Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How do I round the time to up/down to the nearest ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi
I'm fairly new to Splunk and I need to round my time field up/down to the nearest hour.
For example...
If now returns 09:26:52 I want it to be rounded to 09:00:00, if the time is 14:36:18 then 15:00:00.
I have searched and can't find or understand how to do this. Is there someone help me with how?
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@darls15 , if now is your field you can try the following to round off hours time. However some case()may need to be added/changed as per your use case.
<yourCurrentSearch>
| rex field=now "(?<Hour>[^:]+):(?<Minute>[^:]+):(?<Seconds>\d+)"
| eval rounded_hour=case(Seconds>30 AND Minute>29,Hour+1,
Minute>30,Hour+1,
true(),Hour).":00".":00"
Following is run anywhere example you can use to test:
| makeresults
| eval now="14:36:18"
| rex field=now "(?<Hour>[^:]+):(?<Minute>[^:]+):(?<Seconds>\d+)"
| eval rounded_hour=case(Seconds>30 AND Minute>29,Hour+1,
Minute>30,Hour+1,
true(),Hour).":00".":00"
Above computes 09:29:31 as 09:00:00,
09:30:00 as 09:00:00,
09:30:30 as 09:00:00
but 09:30:31 as 10:00:00.
09:31:00 as 10:00:00,
and 09:31:31 as 10:00:00
So in case your expectations are different. Please change as per your needs.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@darls15 , if now is your field you can try the following to round off hours time. However some case()may need to be added/changed as per your use case.
<yourCurrentSearch>
| rex field=now "(?<Hour>[^:]+):(?<Minute>[^:]+):(?<Seconds>\d+)"
| eval rounded_hour=case(Seconds>30 AND Minute>29,Hour+1,
Minute>30,Hour+1,
true(),Hour).":00".":00"
Following is run anywhere example you can use to test:
| makeresults
| eval now="14:36:18"
| rex field=now "(?<Hour>[^:]+):(?<Minute>[^:]+):(?<Seconds>\d+)"
| eval rounded_hour=case(Seconds>30 AND Minute>29,Hour+1,
Minute>30,Hour+1,
true(),Hour).":00".":00"
Above computes 09:29:31 as 09:00:00,
09:30:00 as 09:00:00,
09:30:30 as 09:00:00
but 09:30:31 as 10:00:00.
09:31:00 as 10:00:00,
and 09:31:31 as 10:00:00
So in case your expectations are different. Please change as per your needs.
| makeresults | eval message= "Happy Splunking!!!"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @niketn,
I'm fairly new to Splunk but what if I need to round my time field up/down to the nearest 5th minute.
For example...
My time field returns 02/24/2022 09:26:52 I want it to be rounded to 02/24/2022 09:25:00, and if the time is 02/24/2022 14:58:10 then 02/24/2022 15:00:00.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you so much niketnilay ... works perfectly!
Leveraging Automated Threat Analysis Across the Splunk Ecosystem
Can’t Make It to Boston? Stream .conf25 and Learn with Haya Husain
Splunk Lantern’s Guide to The Most Popular .conf25 Sessions
