Dashboards & Visualizations
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

splunk search offset

aaronkorn
Splunk Employee
Splunk Employee
‎05-08-2013 08:48 AM

Is there a way to offset a search by 5 min? We currently have a search that returns the user count for a 5 min window for the last 4 hours but in the time that it collects the user count to the current time it creates a lot of confusion within app teams here as the count is low until that 5 min aggregation period is over. I would essentially want the search to return the count from 4 hours ago to the current time - 5 min.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

chris
Motivator
‎05-08-2013 09:45 AM

Have a look at:
http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/SearchTimeModifiers

latest and earliest are your friends

Edit:

Sorry my first answer was a bit short I could/should have given you an example.

Your suggestion works very well, I tend to just use earliest & latest because I can't remember the all the other keywords and if you work with savedsearches (or if you start developing dashboards) you only have the earliest & latest as the delimiters of your time frame

alt text

One thing that can be important depending on the search is that the time-modifiers will snap to a time,
-4h@h is not the same as -4h@s. And just to make things a little more complicated the timemodifiers can be chained. A useful trick to find out the span/time window that you are searching when playing with time modifiers is to use the addinfo command. You can then easily calculate your span.

This example will search over a time window of 4h starting 5 minutes in the past:

index=_internal GET earliest=-4h@m-5m latest=-5m@m | addinfo | eval span=(info_max_time-info_min_time)/3600

View solution in original post

Reply
Solved! Jump to solution
Solution

chris
Motivator
‎05-08-2013 09:45 AM

Have a look at:
http://docs.splunk.com/Documentation/Splunk/5.0.2/SearchReference/SearchTimeModifiers

latest and earliest are your friends

Edit:

Sorry my first answer was a bit short I could/should have given you an example.

Your suggestion works very well, I tend to just use earliest & latest because I can't remember the all the other keywords and if you work with savedsearches (or if you start developing dashboards) you only have the earliest & latest as the delimiters of your time frame

alt text

One thing that can be important depending on the search is that the time-modifiers will snap to a time,
-4h@h is not the same as -4h@s. And just to make things a little more complicated the timemodifiers can be chained. A useful trick to find out the span/time window that you are searching when playing with time modifiers is to use the addinfo command. You can then easily calculate your span.

This example will search over a time window of 4h starting 5 minutes in the past:

index=_internal GET earliest=-4h@m-5m latest=-5m@m | addinfo | eval span=(info_max_time-info_min_time)/3600
Reply
Solved! Jump to solution

aaronkorn
Splunk Employee
Splunk Employee
‎05-10-2013 11:33 AM

Thank you very much!

0 Karma
Reply
Solved! Jump to solution

aaronkorn
Splunk Employee
Splunk Employee
‎05-09-2013 08:20 AM

so i could add something like this: earliest=-8h endminutesago=5

0 Karma
Reply
Get Updates on the Splunk Community!

New Case Study: How LSU’s Student-Powered SOCs and Splunk Are Shaping the Future of ...

Louisiana State University (LSU) is shaping the next generation of cybersecurity professionals through its ...

Splunk and Fraud

Join us on November 13 at 11 am PT / 2 pm ET!Join us for an insightful webinar where we delve into the ...

Build Your First SPL2 App!

Watch the recording now!.Do you want to SPL™, too? SPL2, Splunk's next-generation data search and preparation ...