how to snap to time unit of 5 minutes

taozi021 · ‎09-27-2010

for example: if the current time 5:23:20 PM, how can i get the time 4:55:00 PM. and if the current time 5:26:12 PM, how can i get time 5:20:00 PM, and so on

i know splunk provide one minute time uint. for example -5m@m. if there is 5 minute time unit, or some alternative way to get same result?

charleswheelus · ‎08-14-2013

I think this approach might work for you:

http://answers.splunk.com/answers/99161/snap-to-5-minute-increments-in-timerange

gkanapathy · ‎09-27-2010

I don't think there is an straightforward way. However, you can express it first by finding out how many seconds are in your "snap-to" unit. For something like earliest=-15m@5m latest=-10m@5m, you can do

sourcetype=mysourcetype [ stats count | eval earliest=5*60*(floor(now()-(15*60)/(5*60))) | eval latest=5*60*(floor(now()-(10*60)/(5*60))) | fields earliest latest ]

gkanapathy · ‎09-27-2010

I'm pretty sure he wants to snap the time range of a search to the nearest 5m rather than the nearest 1m or 1d or 1h unit.

Genti · ‎09-27-2010

if i have understood you correctly you want to set the timeframe for a search. If so you can use the info found here.
This here is for absolute timeframe.
Note, you can even use epoch time if needed.

Hope this helped.
.gz

Lowell · ‎09-27-2010

Your examples don't seem to be consistent. Also, what's the context you are trying to do this in? Are you trying to set the timeframe for a search, or are you talking about date manipulation using fields with a search?

how to snap to time unit of 5 minutes

Index This | Why do they call it hyper text?

State of Splunk Careers 2023: Career Resilience and the Continued Value of Splunk

The Great Resilience Quest: 9th Leaderboard Update