Splunk Search

How to not let "Span" overwrite earliest time value

Path Finder

Let's say it is 2/6/17 at 2:18am and I have the following query...

... earliest=-1d@m | bin _time span=10m ...

I would like the timestamps to start at 2/5/17 02:18:00. However they start at 2/5/17 02:10:00. How do I keep my desired bin sizes without overwriting the earliest time value?

0 Karma

SplunkTrust

If you want time bucketed on something other than the even increments, then you have to cheat a bit. Basically, you have to calculate an offset time, bin THAT, and then add back the offset. The following code assumes the data is non-sparse enough that there will be at least one event in the first 10 minute increment.

| addinfo
| eval MyBinField = _time - info_min_time
| bin MyBinField span=10m
| eval MyBinField = MyBinField + info_min_time

Sometimes when doing time binning, there is value in tossing in a fake start and end point before invoking the bin command.

| addinfo
| eval MyBinField = _time - info_min_time
| append [|makeresults | eval MyBinField=0 | eval FakeFlag="DeleteMe"]
| bin MyBinField span=10m
| where isnull(FakeFlag) OR FakeFlag!="DeleteMe"
| eval MyBinField = MyBinField + info_min_time
0 Karma
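Added illustration, not part of the answer above: a small Python model of the two alignments, using the asker's own timestamps (times treated as UTC for determinism; the sample events are constructed). `bin` counts 10-minute buckets from epoch 0, while the offset trick counts them from info_min_time, which is why 02:18:30 lands in a 02:10 bucket in the first case and a 02:18 bucket in the second.

```python
from datetime import datetime, timezone

SPAN = 10 * 60  # span=10m, in seconds


def bin_epoch_aligned(t: int, span: int = SPAN) -> int:
    """Model of `bin _time span=10m`: buckets are counted from epoch 0."""
    return t - (t % span)


def bin_offset_aligned(t: int, info_min_time: int, span: int = SPAN) -> int:
    """Model of the workaround: shift by info_min_time, bin, shift back."""
    offset = t - info_min_time                # eval MyBinField = _time - info_min_time
    offset_bin = offset - (offset % span)     # bin MyBinField span=10m
    return offset_bin + info_min_time         # eval MyBinField = MyBinField + info_min_time


def to_epoch(s: str) -> int:
    dt = datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def fmt(t: int) -> str:
    return datetime.fromtimestamp(t, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


# Constructed sample: earliest=-1d@m evaluated at 2017-02-06 02:18:00 gives
# info_min_time = 2017-02-05 02:18:00; four events spread over the first hour.
INFO_MIN_TIME = to_epoch("2017-02-05 02:18:00")
EVENTS = [to_epoch(s) for s in (
    "2017-02-05 02:18:30",
    "2017-02-05 02:27:59",
    "2017-02-05 02:28:00",
    "2017-02-05 03:03:12",
)]


def compare(events, info_min_time):
    """Return (event time, epoch-aligned bucket, offset-aligned bucket) per event."""
    return [(fmt(t), fmt(bin_epoch_aligned(t)), fmt(bin_offset_aligned(t, info_min_time)))
            for t in events]


if __name__ == "__main__":
    for row in compare(EVENTS, INFO_MIN_TIME):
        print(row)
```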

SplunkTrust

The bucketing of events using span is independent of the earliest/latest value of the time range. My understanding is that buckets start based on the timestamp of 0 (01 Jan 1970 00:00:00) and are counted from there, not based on the earliest date. If you want your bucket to start from a specific time, not the default bucket time, then you may be able to achieve that by manipulating the _time field before and after the timechart. Could you share your full query to check if the workaround is feasible?

0 Karma