I am getting the output time but i want to round the time value for next 10th minute.
the excepted output is the rounded_time.
can anyone please guide me how to write a query for this
File time | rounded time |
07/19/2022 12:16:48.303 | 07/19/2022 12:20:00.000 |
07/19/2022 12:11:36.660 | 07/19/2022 12:20:00.000 |
07/19/2022 09:33:48.091 | 07/19/2022 09:40:00.000 |
07/19/2022 00:30:24.749 | 07/19/2022 00:40:00.000 |
Sorry, you are right (I was looking at the wrong results) - try this instead
| bin span=10m fileTime as roundedTime
| eval roundedTime=roundedTime+600
| eval roundedTime=relative_time(fileTime,"+10m@10m")
hello @ITWhisperer
one more thing when it is 07/19/2022 12:16:48.303 it should round to 07/19/2022 12:20:00.000
and when it is 07/19/2022 00:30:48.303 it should round to 00:40:00.000
i tried this way
|eval file_time=strptime(filetime,"%m/%d/%Y %H:%M:%S.%Q")
| eval time=relative_time(file_time,"+10m@m")
|eval fileTime=strftime(time,"%m/%d/%Y %H:%M:%S.%Q")
| table filetime file_time time fileTime
but i got
07/18/2022 22:40:32.795 ->07/18/2022 22:50:00.000
07/18/2022 22:44:37.611 -> 07/18/2022 22:54:00.000 here it should round to 07/18/2022 22:50:00.000
Perhaps that's because you didn't do exactly as I suggested?
@ITWhisperer I just copy the same you gave and change the field name that's it.
yes the field is in string format so i converted it to date format yet 10@10m isn't working
Sorry, you are right (I was looking at the wrong results) - try this instead
| bin span=10m fileTime as roundedTime
| eval roundedTime=roundedTime+600
There are 600 seconds in 10 minutes - the bin takes the time back to the start of the 10 minute bucket; you wanted the end of the bucket, hence the additional 600 seconds
Is filetime a string?