Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to display only the result corresponding to the current time?

jip31
Motivator
‎04-27-2022 09:28 AM

hello

From the search below, I need to display only the result corresponding to the current time

It means that if it's 17h15, i need to display only the count value corresponding to 17h15 in my search

 

 

`tutu` sourcetype="session"  
| bin _time span=15m 
| stats dc(s) as count by _time

 

 

 The time format is 2022-04-27 17:15:00

could you help please?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

smurf
Communicator
‎04-28-2022 09:47 AM

Hi,

You have to take current time and deduct 15 minutes from it, after that you can compare _time from the event with your variable.


`tutu` sourcetype="session" 
| bin _time span=15m 
| stats dc(s) as count by _time 
| eval current_time = relative_time(now(), "-15m") 
| where _time >= current_time

View solution in original post

0 Karma
Reply
Solved! Jump to solution

PickleRick
SplunkTrust
SplunkTrust
‎04-28-2022 11:21 AM

Honestly, I don't understand the point of this exercise.

It's best to filter the data as early as possible so you should rather limit the input data with earliest/latest or timepicker. There's no point of calculating stats over other periods if you're gonna discard those results immediately.

Unless you have some need that I don't understand.

0 Karma
Reply
Solved! Jump to solution
Solution

smurf
Communicator
‎04-28-2022 09:47 AM

Hi,

You have to take current time and deduct 15 minutes from it, after that you can compare _time from the event with your variable.


`tutu` sourcetype="session" 
| bin _time span=15m 
| stats dc(s) as count by _time 
| eval current_time = relative_time(now(), "-15m") 
| where _time >= current_time
0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...