Other Usage
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Latest set to most recent increment of 5 minutes

dstuder
Communicator
‎12-21-2021 10:05 AM

I've got a report that is run on a schedule every five minutes. I would like the "latest" to be set to the most recent increment of 5 minutes. This solution used to work but no longer appears to. Does anyone have any thoughts for how to achieve this? I cannot simply rely on latest=now() because the report certainly will not always run exactly at the correct time. So, I need to be able to snap to the latest 5 minutes so that my counts do not get improperly calculated.

Edit:

Here is my base search. I'm trying to get latest to snap to the most recent five minute increment. It's not returning any results.

index=_internal source=*license_usage.log* type=Usage earliest=-0d@d ([makeresults | eval latest=(floor(now()/300))*300 | fields latest])

However, if I do something like this is does return results. I don't want this ... I was just testing to see if the syntax was messed up or something. The above base search is what I want because it snaps latest to the most recent five minute increment of the hour.

index=_internal source=*license_usage.log* type=Usage earliest=-0d@d ([makeresults | eval latest=relative_time(now(), "-m") | fields latest])

 Why does relative_time(now(), "-m") work but (floor(now()/300))*300 doesn't?

Labels (2)
Reply
1 Solution
Solved! Jump to solution
Solution

dstuder
Communicator
‎12-21-2021 11:40 AM

After much fiddling I figured it out and its odd. The issue was the extra parenthesis around the floor. So this does not work.

([makeresults | eval latest=(floor(now()/300))*300 | fields latest])

 But this does work. Not sure why it cares about the extra parenthesis ... but oh well.

([makeresults | eval latest=floor(now()/300)*300 | fields latest])

 

View solution in original post

Reply
Solved! Jump to solution
Solution

dstuder
Communicator
‎12-21-2021 11:40 AM

After much fiddling I figured it out and its odd. The issue was the extra parenthesis around the floor. So this does not work.

([makeresults | eval latest=(floor(now()/300))*300 | fields latest])

 But this does work. Not sure why it cares about the extra parenthesis ... but oh well.

([makeresults | eval latest=floor(now()/300)*300 | fields latest])

 

Reply
Solved! Jump to solution

Stefanie
Builder
‎12-21-2021 10:34 AM

What is your search and what is it returning instead of the most recent 5 minutes?

If youre looking to run the report using data from 5 minutes ago, you would use earliest=-5m .

0 Karma
Reply
Solved! Jump to solution

dstuder
Communicator
‎12-21-2021 11:10 AM

I'm trying to get everything today snapped to the most recent five minute increment. So, if it ran at 9:42 AM I would get everything today up to 9:40 AM.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...