Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

I want to do `latest=-10m@5m`

HattrickNZ
Motivator
‎07-24-2019 02:31 PM

I want to do latest=-10m@5m

But I am discovering I cannot do the @5m, I can only do
@m @h @d @mon @y

the reason for wanting the @5m is because the complete data does not come in until the full 5minutes is complete.
And if I can only use @m the if I look at the graph at X:58 (for example) the graph will show a drop as the full 5 minutes of data will not be available to be shown. So I want to show the full previous 5minutes(up to X:55).

Any ideas of ways around this? tks

Tags (3)
0 Karma
Reply

maheshsn
Explorer
‎07-29-2019 02:28 PM

I would try this : |timechart partial=false span=5min

Reply

nvanderwalt_spl
Splunk Employee
Splunk Employee
‎07-28-2019 04:33 PM

Sounds like you don't want partial results at the end.

If you are visualising with timechart, try

|timechart partial=false count by whatever
Reply

HattrickNZ
Motivator
‎07-30-2019 01:48 PM

tks, as already mentioned by @MuS partial=false seems to b what I want
- How does it make its decisions?
- Is it tied to the span=5m and the current time?
my understanding is that it won't display the X.25 - X.30 data, in that time, until the time has passed the X.30+ e.g. X.31 or X.30.01

0 Karma
Reply

adonio
Ultra Champion
‎07-24-2019 06:14 PM

try this:

earliest=-10m@m latest=-5m@m

hope it helps

0 Karma
Reply

HattrickNZ
Motivator
‎07-24-2019 06:34 PM

tks
the @m of latest=-5m@m will bring it to the close minute. e.g. if i run the query/graph @ X:58 then the query/graph will run up X:53.

What i want is to Run the query/graph up to X:50.

Or What is want is to Run the query/graph up to X:00, X:05, X:10...X:50, X:5 (5 minute intervals only). Not other times outside of this and independent of when the query/graph is run.

0 Karma
Reply

MuS
Legend
‎07-24-2019 06:46 PM

I would try | bin _time span=5m | stats values(*) AS * by _time and see if this helps to solve your problem.

cheers, MuS

Reply

HattrickNZ
Motivator
‎07-28-2019 03:59 PM

i can't get that to work and don't think it can as that does not allow me to control the latest time to be @ a 5minute end time e.g. X.05, X.10, .... x.55

0 Karma
Reply

MuS
Legend
‎07-28-2019 06:44 PM

try this:

what ever search here earliest=-0h@h | timechart span=5min partial=f count

This will search the current hour and only returns events for chunks of 5 minutes, where the 5 minutes already have passed and the chunk is complete.

cheers, MuS

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...