I have the need to filter the results of my search to only show 30 minutes of consecutive 5 minute time buckets. In other words, 6 consecutive time buckets.
Example of results I want to see
9:00 am. My event
9:05 am. My event
9:10 am. My event
9:15 am. My event
9:20 am. My event
9:25 am. My event
But, I do not want to show any results if it is like below
6:35 am. My event
6:40 am. My event
9:05 am. My event
9:10 am. My event
Also one additional caveat. It is possible that my results could show 6 sequential buckets and more events that are not sequential because my time range is 12 hours. In this case I want to cut out the non-sequential buckets and only display if there are 6 sequential buckets.
Hi, three examples are below. You can google each command to get more details. There are other options like min-span and more.
...|timechart bins=6 ... (Time picker set to last 30min)
...|timechart span=5m ...
...|bin span=5m|...
For the six consecutive request... You'd have to use some additional logic / magic. Something like using transaction and the span of time equal to 30 minutes, then a mvzip followed by a mvexpand, and then a where count > 5.
This almost works! The only problem I have with using timechart is that sometimes my 6 time buckets might be split between two span buckets. For instance, the first of the six events starts at 9:50 and goes to 10:15.
In that case I will have six consecutive 5 minute buckets but they will be split into 2 different 30 minute buckets.
Can I somehow use transaction in this case?
Do you mean your time selector is set to 12 hours, but you only want to display 30 minutes of that?
One way to do this is by overriding the time range selector.
... othersearchterms earliest=-30m@m ... | other search stuff
There's an equivalent latest=x command too, so 60 minutes to 30 minutes ago would be earliest=-60m latest=-30m. You can snap them to minutes or do other time manipulation.
If instead you don't know which time frame ahead of time, then we may need a bit more information. Like, which set of 6 times do you want - any sequence of 6 in a row? Only a particular sequence of 6 in a row (and how do you know which one you want)? A sliding window of the sum/total/whatever of the previous 6? An example that covers that specifically would be very helpful if that's the case.
I have the time range set to 12 hours because my search is trying to detect a pattern of events in the last 12 hours. But, I'm only interested in seeing results when that pattern is detected for 30 minutes straight (6 consecutive 5 min time buckets).
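The requirement stated across this thread (keep only 5-minute buckets that belong to a run of at least 6 consecutive buckets, anywhere inside a 12-hour window, even when the run straddles a 30-minute boundary such as 9:50 to 10:15) is easiest to reason about outside SPL first. The following Python is an added example written for this page, not code from the thread or from Splunk; the event timestamps and the `SAMPLE_EVENTS`, `bucket_of`, `count_per_bucket`, `consecutive_runs` and `sustained_buckets` names are constructed for illustration. It floors each event into its 5-minute bucket (the same thing `bin span=5m` does), counts events per bucket, and then tests adjacency between neighbouring buckets instead of aligning to fixed 30-minute windows, which is why a run crossing the 10:00 boundary is still detected and the isolated 6:35/6:40 pair is dropped.

```python
from datetime import datetime, timedelta

BUCKET = timedelta(minutes=5)   # the 5-minute span discussed in the thread
MIN_RUN = 6                     # 6 consecutive buckets = 30 minutes straight

# Constructed sample events (not from the thread): (timestamp, event text).
# They contain an isolated 06:35/06:40 pair, a run from 09:50 to 10:15 that
# straddles the 10:00 half-hour boundary, and a stray event at 11:40.
SAMPLE_EVENTS = [
    ("2024-01-01 06:35:12", "My event"),
    ("2024-01-01 06:40:01", "My event"),
    ("2024-01-01 09:50:30", "My event"),
    ("2024-01-01 09:55:07", "My event"),
    ("2024-01-01 09:57:59", "My event"),   # second event in the 09:55 bucket
    ("2024-01-01 10:00:44", "My event"),
    ("2024-01-01 10:05:10", "My event"),
    ("2024-01-01 10:10:02", "My event"),
    ("2024-01-01 10:15:33", "My event"),
    ("2024-01-01 11:40:00", "My event"),
]


def bucket_of(ts):
    """Floor a timestamp string to the start of its 5-minute bucket (like bin span=5m)."""
    dt = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
    return dt - timedelta(minutes=dt.minute % 5,
                          seconds=dt.second,
                          microseconds=dt.microsecond)


def count_per_bucket(events):
    """Equivalent of stats count by _time after binning: {bucket_start: event count}."""
    counts = {}
    for ts, _text in events:
        b = bucket_of(ts)
        counts[b] = counts.get(b, 0) + 1
    return counts


def consecutive_runs(buckets, min_run=MIN_RUN):
    """Group sorted bucket starts into runs where each bucket follows the
    previous one by exactly one 5-minute span; return only runs of min_run
    or more buckets. Alignment to 30-minute boundaries is irrelevant here."""
    runs, current = [], []
    for b in sorted(buckets):
        if current and b - current[-1] == BUCKET:
            current.append(b)
        else:
            if len(current) >= min_run:
                runs.append(current)
            current = [b]
    if len(current) >= min_run:
        runs.append(current)
    return runs


def sustained_buckets(events, min_run=MIN_RUN):
    """Return ("HH:MM", count) for every bucket that belongs to a run of at
    least min_run consecutive buckets; everything else is filtered out."""
    counts = count_per_bucket(events)
    keep = [b for run in consecutive_runs(counts, min_run) for b in run]
    return [(b.strftime("%H:%M"), counts[b]) for b in keep]


if __name__ == "__main__":
    # Only the 09:50-10:15 run survives; 06:35, 06:40 and 11:40 are dropped.
    for start, n in sustained_buckets(SAMPLE_EVENTS):
        print(f"{start}  count={n}")
```

The same shape carries over to SPL: bin to 5 minutes, count per bucket, and then compare each bucket's `_time` with its neighbour (for example with `streamstats`) rather than relying on 30-minute `timechart` spans, which is exactly the case where a run starting at 9:50 would otherwise be cut in two.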