I am attempting to create a macro that allows searchers to pass a specific time into a search command that will locate the top 3 matching events that are closest to that specific time, snapped to the minute. That is, if a user passes
10/02/2015:14:30:0, and there are matching events at 14:23, 14:25, 14:31, 14:32, and 14:35, I want it to return the events at 14:25, 14:31, and 14:32.
As a preliminary step, I tried to run a basic search looking for all events within 30 minutes of the specified time, and I'm having trouble even reaching that point. I've tried using
earliest=relative_time($time$, "-30m"), but am getting syntax errors that suggest to me that Splunk doesn't like to be handed specific times in the relative_time function.
Any suggestions for finding events close to a specific time (including formats that I need to use to pass specific times to the macro) would be much appreciated. Even more appreciated would be additional suggestions for locating the top events closest to that time, snapped to the minute.
The following search code assumes that you are entering $targettime$ in epoch time format. It selects the time range within 1/2 hour of the target time value, calculates the difference from target time, and returns the five closest events.
| eval DeltaTime = abs(_time - $targettime$)
| sort 0 Deltatime
| head 5
edited to use sort 0 rather than sort, just in case more than 100 results were received.
Okay, after some more work on this it looks like this gets me halfway there. The other half is being able to feed a specific time into a search without using the time range picker, and then finding events on the basis of their distance from that specific time.
It's not clear to me that this can even be done, but I would also not be surprised if the answer is embarrassingly simple.