×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
lavanya413
New Member
Member since: ‎10-11-2017
‎06-05-2020
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎10-11-2017
View All

Re: Using bucket span of 1 minute, the logs will b...

by in Splunk Search
‎10-11-2017 12:12 PM
‎10-11-2017 12:12 PM
Basically, if you want your minute spans to start at x=25 seconds after the minute, use something like this... | eval _time = _time -25 | bucket _time span=1m | eval _time = _time +25 Now that you understand, here's the efficient way, since it's streaming distributable. | eval _time = 25+60*floor( (_time-25)/60) ... and if you want the low end to start exactly at the low end of your search time, then use addinfo and calculate it this way | addinfo | eval mysecond = floor(info_min_time) - 60*floor(info_min_time/60) | eval _time = mysecond+60*floor( (_time-mysecond)/60) ...or possibly... | addinfo | eval _time = floor(info_min_time) + 60*floor((_time - info_min_time)/60) Those two will give fractionally different results, but the second one should be slightly quicker, I would think. ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:03 AM