Other Usage
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Latest set to most recent increment of 5 minutes

dstuder
Communicator
‎12-21-2021 10:05 AM

I've got a report that is run on a schedule every five minutes. I would like the "latest" to be set to the most recent increment of 5 minutes. This solution used to work but no longer appears to. Does anyone have any thoughts for how to achieve this? I cannot simply rely on latest=now() because the report certainly will not always run exactly at the correct time. So, I need to be able to snap to the latest 5 minutes so that my counts do not get improperly calculated.

Edit:

Here is my base search. I'm trying to get latest to snap to the most recent five minute increment. It's not returning any results.

index=_internal source=*license_usage.log* type=Usage earliest=-0d@d ([makeresults | eval latest=(floor(now()/300))*300 | fields latest])

However, if I do something like this is does return results. I don't want this ... I was just testing to see if the syntax was messed up or something. The above base search is what I want because it snaps latest to the most recent five minute increment of the hour.

index=_internal source=*license_usage.log* type=Usage earliest=-0d@d ([makeresults | eval latest=relative_time(now(), "-m") | fields latest])

 Why does relative_time(now(), "-m") work but (floor(now()/300))*300 doesn't?

Labels (2)
Reply
1 Solution
Solved! Jump to solution
Solution

dstuder
Communicator
‎12-21-2021 11:40 AM

After much fiddling I figured it out and its odd. The issue was the extra parenthesis around the floor. So this does not work.

([makeresults | eval latest=(floor(now()/300))*300 | fields latest])

 But this does work. Not sure why it cares about the extra parenthesis ... but oh well.

([makeresults | eval latest=floor(now()/300)*300 | fields latest])

 

View solution in original post

Reply
Solved! Jump to solution
Solution

dstuder
Communicator
‎12-21-2021 11:40 AM

After much fiddling I figured it out and its odd. The issue was the extra parenthesis around the floor. So this does not work.

([makeresults | eval latest=(floor(now()/300))*300 | fields latest])

 But this does work. Not sure why it cares about the extra parenthesis ... but oh well.

([makeresults | eval latest=floor(now()/300)*300 | fields latest])

 

Reply
Solved! Jump to solution

Stefanie
Builder
‎12-21-2021 10:34 AM

What is your search and what is it returning instead of the most recent 5 minutes?

If youre looking to run the report using data from 5 minutes ago, you would use earliest=-5m .

0 Karma
Reply
Solved! Jump to solution

dstuder
Communicator
‎12-21-2021 11:10 AM

I'm trying to get everything today snapped to the most recent five minute increment. So, if it ran at 9:42 AM I would get everything today up to 9:40 AM.

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...