Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

splunk search offset

aaronkorn
Splunk Employee
Splunk Employee
‎05-08-2013 08:48 AM

Is there a way to offset a search by 5 min? We currently have a search that returns the user count for a 5 min window for the last 4 hours but in the time that it collects the user count to the current time it creates a lot of confusion within app teams here as the count is low until that 5 min aggregation period is over. I would essentially want the search to return the count from 4 hours ago to the current time - 5 min.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

chris
Motivator
‎05-08-2013 09:45 AM

Have a look at:
http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/SearchTimeModifiers

latest and earliest are your friends

Edit:

Sorry my first answer was a bit short I could/should have given you an example.

Your suggestion works very well, I tend to just use earliest & latest because I can't remember the all the other keywords and if you work with savedsearches (or if you start developing dashboards) you only have the earliest & latest as the delimiters of your time frame

alt text

One thing that can be important depending on the search is that the time-modifiers will snap to a time,
-4h@h is not the same as -4h@s. And just to make things a little more complicated the timemodifiers can be chained. A useful trick to find out the span/time window that you are searching when playing with time modifiers is to use the addinfo command. You can then easily calculate your span.

This example will search over a time window of 4h starting 5 minutes in the past:

index=_internal GET earliest=-4h@m-5m latest=-5m@m | addinfo | eval span=(info_max_time-info_min_time)/3600

View solution in original post

Reply
Solved! Jump to solution
Solution

chris
Motivator
‎05-08-2013 09:45 AM

Have a look at:
http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/SearchTimeModifiers

latest and earliest are your friends

Edit:

Sorry my first answer was a bit short I could/should have given you an example.

Your suggestion works very well, I tend to just use earliest & latest because I can't remember the all the other keywords and if you work with savedsearches (or if you start developing dashboards) you only have the earliest & latest as the delimiters of your time frame

alt text

One thing that can be important depending on the search is that the time-modifiers will snap to a time,
-4h@h is not the same as -4h@s. And just to make things a little more complicated the timemodifiers can be chained. A useful trick to find out the span/time window that you are searching when playing with time modifiers is to use the addinfo command. You can then easily calculate your span.

This example will search over a time window of 4h starting 5 minutes in the past:

index=_internal GET earliest=-4h@m-5m latest=-5m@m | addinfo | eval span=(info_max_time-info_min_time)/3600
Reply
Solved! Jump to solution

aaronkorn
Splunk Employee
Splunk Employee
‎05-10-2013 11:33 AM

Thank you very much!

0 Karma
Reply
Solved! Jump to solution

aaronkorn
Splunk Employee
Splunk Employee
‎05-09-2013 08:20 AM

so i could add something like this: earliest=-8h endminutesago=5

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...