Splunk Search

How to set time frame for base search as 30 minute interval?

Path Finder

Hi Everyone,

Need your help in order to resolve an issue.

I need the time frame for the base search of my dashboard to be 30 minutes.

Meaning, if the present time is 2:25, the base search should run for 2:00 to 2:25, and if the present time is 2:39, the base search should run for 2:30 to 2:39.

Is the above scenario possible?

Please help me out.

Thanks in Advance.
Nikks


SplunkTrust

Hi @nilaksh92,

Can you please try the below sample search? I have used index=_internal as a sample search, so change it as per your requirement.

index=_internal earliest=-30m latest=now | eval date_minute=strftime(_time,"%M") | eval flag=date_minute/30, num=if(date_minute<30,0,1) | where flag=num | stats min(_time) as MINI max(_time) as MAXI | eval MINI=strftime(MINI,"%d/%m/%Y %I:%M:%S:%p") | eval MAXI=strftime(MAXI,"%d/%m/%Y %I:%M:%S:%p")

This search will return the start time and end time.

If you want to use this 30 min rolling window for all panels, then use the below search block and use MyEarliest as the earliest time in all panels.

<search>
  <query>index=_internal | eval flag=date_minute/30, num=if(date_minute&lt;30,0,1) | where flag=num | stats min(_time) as MINI</query>
  <earliest>-30m</earliest>
  <latest>now</latest>
  <preview>
    <set token="MyEarliest">$result.MINI$</set>
  </preview>
</search>

I hope it will help you.

Happy Splunking


Path Finder

Thanks Kamlesh 🙂


Path Finder

To get the last 30 minutes, it is just

earliest=-30m latest=now

Looking at your examples, you are actually describing snapping to the last multiple of 30 minutes. The below search should give you what you want.

| makeresults | eval latest=now(), minutes=strftime(now(), "%M"), earliest=relative_time(now(), "@h".case(minutes==0, "-30m", minutes<=30, "", 1=1, "+30m"))
| eval latest=strftime(latest, "%Y-%m-%d %H:%M:%S"), earliest=strftime(earliest, "%Y-%m-%d %H:%M:%S")

Example usage

Your search [| makeresults | eval latest=now(), minutes=strftime(now(), "%M"), earliest=relative_time(now(), "@h".case(minutes==0, "-30m", minutes<=30, "", 1=1, "+30m")) | table latest, earliest]

Note this is a very weird use case.

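Putting the two answers together, here is an added example (not from either poster) of a complete Simple XML dashboard: the half-hour snapping from the relative_time search becomes the base search, its result is stored in tokens via <done> rather than <preview>, and a panel consumes those tokens as its earliest and latest. The dashboard label, token names and the timechart panel are assumptions; index=_internal is the thread's sample index.

```xml
<!-- Added example, not the thread's own code: dashboard whose panel window
     snaps to the current half hour (2:25 -> 2:00..2:25, 2:39 -> 2:30..2:39). -->
<form>
  <label>Half-hour window (example)</label>

  <!-- Base search: computes the window boundaries once, at search time.
       <done> fires when the search completes, so tokens are set exactly once. -->
  <search id="window">
    <query>
      | makeresults
      | eval minutes=tonumber(strftime(now(), "%M"))
      | eval win_earliest=relative_time(now(), "@h".case(minutes==0, "-30m", minutes&lt;=30, "", 1=1, "+30m"))
      | eval win_latest=now()
      | eval win_label=strftime(win_earliest, "%H:%M")." - ".strftime(win_latest, "%H:%M")
      | table win_earliest win_latest win_label
    </query>
    <done>
      <set token="MyEarliest">$result.win_earliest$</set>
      <set token="MyLatest">$result.win_latest$</set>
      <set token="MyLabel">$result.win_label$</set>
    </done>
  </search>

  <row>
    <panel>
      <title>Events in window $MyLabel$</title>
      <!-- depends= holds the panel until both tokens exist, so it never
           runs with an unset (empty) earliest/latest. -->
      <chart depends="$MyEarliest$,$MyLatest$">
        <search>
          <!-- index=_internal is the thread's sample; substitute your own index -->
          <query>index=_internal | timechart span=1m count</query>
          <!-- epoch values are accepted directly as time bounds -->
          <earliest>$MyEarliest$</earliest>
          <latest>$MyLatest$</latest>
        </search>
      </chart>
    </panel>
  </row>
</form>
```

Note that `<` inside a `<query>` element must be written as `&lt;`, otherwise the dashboard XML fails to parse; `now()` is the search start time, so all panels see the same boundaries.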