Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create Splunk search to check the last 15 minutes then increment by 1 minute?

Baragatti
Observer
‎02-08-2023 09:13 PM

For example:

i have been hitting the pavement trying to figure out a search query for events that happened between 3:00 and 3:15, my next search should be 3:01 to 3:16 and so on then count all the total events that occured in the 15 minutes buckets.

thank you guys in advance for any help and suggestions is greatly appreciated. 🙂

Labels (1)
Labels
Tags (1)
0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎02-08-2023 09:42 PM

or do you mean you want to run a say, say for 1 hour from 3 to 4 and then give a rolling 15 minute window of counts, e.g. this example searches the last hour

index=_audit
earliest=-h@h latest=@h
| bin _time span=1m
| stats count by _time
| streamstats time_window=15m sum(count) as total

this will make a count of every minute (bin+stats)

and then use streamstats to count the rolling 15 minute window

Note the first 15 rows will just be the count of the previous X minutes upto the 15th minute then it will roll for a 15 minute window

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎02-08-2023 09:37 PM

Do you mean you want to write a saved search that runs at 3:15 that looks for data in the last 15 minutes, then again it runs at 3:16 and so on?

Just set the time range for

earliest=-15m@m latest=@m

which will search from the start of the 15th minute ago to the start of the current minute.

0 Karma
Reply

Baragatti
Observer
‎02-08-2023 09:54 PM

Thank you for your response.

No , not a saved search. the 3:00 to 3:15 is just an example

I just want to check for example the last hour and break it in 15 minutes.

lets say I started my search at 4:00 i want to see the last 60 minutes broken by minutes and every 15 minutes  are grouped in a bucket.

So, for the last hour will look like this 3:00 to 3:15 in bucket 1, The next group of 15 minutes should be 3:01 to 3:16 in Bucket 2 and the next one should be 3:02 to 3:17 bucket 3 and so on.

 

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎02-09-2023 04:31 PM

So the streamstats example will do that

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...