Dashboards & Visualizations

splunk search offset

aaronkorn
Splunk Employee
Splunk Employee

Is there a way to offset a search by 5 min? We currently have a search that returns the user count for a 5 min window for the last 4 hours but in the time that it collects the user count to the current time it creates a lot of confusion within app teams here as the count is low until that 5 min aggregation period is over. I would essentially want the search to return the count from 4 hours ago to the current time - 5 min.

Tags (3)
0 Karma
1 Solution

chris
Motivator

Have a look at:
http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/SearchTimeModifiers

latest and earliest are your friends

Edit:

Sorry my first answer was a bit short I could/should have given you an example.

Your suggestion works very well, I tend to just use earliest & latest because I can't remember the all the other keywords and if you work with savedsearches (or if you start developing dashboards) you only have the earliest & latest as the delimiters of your time frame

alt text

One thing that can be important depending on the search is that the time-modifiers will snap to a time,
-4h@h is not the same as -4h@s. And just to make things a little more complicated the timemodifiers can be chained. A useful trick to find out the span/time window that you are searching when playing with time modifiers is to use the addinfo command. You can then easily calculate your span.

This example will search over a time window of 4h starting 5 minutes in the past:

index=_internal GET earliest=-4h@m-5m latest=-5m@m | addinfo | eval span=(info_max_time-info_min_time)/3600

View solution in original post

chris
Motivator

Have a look at:
http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/SearchTimeModifiers

latest and earliest are your friends

Edit:

Sorry my first answer was a bit short I could/should have given you an example.

Your suggestion works very well, I tend to just use earliest & latest because I can't remember the all the other keywords and if you work with savedsearches (or if you start developing dashboards) you only have the earliest & latest as the delimiters of your time frame

alt text

One thing that can be important depending on the search is that the time-modifiers will snap to a time,
-4h@h is not the same as -4h@s. And just to make things a little more complicated the timemodifiers can be chained. A useful trick to find out the span/time window that you are searching when playing with time modifiers is to use the addinfo command. You can then easily calculate your span.

This example will search over a time window of 4h starting 5 minutes in the past:

index=_internal GET earliest=-4h@m-5m latest=-5m@m | addinfo | eval span=(info_max_time-info_min_time)/3600

aaronkorn
Splunk Employee
Splunk Employee

Thank you very much!

0 Karma

aaronkorn
Splunk Employee
Splunk Employee

so i could add something like this: earliest=-8h endminutesago=5

0 Karma
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...