Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

splunk search offset

aaronkorn
Splunk Employee
Splunk Employee
‎05-08-2013 08:48 AM

Is there a way to offset a search by 5 min? We currently have a search that returns the user count for a 5 min window for the last 4 hours but in the time that it collects the user count to the current time it creates a lot of confusion within app teams here as the count is low until that 5 min aggregation period is over. I would essentially want the search to return the count from 4 hours ago to the current time - 5 min.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

chris
Motivator
‎05-08-2013 09:45 AM

Have a look at:
http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/SearchTimeModifiers

latest and earliest are your friends

Edit:

Sorry my first answer was a bit short I could/should have given you an example.

Your suggestion works very well, I tend to just use earliest & latest because I can't remember the all the other keywords and if you work with savedsearches (or if you start developing dashboards) you only have the earliest & latest as the delimiters of your time frame

alt text

One thing that can be important depending on the search is that the time-modifiers will snap to a time,
-4h@h is not the same as -4h@s. And just to make things a little more complicated the timemodifiers can be chained. A useful trick to find out the span/time window that you are searching when playing with time modifiers is to use the addinfo command. You can then easily calculate your span.

This example will search over a time window of 4h starting 5 minutes in the past:

index=_internal GET earliest=-4h@m-5m latest=-5m@m | addinfo | eval span=(info_max_time-info_min_time)/3600

View solution in original post

Reply
Solved! Jump to solution
Solution

chris
Motivator
‎05-08-2013 09:45 AM

Have a look at:
http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/SearchTimeModifiers

latest and earliest are your friends

Edit:

Sorry my first answer was a bit short I could/should have given you an example.

Your suggestion works very well, I tend to just use earliest & latest because I can't remember the all the other keywords and if you work with savedsearches (or if you start developing dashboards) you only have the earliest & latest as the delimiters of your time frame

alt text

One thing that can be important depending on the search is that the time-modifiers will snap to a time,
-4h@h is not the same as -4h@s. And just to make things a little more complicated the timemodifiers can be chained. A useful trick to find out the span/time window that you are searching when playing with time modifiers is to use the addinfo command. You can then easily calculate your span.

This example will search over a time window of 4h starting 5 minutes in the past:

index=_internal GET earliest=-4h@m-5m latest=-5m@m | addinfo | eval span=(info_max_time-info_min_time)/3600
Reply
Solved! Jump to solution

aaronkorn
Splunk Employee
Splunk Employee
‎05-10-2013 11:33 AM

Thank you very much!

0 Karma
Reply
Solved! Jump to solution

aaronkorn
Splunk Employee
Splunk Employee
‎05-09-2013 08:20 AM

so i could add something like this: earliest=-8h endminutesago=5

0 Karma
Reply
Get Updates on the Splunk Community!

Unlock Database Monitoring with Splunk Observability Cloud

  In today’s fast-paced digital landscape, even minor database slowdowns can disrupt user experiences and ...

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

At Cisco, purpose isn’t a tagline—it’s a commitment. Cisco’s FY25 Purpose Report outlines how the company is ...

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join us for a live Demo Day at the Cisco Store on January 21st 10:00am - 11:00am PST In the fast-paced world ...