Hi all,

I'm looking for something like seq for times in Splunk.

One example:

|seq from=now to=1d span=4h

would generate events with _time as

• [now+ 0h]
• [now+ 4h]
• [now+ 8h]
• [now+12h]
• [now+16h]
• [now+20h]
• [now+24h]

Do you know of a way to achieve this behavior? bucket and bin work similar, but need a start and end event. That's why the next best thing I could build was

|stats count | fields - count |eval _time=now()-7*24*3600 |append [|stats count | fields - count |eval _time=now()+21*24*3600] | bucket _time span=4h |makecontinuous _time span=4h

which is not very nice to look at and only approximately what I wanted (start and end don't exactly match).