Solved: How to count every 15mins with complete time bucke...

Anita · ‎01-05-2022

If I use bin _time as time span=15m | stats count by time on 17:20 for the past 1 hour, the result would be like

...

time interval count

16:45 - 17:00 1285

17:00 - 17:15 1352

17:15 - 17:20 362

So for the last time bucket which is incomplete, there will be only 5 mins data.

Is there any way to search every 15mins backward from the current time like

...

16:35 - 16:50

16:50 - 17:05

17:05 - 17:20

Really appreciate your help!

gcusello · ‎01-05-2022

you have to use the aligntime=latest in your bin command, something like this:

your_search
| bin _time as time span=15m aligntime=latest
| stats count by time

Ciao.

Giuseppe

gcusello · ‎01-05-2022

you have to use the aligntime=latest in your bin command, something like this:

your_search
| bin _time as time span=15m aligntime=latest
| stats count by time

Ciao.

Giuseppe

Anita · ‎01-05-2022

That works!

Thank you so much for your help!

gcusello · ‎01-05-2022

good for you, see next time!

Ciao and happy splunking.

Giuseppe

P.S.: Karma Points are appreciated 😉

How to count every 15mins with complete time bucket