Splunk Search

How to get next 10th minute for the field time in Splunk?

Veeru
Path Finder

I am getting the output time but I want to round the time value to the next 10th minute.
The expected output is the rounded_time.
Can anyone please guide me on how to write a query for this?

File time                  Rounded time
07/19/2022 12:16:48.303    07/19/2022 12:20:00.000
07/19/2022 12:11:36.660    07/19/2022 12:20:00.000
07/19/2022 09:33:48.091    07/19/2022 09:40:00.000
07/19/2022 00:30:24.749    07/19/2022 00:40:00.000

ITWhisperer
SplunkTrust

| eval roundedTime=relative_time(fileTime,"+10m@10m")

Veeru
Path Finder

Hello @ITWhisperer

One more thing: when it is 07/19/2022 12:16:48.303 it should round to 07/19/2022 12:20:00.000,
and when it is 07/19/2022 00:30:48.303 it should round to 00:40:00.000.

I tried this way:
| eval file_time=strptime(filetime,"%m/%d/%Y %H:%M:%S.%Q")
| eval time=relative_time(file_time,"+10m@m")
| eval fileTime=strftime(time,"%m/%d/%Y %H:%M:%S.%Q")
| table filetime file_time time fileTime

but I got
07/18/2022 22:40:32.795 -> 07/18/2022 22:50:00.000
07/18/2022 22:44:37.611 -> 07/18/2022 22:54:00.000 (here it should round to 07/18/2022 22:50:00.000)

ITWhisperer
SplunkTrust

Perhaps that's because you didn't do exactly as I suggested?

Veeru
Path Finder

@ITWhisperer I just copied the same thing you gave and changed the field name, that's it.
Yes, the field is in string format, so I converted it to date format, yet 10@10m isn't working.

ITWhisperer
SplunkTrust

Sorry, you are right (I was looking at the wrong results) - try this instead

| bin span=10m fileTime as roundedTime
| eval roundedTime=roundedTime+600

Veeru
Path Finder

@ITWhisperer

Thanks for the help. It works fine.

Can I know what the 600 is that we are adding?

ITWhisperer
SplunkTrust

There are 600 seconds in 10 minutes - the bin takes the time back to the start of the 10-minute bucket; you wanted the end of the bucket, hence the additional 600 seconds.
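The bin-plus-600 approach from the accepted answer, reproduced in Python as an added example (not code from this thread): it runs on the sample values from the question, shows why the earlier "+10m@m" attempt landed on 22:54 instead of 22:50, and covers a value already sitting on a 10-minute boundary, which the thread does not discuss. Timestamps are treated as UTC; that is an assumption of the example, not something the thread states.

```python
from datetime import datetime, timezone

# Constructed sample input: the four "File time" values from the question plus
# one boundary case (exactly on a 10-minute mark) that the thread does not cover.
SAMPLE_TIMES = [
    "07/19/2022 12:16:48.303",
    "07/19/2022 12:11:36.660",
    "07/19/2022 09:33:48.091",
    "07/19/2022 00:30:24.749",
    "07/19/2022 12:20:00.000",
]
FMT = "%m/%d/%Y %H:%M:%S.%f"  # Python's %f stands in for Splunk's %Q
BUCKET = 600                   # 10 minutes in seconds: the "600" from the answer

def parse_epoch(text: str) -> float:
    """strptime equivalent: display string -> epoch seconds (assumed UTC)."""
    return datetime.strptime(text, FMT).replace(tzinfo=timezone.utc).timestamp()

def floor_to_bucket(epoch: float, span: int = BUCKET) -> float:
    """What `bin span=10m` does: snap down to the start of the bucket."""
    return epoch - (epoch % span)

def next_bucket_end(epoch: float, span: int = BUCKET) -> float:
    """bin + 600: the end of the bucket the value falls in.
    A value exactly on a boundary moves a full bucket forward."""
    return floor_to_bucket(epoch, span) + span

def ceil_to_bucket(epoch: float, span: int = BUCKET) -> float:
    """True ceiling variant: a value already on a boundary is left unchanged."""
    return epoch if epoch % span == 0 else next_bucket_end(epoch, span)

def minute_snap_plus_ten(epoch: float) -> float:
    """Reproduces the failed attempt relative_time(x, "+10m@m"):
    snap to the start of the *minute*, then add 10 minutes."""
    return floor_to_bucket(epoch, 60) + BUCKET

def format_time(epoch: float) -> str:
    """strftime equivalent back to the display format with 3 fraction digits."""
    return datetime.fromtimestamp(epoch, timezone.utc).strftime(FMT)[:-3]

def rounded_times(texts, strict_ceiling: bool = False):
    """Round each display string up to the next 10-minute mark."""
    fn = ceil_to_bucket if strict_ceiling else next_bucket_end
    return [format_time(fn(parse_epoch(t))) for t in texts]

if __name__ == "__main__":
    for src, dst in zip(SAMPLE_TIMES, rounded_times(SAMPLE_TIMES)):
        print(src, "->", dst)
```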

Veeru
Path Finder

Hello @ITWhisperer

(screenshot attached: Veeru_0-1658230358739.png)

Not giving any results.

ITWhisperer
SplunkTrust

Is filetime a string?