Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Get 10 minutes before 1 minute

mkoh
New Member
‎04-23-2018 06:47 PM

If I search, I can see the count value of each field for one minute, and also want to know the sum count value 10 minutes before that.

For example
At FFM_count 2 on 20170101 00:15:00
Please see the FFM_count sum from 201701 00:04 to 201701 00:14.

Is it possible for a splunk to express this way?
If possible, I'd like to know how.alt textalt text

Tags (1)
Preview file
156 KB
Preview file
98 KB
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎05-09-2018 10:10 PM

Like this:

YOUR SEARCH HERE
| streamstats current=f window=10 sum(*count) AS sum_last_10_*count

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎05-09-2018 10:10 PM

Like this:

YOUR SEARCH HERE
| streamstats current=f window=10 sum(*count) AS sum_last_10_*count
0 Karma
Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎05-09-2018 10:25 PM

Actually, I think that you need a | reverse in there above the | streamstats or you will be getting the 10 after, not before.

0 Karma
Reply
Solved! Jump to solution

Shan
Builder
‎04-23-2018 09:43 PM

host=* source=* earliest=-10m latest=now (Try this in your query and let me know whether it helps) . For more reference . Go through the below link.

https://docs.splunk.com/Documentation/Splunk/7.0.3/SearchReference/SearchTimeModifiers

0 Karma
Reply
Solved! Jump to solution

Shan
Builder
‎04-26-2018 10:52 PM

@mkoh - Do the above command helps you ..

0 Karma
Reply
Get Updates on the Splunk Community!

OpenTelemetry for Legacy Apps? Yes, You Can!

This article is a follow-up to my previous article posted on the OpenTelemetry Blog, "Your Critical Legacy App ...

UCC Framework: Discover Developer Toolkit for Building Technology Add-ons

The Next-Gen Toolkit for Splunk Technology Add-on Development The Universal Configuration Console (UCC) ...

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...