I am attempting to create a macro that allows searchers to pass a specific time into a search command that will locate the top 3 matching events that are closest to that specific time, snapped to the minute. That is, if a user passes 10/02/2015:14:30:0, and there are matching events at 14:23, 14:25, 14:31, 14:32, and 14:35, I want it to return the events at 14:25, 14:31, and 14:32.
As a preliminary step, I tried to run a basic search looking for all events within 30 minutes of the specified time, and I'm having trouble even reaching that point. I've tried using earliest=relative_time($time$, "-30m"), but am getting syntax errors that suggest to me that Splunk doesn't like to be handed specific times in the relative_time function.
Any suggestions for finding events close to a specific time (including formats that I need to use to pass specific times to the macro) would be much appreciated. Even more appreciated would be additional suggestions for locating the top events closest to that time, snapped to the minute.
The following search code assumes that you are entering $targettime$ in epoch time format. It selects the time range within 1/2 hour of the target time value, calculates the difference from target time, and returns the five closest events.
earliest=$targettime$-30m@m latest=$targettime$+30m@m
"search text"
| eval DeltaTime = abs(_time - $targettime$)
| sort 0 DeltaTime
| head 5
edited to use sort 0 rather than sort, just in case more than 100 results were received.
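The pipeline in the answer above (restrict to a window around the target, compute the absolute distance from the target, sort, take the head) can be checked outside Splunk before it is wrapped in a macro. The following Python script is an added example written for this thread, not code from the answer or from Splunk; the event timestamps are constructed from the numbers in the question, the timestamp format `%m/%d/%Y:%H:%M:%S` is assumed to match the value the asker passes, and `to_epoch` assumes the timestamps are in the machine's local time zone. It also makes explicit a detail the question leaves implicit: 14:25 and 14:35 are both five minutes from 14:30, so the expected result (14:25, not 14:35) only comes out if ties break toward the earlier event.

```python
from datetime import datetime, timedelta

# Assumed format of the time string handed to the macro (the asker's example
# "10/02/2015:14:30:0" parses with it: strptime accepts a one-digit %S).
TIME_FORMAT = "%m/%d/%Y:%H:%M:%S"

# Constructed sample events: the five clock times from the question plus one
# event 40 minutes before the target, which the +/-30m window must exclude.
SAMPLE_EVENTS = [
    "10/02/2015:13:50:00",
    "10/02/2015:14:23:00",
    "10/02/2015:14:25:00",
    "10/02/2015:14:31:00",
    "10/02/2015:14:32:00",
    "10/02/2015:14:35:00",
]


def parse_time(value: str) -> datetime:
    """Parse a user-supplied timestamp in TIME_FORMAT into a datetime."""
    return datetime.strptime(value, TIME_FORMAT)


def snap_to_minute(t: datetime) -> datetime:
    """Counterpart of Splunk's @m snap: drop seconds and sub-seconds."""
    return t.replace(second=0, microsecond=0)


def to_epoch(value: str) -> int:
    """Convert the human-readable string into the epoch integer the answer's
    $targettime$ expects. Naive datetimes are treated as local time here, so
    the result depends on the time zone of the machine running the script."""
    return int(parse_time(value).timestamp())


def closest_events(events, target: str, n: int = 3,
                   window: timedelta = timedelta(minutes=30)) -> list:
    """Return the n events nearest to `target`, both snapped to the minute.

    Stage by stage this mirrors the SPL in the answer:
      earliest/latest +/-30m@m  -> skip events outside `window`
      eval DeltaTime=abs(...)   -> `delta`
      sort 0 DeltaTime          -> sort on (delta, time)
      head 5                    -> slice [:n]
    Sorting on (delta, time) makes ties resolve toward the earlier event,
    which is what the asker's expected answer (14:25 before 14:35) implies.
    """
    target_min = snap_to_minute(parse_time(target))
    candidates = []
    for raw in events:
        t = snap_to_minute(parse_time(raw))
        delta = abs(t - target_min)
        if delta > window:
            continue  # outside the earliest/latest range
        candidates.append((delta, t))
    candidates.sort()
    return [t.strftime(TIME_FORMAT) for _, t in candidates[:n]]


if __name__ == "__main__":
    for hit in closest_events(SAMPLE_EVENTS, "10/02/2015:14:30:0"):
        print(hit)
```

Running it prints the three timestamps at 14:31, 14:32 and 14:25 in that order; raising `n` never brings in the 13:50 event, because the window check runs before the sort, just as `earliest`/`latest` cut the data before `eval` and `sort` ever see it.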
It seems that the localize and map commands might get you close to what you want: http://docs.splunk.com/Documentation/Splunk/6.2.5/SearchReference/Localize
Let me know how that works.
This looks like exactly what I need--thanks!
Okay, after some more work on this it looks like this gets me halfway there. The other half is being able to feed a specific time into a search without using the time range picker, and then finding events on the basis of their distance from that specific time.
It's not clear to me that this can even be done, but I would also not be surprised if the answer is embarrassingly simple.