Hi all,
I'm looking for something like seq for times in Splunk.
One example:
|seq from=now to=1d span=4h
would generate events with _time as
- [now+ 0h]
- [now+ 4h]
- [now+ 8h]
- [now+12h]
- [now+16h]
- [now+20h]
- [now+24h]
Do you know of a way to achieve this behavior? bucket and bin work similar, but need a start and end event. That's why the next best thing I could build was
|stats count | fields - count |eval _time=now()-7*24*3600 |append [|stats count | fields - count |eval _time=now()+21*24*3600] | bucket _time span=4h |makecontinuous _time span=4h
which is not very nice to look at and only approximately what I wanted (start and end don't exactly match).
