Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to create a search to show a trending single value for the last 60 minutes of data with a trending arrow comparing the previous 60 minutes?

mattusr
Explorer
‎12-11-2015 08:22 AM

Hi,

Sorry if this has been answered before, however, I am struggling with a search that I am trying to build.

The ideal result that I am trying to achieve is the following.

I wanted to create a search that could be used as a single value element with a trending arrow. So currently I am doing the following search 

index=main machine_ip="xx.xx.xx.xx" http_status=200 | dedup user_ip | timechart span=60m count

However, this searches the last hour (if only 5 minutes into the hour the current hour will only have 5 minutes of data and therefore always be playing catch up to the previous hour).

Therefore I want to change this so it shows the continuous last 60 minutes. So if the search is run at 15.05 the single value would show 14:05 to 15:05 and the trend arrow and value with compare 13:05 to 14:05.

Please let me know if you require any further information.

Reply
1 Solution
Solved! Jump to solution
Solution

hylam
Contributor
‎12-14-2015 07:18 PM

index=_internal | timechart span=1m count | eval _time=_time-now()%3600 | timechart span=1h sum(count) as count | tail 3 | tail 2 | eval _time=_time+now()%3600

EDIT1
Dont forget to select "last 120 minutes" on the time picker

alt text

View solution in original post

Preview file
1 KB
Reply
Solved! Jump to solution
Solution

hylam
Contributor
‎12-14-2015 07:18 PM

index=_internal | timechart span=1m count | eval _time=_time-now()%3600 | timechart span=1h sum(count) as count | tail 3 | tail 2 | eval _time=_time+now()%3600

EDIT1
Dont forget to select "last 120 minutes" on the time picker

alt text

Preview file
1 KB
Reply
Solved! Jump to solution

mattusr
Explorer
‎12-15-2015 06:17 AM

Brilliant that works!! If it not too much trouble is there any chance you could provide a brief explanation of the search? Thank you!

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...