How to get a 'now()' function to return the curren...

sjanwity · ‎11-05-2014

My search is a scheduled report and calls the now()function to only get entries from a specific time away, using the relative_time method. However, the search is usually executed 2-5 seconds late (I don't know why, but that's what the splunk job report says) so I think it'll miss entries which were done 1 second past the clock. So how do I get the now() function to round down so the missing records are taken in as well?

MuS · ‎11-05-2014

Hi sjanwity,

you can not only use -1min with relative_time(), you can use also things like -1min@min or -2d@d which will snap to the minute or hour.
See the docs for more information on this topic http://docs.splunk.com/Documentation/Splunk/6.1.2/Search/Specifytimemodifiersinyoursearch

cheers, MuS

sjanwity · ‎11-05-2014

hi MuS, can I do things like now()@min? That's really what I wanted.

MuS · ‎11-05-2014

more like

relative_time(now(), "@min")

How to get a 'now()' function to return the current time rounded to the nearest minute/hour?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation