Solved: Re: Flooring the minutes of a strftime eval - Splunk Community

Splunk Search

earliest=-14d@d latest=-0d@d ns=email msg=send country="United Kingdom" | eval time=strftime(_time,"%H:%M") | chart count by time, msg

In the query above, I'd like to floor the %M by 5 minutes so that sums of every 5 minutes are displayed instead of every minute. Is this possible?

Or maybe even some sort of groupby function that I can apply?

1 Solution

Solution

 earliest=-14d@d latest=-0d@d ns=email msg=send country="United Kingdom" | eval time=strftime(_time,"%H:%M") | bucket _time span=5m | chart count by _time, msg

View solution in original post

Solution

 earliest=-14d@d latest=-0d@d ns=email msg=send country="United Kingdom" | eval time=strftime(_time,"%H:%M") | bucket _time span=5m | chart count by _time, msg

Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...