Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How can I get time span buckets to be relative to now?

pmdba
Builder
‎01-08-2015 08:56 AM

I have a query like the following that I am using to trend the number of users active in an application during a given time period. I am trying to fill a single-value item in a dashboard, with trend. 

index=test sourcetype=activity_log earliest=-30m latest=now | timechart span=15m distinct_count(username) as count | sort -_time

The problem is that if I run the search at say 11:35, I get results for the 15 minute segments 11:00-11:15, 11:15-11:30, and 11:30-11:45. The trend compares the most recent two blocks, but since the last block isn't complete (it's only 11:35 and my range is from 11:30-11:45), the trend analysis is off.

How can I get the span to bucket the results so that they are relative to now? i.e if I run my search at 11:35, how can I get my results to be in buckets from 11:05-11:20 and 11:20-11:35 so that I have two equal sized buckets for trend comparison?

Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎01-08-2015 11:10 AM

You can't do bucket times relative to now() AFAIK, although there might be some clever way.

But you can tell timechart to eliminate partial buckets: 

index=test sourcetype=activity_log earliest=-30m latest=now 
| timechart partial=f span=15m distinct_count(username) as count

View solution in original post

Reply
Solved! Jump to solution

HayesM24
Engager
‎08-05-2016 06:30 AM

Hi,I had a situation to your issue and found a way to resolve what I needed.

I wanted to flag the amount of errors that occured in the past week within certain categories that exceeded 100. I wanted to compare this weeks number to last weeks number. The number is chosen based off of a time range picker used by the product owner at the top.

index="your_search" |eval early=$timerange.latest$-604800| eval late=$timerange.latest$ |where _time > early AND _time< late| | stats SUM(SQLERR_CNT) as Total by PGM_NM SSID _time | where Total > 100 |stats count AS 1Week | appendcols [search index="your_search" |eval early=$timerange.latest$-604800*2| eval late=$timerange.latest$ |where _time > early AND _time< late| | stats SUM(SQLERR_CNT) as Total by PGM_NM SSID _time | where Total > 100 |stats count AS 2Week]

by creating an early time used the time range token and subtracting the epoch time of the bucket. 604800 is the epoch time for 1 week. Then I appended a second search where I made the earliest time two weeks ago. and the latest time one week ago.

As far as putting this trend into a single value visualization. I have found the difference between the two numbers. and then displayed that number as a single value. Green if errors went down, red if they went up drastically! I am still working on how to best visually display my info.

0 Karma
Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎01-08-2015 11:10 AM

You can't do bucket times relative to now() AFAIK, although there might be some clever way.

But you can tell timechart to eliminate partial buckets: 

index=test sourcetype=activity_log earliest=-30m latest=now 
| timechart partial=f span=15m distinct_count(username) as count
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...