Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create a search for a macro that finds events closest to a specified time?

mcarp
Explorer
‎10-07-2015 08:21 AM

I am attempting to create a macro that allows searchers to pass a specific time into a search command that will locate the top 3 matching events that are closest to that specific time, snapped to the minute. That is, if a user passes 10/02/2015:14:30:0, and there are matching events at 14:23, 14:25, 14:31, 14:32, and 14:35, I want it to return the events at 14:25, 14:31, and 14:32.

As a preliminary step, I tried to run a basic search looking for all events within 30 minutes of the specified time, and I'm having trouble even reaching that point. I've tried using earliest=relative_time($time$, "-30m"), but am getting syntax errors that suggest to me that Splunk doesn't like to be handed specific times in the relative_time function.

Any suggestions for finding events close to a specific time (including formats that I need to use to pass specific times to the macro) would be much appreciated. Even more appreciated would be additional suggestions for locating the top events closest to that time, snapped to the minute.

0 Karma
Reply

DalJeanis
Legend
‎01-05-2017 12:07 PM

The following search code assumes that you are entering $targettime$ in epoch time format. It selects the time range within 1/2 hour of the target time value, calculates the difference from target time, and returns the five closest events.

earliest=$targettime$-30m@m latest=$targettime$+30m@m
"search text"
| eval DeltaTime = abs(_time - $targettime$)
| sort 0 Deltatime
| head 5

edited to use sort 0 rather than sort, just in case more than 100 results were received.

0 Karma
Reply

muebel
SplunkTrust
SplunkTrust
‎10-07-2015 06:58 PM

It seems that the localize and map commands might get you close to what you want : http://docs.splunk.com/Documentation/Splunk/6.2.5/SearchReference/Localize

Let me know how that works.

0 Karma
Reply

mcarp
Explorer
‎10-08-2015 08:50 AM

This looks like exactly what I need--thanks!

Reply

mcarp
Explorer
‎10-08-2015 01:36 PM

Okay, after some more work on this it looks like this gets me halfway there. The other half is being able to feed a specific time into a search without using the time range picker, and then finding events on the basis of their distance from that specific time.

It's not clear to me that this can even be done, but I would also not be surprised if the answer is embarrassingly simple.

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...