Thanks for the responses. It might be down to my beginner-level Splunk skills, but I'm not seeing any results being returned with the search idea. I'm also not sure whether the timewrap command would be flexible enough to capture the 20-minute window of data every hour; I had a play around with it and had no joy. It might be useful to show the search that is working for me at the moment:

    index="firewall_std" src="10.19*.*.*" earliest=-2h@m-20m latest=-2h@m
    | dedup src
    | stats min(_time) as _time count as Count
    | eval Hour="-02"
    | fields Hour, _time, Count
    | append [search index="firewall_std" src="10.19*.*.*" earliest=-1h@m-20m latest=-1h@m
        | dedup src
        | stats min(_time) as _time count as Count
        | eval Hour="-01"
        | fields Hour, _time, Count ]
    | append [search index="firewall_std" src="10.19*.*.*" earliest=-20m@m latest=@m
        | dedup src
        | stats min(_time) as _time count as Count
        | eval Hour="00"
        | fields Hour, _time, Count ]

Unfortunately this isn't scalable or flexible, as I have to append a new search for each hour of data gathered. Is it possible to amend this so that I can run a new search at any time without the clunkiness of having to append new searches within the main search?
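One way to avoid appending a subsearch per hour, as an added example that is not from the original post or any reply: compute each event's age relative to the current minute, keep only events that fall in the last 20 minutes of each whole-hour offset (the same windows as -2h@m-20m to -2h@m and so on), then group by that offset. It assumes the same index, source filter and window boundaries as the posted search and a 24-hour lookback; dc(src) replaces dedup src followed by count, which yields the same number.

```spl
index="firewall_std" src="10.19*.*.*" earliest=-24h@m latest=@m
| eval age=relative_time(now(), "@m") - _time
| eval HourOffset=floor(age / 3600)
| where age % 3600 < 1200
| stats min(_time) as _time dc(src) as Count by HourOffset
| eval Hour=printf("-%02d", HourOffset)
| sort HourOffset
| table Hour _time Count
```

Change earliest to widen or narrow the lookback; the window width is the 1200 seconds in the where clause, and the "00" row from the posted search appears here as "-00".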