Re: How can I delete search data result incoming w...

tkdguq0110 · ‎04-29-2020

Hi.
When I search a '_time' field, there are two result values like '2020/04/30 18:00' and '2020/04/30 18:03'
I just want to delete the result values within 5 minutes.
for example,
_time
2020/04/30 18:00
2020/04/30 18:06

Above is ok but, following result search I do not want.

_time
2020/04/30 18:00
2020/04/30 18:03

Is it possible to delete data value in '_time' field within 5 minutes?
My goal is

_time
2020/04/30 18:00
2020/04/30 18:03 **(delete automatically in search)**

I would appreciate it if you give me some tips.
Thanks.

shivanshu1593 · ‎05-05-2020

Try with this:

| timechart span=5m values(src_ip) as src_ip

This will literally paste the value of the src_ip after every 5th minute.

Thank you,
Shiv
###If you found the answer helpful, kindly consider upvoting/accepting it as the answer as it helps other Splunkers find the solutions to similar issues###

tauliang · ‎05-03-2020

If I understand your requirement correctly, you would like to filter out some of the events in the result, so that events only show up every five minutes in the result set.

This is easy to do as only a filter is needed to look at the minute component of the event time stamps.

index = _internal
| eval curMin = strftime(_time,"%M") 
| eval eventtext =  "my event " + curMin
| table _time, eventtext, curMin
| search curMin=*0 OR curMin=*5

The second line in the search parse the minute of the timestamp in the event, and the last line has a filter to only return the events that occurred during the time when the minute is divisible by 5. Of course you can tailor the filter (e.g., adding more restrictions on the second portion of the time stamp as well) to however you see fit.

OR, do you want the neighboring events in the result to be at least 5 minutes apart?

tkdguq0110 · ‎05-04-2020

Thanks for your helping.
My goal is not to see search result set incoming within 5 minutes comparing previous _time.

for instance, there are two fields and values in search result set.
src_ip _time
2.2.2.2 10:00

and new search result set data added, like
src_ip _time
2.2.2.2 10:00
2.2.2.2 10:03

comparing previous _time(10:00) and new added _time(10:03)
and new added _time(10:03) is just incoming within 5 minutes just comparing previous _time(10:00)
so, I do not want to see new added _time(10:03) in search result set.

but, if search result set is below
src_ip _time
2.2.2.2 10:00
2.2.2.2 10:06

new added _time(10:06) is just incoming after 5 minutes comparing previous _time(10:00)
I want to see this search result set.

Thanks

adonio · ‎05-05-2020

what is the anticipated result in this scenario:
2.2.2.2 10:00
2.2.2.2 10:06
2.2.2.2 10:09
2.2.2.2 10:10
2.2.2.2 10:11
2.2.2.2 10:15
2.2.2.2 10:16
2.2.2.2 10:22

adonio · ‎04-29-2020

what do you mean by "delete"?
have you tried using the |bin command?
examples:
... | bin _time span=5s
... | bin _time span=5m

tkdguq0110 · ‎04-29-2020

I mean, if there is a '_time' field data incomming within 5 minutes, I do not want to see that result(I thought this was delete).
I used 'bin' command before but that was just to combine time using '_time' field..

adonio · ‎04-30-2020

so ... so you want only a round time results? meaning seconds 0,5,10, ... 55 ?
or minutes as described?
what if you have let say, 4 events:
10:00
10:06
10:09
10:11

what will be the desired result there?

tkdguq0110 · ‎05-03-2020

I do not want to see time results incoming within 5 minutes.
for example, if search result is below
_time
10:00
10:01
10:02
10:03
10:04
10:05

I do not want to see the result 10:01 to 10:04
I only want to see search result below
_time
10:00
10:05

Is it possible?
Thanks

How can I delete search data result incoming within 5 minutes?

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...