Splunk Search

How to set time frame for base search as 30 minute interval?

nilaksh92
Path Finder

Hi Everyone,

I need your help in order to resolve an issue.

I need time frame for the base search of my dashboard as 30 minutes.

Meaning, if the present time is 2:25, the base search should run for 2:00 to 2:25, and if the present time is 2:39, the base search should run for 2:30 to 2:39.

Is the above scenario possible?

Please help me out.

Thanks in Advance.
Nikks

1 Solution

kamlesh_vaghela
SplunkTrust
SplunkTrust

Hi @nilaksh92,

Can you please try the sample search below? I have used index=_internal as a sample search, so change it as per your requirement.

index=_internal earliest=-30m latest=now | eval date_minute=strftime(_time,"%M") | eval flag=date_minute/30, num=if(date_minute<30,0,1) | where flag=num | stats min(_time) as MINI max(_time) as MAXI | eval MINI=strftime(MINI,"%d/%m/%Y %I:%M:%S:%p") | eval MAXI=strftime(MAXI,"%d/%m/%Y %I:%M:%S:%p")

This search will return the start time and end time.

If you want to use this 30-minute rolling window for all panels, then use the search block below and use MyEarliest as the earliest time in all panels.

<search>
  <query>index=_internal | eval flag=date_minute/30, num=if(date_minute<30,0,1) | where flag=num | stats min(_time) as MINI</query>
  <earliest>-30m</earliest>
  <latest>now</latest>
  <preview>
    <set token="MyEarliest">$result.MINI$</set>
  </preview>
</search>

I hope it will help you.

Happy Splunking



nilaksh92
Path Finder

Thanks Kamlesh 🙂


peterchenadded
Path Finder

To get the last 30 minutes, it is just

earliest=-30m latest=now

Looking at your examples, you are actually describing snapping to the last multiple of 30 minutes. The search below should give you what you want.

| makeresults | eval latest=_time, minutes=strftime(_time, "%M"), earliest=relative_time(_time, "@h".case(minutes==0, "-30m", minutes<=30, "", 1=1, "+30m"))
| eval latest=strftime(latest, "%Y-%m-%d %H:%M:%S"), earliest=strftime(earliest, "%Y-%m-%d %H:%M:%S")

Example usage

Your search [| makeresults | eval latest=_time, minutes=strftime(_time, "%M"), earliest=relative_time(_time, "@h".case(minutes==0, "-30m", minutes<=30, "", 1=1, "+30m")) | table latest, earliest]

Note this is a very weird use case.

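Putting the two answers together (the half-hour snap via relative_time from peterchenadded's post and the base-search token hand-off from the accepted answer), here is an added Simple XML dashboard example that is not from either poster: it computes the window boundaries once in a base search and passes them to a panel as epoch tokens. The index, sourcetype, search id and token names are placeholders chosen for the example.

```xml
<form>
  <label>Half-hour aligned base search (added example)</label>

  <!-- Base search: runs once per load and computes the window boundaries.
       makeresults gives a single row whose _time is "now", so no index is read here. -->
  <search id="half_hour_window">
    <query>
      | makeresults
      | eval minutes=tonumber(strftime(_time, "%M"))
      | eval win_start=relative_time(_time, if(minutes &lt; 30, "@h", "@h+30m"))
      | eval win_end=_time
      | eval win_label=strftime(win_start, "%H:%M") . " - " . strftime(win_end, "%H:%M")
    </query>
    <!-- done fires after the search completes; $result.X$ reads the first result row -->
    <done>
      <set token="win_start">$result.win_start$</set>
      <set token="win_end">$result.win_end$</set>
      <set token="win_label">$result.win_label$</set>
    </done>
  </search>

  <row>
    <panel>
      <!-- The panel search does not run until both tokens are set,
           so it never falls back to an unbounded time range. -->
      <title>Events in window $win_label$</title>
      <table>
        <search>
          <query>index=_internal sourcetype=splunkd | stats count by component</query>
          <earliest>$win_start$</earliest>
          <latest>$win_end$</latest>
        </search>
      </table>
    </panel>
  </row>
</form>
```

At exactly xx:00 or xx:30 the window is momentarily empty, since win_start equals win_end; within a minute the panel shows the new half hour.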