Hi Splunkers,

I have gotten help on this type of problem and it has been very useful. However, I am still stuck, but almost there, and need some guidance.

Scenario: Ingestion_Time_Logged, which is the field I created, should occur twice within 30 min, at the 7th min and then the 37th min. If an event occurs at 6:00, Ingestion_Time_Logged should be 6:07, and if an event occurs at 6:30, Ingestion_Time_Logged should be 6:37. The min should always land on the next exact 7th min or the next exact 37th min.

This is what I have. There is an issue when the min is before the 7th min and when the min is shy of the 37th min. I am open to any suggestions; perhaps I need a new approach here.

(index=foo Type="black") OR (index="boo")
| eval CreationTime=case(Type="creation", loggedEventTime)
| eval CreationTime_epoch=strptime(CreationTime, "%Y-%m-%d %H:%M:%S.%6N")
| eval latestCreated_hour=tonumber(strftime(CreationTime_epoch, "%H"))
| eval latestCreated_min=tonumber(strftime(CreationTime_epoch, "%M"))
| eval latestCreated_sec=round(CreationTime_epoch%60,6)
| eval Ingestion_Time_Logged=strftime(case(latestCreated_hour=23 OR latestCreated_min>07,CreationTime_epoch-CreationTime_epoch_epoch%1800+2220+latestCreated_sec,CreationTime_epoch=0,CreationTime_epoch+420,1=1,CreationTime_epoch),"%Y-%m-%d %H:%M:%S.%6N")