Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to get next 10th minute for the field time in Splunk?

Veeru
Path Finder
‎07-19-2022 03:15 AM

I am getting the output time but i want to round the  time value for next 10th minute.
the excepted output is the rounded_time.
can anyone please guide me how to write a query for this

File time rounded time
07/19/2022 12:16:48.303 07/19/2022 12:20:00.000
07/19/2022 12:11:36.660 07/19/2022 12:20:00.000
07/19/2022 09:33:48.091 07/19/2022 09:40:00.000
07/19/2022 00:30:24.749 07/19/2022 00:40:00.000
Labels (2)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-19-2022 05:57 AM

Sorry, you are right (I was looking at the wrong results) - try this instead

| bin span=10m fileTime as roundedTime
| eval roundedTime=roundedTime+600

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-19-2022 03:25 AM 
| eval roundedTime=relative_time(fileTime,"+10m@10m")
0 Karma
Reply
Solved! Jump to solution

Veeru
Path Finder
‎07-19-2022 04:47 AM

hello @ITWhisperer 

one more thing when it is 07/19/2022 12:16:48.303 it should round to 07/19/2022 12:20:00.000
and when it is  07/19/2022  00:30:48.303 it should round to 00:40:00.000

i tried this way
|eval file_time=strptime(filetime,"%m/%d/%Y %H:%M:%S.%Q")
| eval time=relative_time(file_time,"+10m@m")
|eval fileTime=strftime(time,"%m/%d/%Y %H:%M:%S.%Q")
| table filetime file_time time fileTime

but i got
07/18/2022 22:40:32.795 ->07/18/2022 22:50:00.000
07/18/2022 22:44:37.611 -> 07/18/2022 22:54:00.000 here it should round to 07/18/2022 22:50:00.000

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-19-2022 04:57 AM

Perhaps that's because you didn't do exactly as I suggested?

0 Karma
Reply
Solved! Jump to solution

Veeru
Path Finder
‎07-19-2022 05:07 AM

@ITWhisperer  I just copy the same  you gave  and change the field name that's it.
yes the field is in string format so i converted it to date format yet 10@10m  isn't working

Tags (1)
0 Karma
Reply
Solved! Jump to solution
Solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-19-2022 05:57 AM

Sorry, you are right (I was looking at the wrong results) - try this instead

| bin span=10m fileTime as roundedTime
| eval roundedTime=roundedTime+600
0 Karma
Reply
Solved! Jump to solution

Veeru
Path Finder
‎07-19-2022 09:57 PM

@ITWhisperer 

 

Thanks for the help.it works fine

Can I know what is 600 we are taking

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-19-2022 10:00 PM

There are 600 seconds in 10 minutes - the bin takes the time back to the start of the 10 minute bucket; you wanted the end of the bucket, hence the additional 600 seconds

0 Karma
Reply
Solved! Jump to solution

Veeru
Path Finder
‎07-19-2022 04:33 AM

Hello @ITWhisperer 

Veeru_0-1658230358739.png

not giving any results

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-19-2022 04:54 AM

Is filetime a string?

0 Karma
Reply
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...