Other Usage
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Latest set to most recent increment of 5 minutes

dstuder
Communicator
‎12-21-2021 10:05 AM

I've got a report that is run on a schedule every five minutes. I would like the "latest" to be set to the most recent increment of 5 minutes. This solution used to work but no longer appears to. Does anyone have any thoughts for how to achieve this? I cannot simply rely on latest=now() because the report certainly will not always run exactly at the correct time. So, I need to be able to snap to the latest 5 minutes so that my counts do not get improperly calculated.

Edit:

Here is my base search. I'm trying to get latest to snap to the most recent five minute increment. It's not returning any results.

index=_internal source=*license_usage.log* type=Usage earliest=-0d@d ([makeresults | eval latest=(floor(now()/300))*300 | fields latest])

However, if I do something like this is does return results. I don't want this ... I was just testing to see if the syntax was messed up or something. The above base search is what I want because it snaps latest to the most recent five minute increment of the hour.

index=_internal source=*license_usage.log* type=Usage earliest=-0d@d ([makeresults | eval latest=relative_time(now(), "-m") | fields latest])

 Why does relative_time(now(), "-m") work but (floor(now()/300))*300 doesn't?

Labels (2)
Reply
1 Solution
Solved! Jump to solution
Solution

dstuder
Communicator
‎12-21-2021 11:40 AM

After much fiddling I figured it out and its odd. The issue was the extra parenthesis around the floor. So this does not work.

([makeresults | eval latest=(floor(now()/300))*300 | fields latest])

 But this does work. Not sure why it cares about the extra parenthesis ... but oh well.

([makeresults | eval latest=floor(now()/300)*300 | fields latest])

 

View solution in original post

Reply
Solved! Jump to solution
Solution

dstuder
Communicator
‎12-21-2021 11:40 AM

After much fiddling I figured it out and its odd. The issue was the extra parenthesis around the floor. So this does not work.

([makeresults | eval latest=(floor(now()/300))*300 | fields latest])

 But this does work. Not sure why it cares about the extra parenthesis ... but oh well.

([makeresults | eval latest=floor(now()/300)*300 | fields latest])

 

Reply
Solved! Jump to solution

Stefanie
Builder
‎12-21-2021 10:34 AM

What is your search and what is it returning instead of the most recent 5 minutes?

If youre looking to run the report using data from 5 minutes ago, you would use earliest=-5m .

0 Karma
Reply
Solved! Jump to solution

dstuder
Communicator
‎12-21-2021 11:10 AM

I'm trying to get everything today snapped to the most recent five minute increment. So, if it ran at 9:42 AM I would get everything today up to 9:40 AM.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...