Splunk Search

How to count every 15mins with complete time bucket

Anita
Engager

If I use bin _time as time span=15m | stats count by time on 17:20 for the past 1 hour, the result would be like

...

time interval      count

16:45 - 17:00    1285

17:00 - 17:15    1352

17:15 - 17:20    362

So for the last time bucket which is incomplete, there will be only 5 mins data.

Is there any way to search every 15mins backward from the current time like 

...

16:35 - 16:50

16:50 - 17:05

17:05 - 17:20

Really appreciate your help!

 

 

Labels (2)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi @Anita,

you have to use the aligntime=latest in your bin command, something like this:

your_search
| bin _time as time span=15m aligntime=latest
| stats count by time 

as you can see at https://docs.splunk.com/Documentation/SplunkCloud/8.2.2111/SearchReference/Bin

Ciao.

Giuseppe

View solution in original post

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @Anita,

you have to use the aligntime=latest in your bin command, something like this:

your_search
| bin _time as time span=15m aligntime=latest
| stats count by time 

as you can see at https://docs.splunk.com/Documentation/SplunkCloud/8.2.2111/SearchReference/Bin

Ciao.

Giuseppe

0 Karma

Anita
Engager

That works! 

Thank you so much for your help!

0 Karma

gcusello
SplunkTrust
SplunkTrust

HI @Anita,

good for you, see next time!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated :winking_face:

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...