Knowledge Management

How to create a search for a macro that finds events closest to a specified time?

mcarp
Explorer

I am attempting to create a macro that allows searchers to pass a specific time into a search command that will locate the top 3 matching events that are closest to that specific time, snapped to the minute. That is, if a user passes 10/02/2015:14:30:0, and there are matching events at 14:23, 14:25, 14:31, 14:32, and 14:35, I want it to return the events at 14:25, 14:31, and 14:32.

As a preliminary step, I tried to run a basic search looking for all events within 30 minutes of the specified time, and I'm having trouble even reaching that point. I've tried using earliest=relative_time($time$, "-30m"), but am getting syntax errors that suggest to me that Splunk doesn't like to be handed specific times in the relative_time function.

Any suggestions for finding events close to a specific time (including formats that I need to use to pass specific times to the macro) would be much appreciated. Even more appreciated would be additional suggestions for locating the top events closest to that time, snapped to the minute.

0 Karma

DalJeanis
SplunkTrust

The following search code assumes that you are entering $targettime$ in epoch time format. It selects the time range within 1/2 hour of the target time value, calculates the difference from target time, and returns the five closest events.

earliest=$targettime$-30m@m latest=$targettime$+30m@m
"search text"
| eval DeltaTime = abs(_time - $targettime$)
| sort 0 DeltaTime
| head 5

edited to use sort 0 rather than sort, just in case more than 100 results were received.

0 Karma
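As an added illustration (not part of DalJeanis's answer and not Splunk's own code), the following Python models the same pipeline outside Splunk: parse the timestamp format used in the question (10/02/2015:14:30:00) into epoch seconds, which is what the search above expects $targettime$ to be; bound the candidates to plus or minus 30 minutes as earliest/latest do; snap each event's _time to the minute as @m would; rank by absolute distance and keep the closest three. Ties at equal distance go to the earlier event, so for the question's sample (target 14:30; events at 14:23, 14:25, 14:31, 14:32, 14:35) the result is 14:25, 14:31, 14:32. The event dicts, their seconds and their messages are constructed sample data, and all times are treated as UTC so the output does not depend on the machine's zone.

```python
from datetime import datetime, timezone

# Time format used in the question (10/02/2015:14:30:00); parsed as UTC here
# so the example is deterministic regardless of the machine's local zone.
TIME_FMT = "%m/%d/%Y:%H:%M:%S"


def to_epoch(ts: str) -> int:
    """Parse a TIME_FMT timestamp as UTC and return epoch seconds."""
    return int(datetime.strptime(ts, TIME_FMT).replace(tzinfo=timezone.utc).timestamp())


def fmt_minute(epoch: int) -> str:
    """Render epoch seconds as HH:MM (UTC), matching how the question lists events."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%H:%M")


def snap_to_minute(epoch: int) -> int:
    """Equivalent of Splunk's @m snap: drop the seconds."""
    return epoch - epoch % 60


def closest_events(events, target, n=3, window=30 * 60):
    """Return the n events whose minute is closest to the target minute.

    events: list of dicts with an epoch-seconds "_time" field (stand-in for Splunk's _time)
    target: epoch seconds of the time the user passed in
    window: only consider events within +/- window seconds (the earliest/latest bound)
    Ties at equal distance go to the earlier event; results come back in time order.
    """
    target = snap_to_minute(target)
    lo, hi = target - window, target + window
    in_window = [e for e in events if lo <= e["_time"] <= hi]
    # Rank by (snapped distance, event time): the second key makes ties deterministic.
    ranked = sorted(
        in_window,
        key=lambda e: (abs(snap_to_minute(e["_time"]) - target), e["_time"]),
    )
    return sorted(ranked[:n], key=lambda e: e["_time"])


# Constructed sample events: the minutes from the question with assumed seconds
# and messages, plus one event outside the 30-minute window to show the bound.
SAMPLE = [
    {"_time": to_epoch("10/02/2015:13:58:12"), "msg": "outside window"},
    {"_time": to_epoch("10/02/2015:14:23:41"), "msg": "login ok"},
    {"_time": to_epoch("10/02/2015:14:25:09"), "msg": "login ok"},
    {"_time": to_epoch("10/02/2015:14:31:55"), "msg": "login failed"},
    {"_time": to_epoch("10/02/2015:14:32:03"), "msg": "login failed"},
    {"_time": to_epoch("10/02/2015:14:35:30"), "msg": "login ok"},
]


def closest_minutes(events, target_str, n=3):
    """Take the user's timestamp string and return HH:MM of the n closest events."""
    return [fmt_minute(e["_time"]) for e in closest_events(events, to_epoch(target_str), n)]


if __name__ == "__main__":
    print(closest_minutes(SAMPLE, "10/02/2015:14:30:00"))
```

The snap happens on both the target and each event before the distance is taken, so an event at 14:31:55 counts as one minute away, not 115 seconds; without the snap, rankings can flip between events that the user considers equally close.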

muebel
SplunkTrust

It seems that the localize and map commands might get you close to what you want: http://docs.splunk.com/Documentation/Splunk/6.2.5/SearchReference/Localize

Let me know how that works.

0 Karma

mcarp
Explorer

This looks like exactly what I need--thanks!

mcarp
Explorer

Okay, after some more work on this it looks like this gets me halfway there. The other half is being able to feed a specific time into a search without using the time range picker, and then finding events on the basis of their distance from that specific time.

It's not clear to me that this can even be done, but I would also not be surprised if the answer is embarrassingly simple.

0 Karma