Other Usage
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Latest set to most recent increment of 5 minutes

dstuder
Communicator
‎12-21-2021 10:05 AM

I've got a report that is run on a schedule every five minutes. I would like the "latest" to be set to the most recent increment of 5 minutes. This solution used to work but no longer appears to. Does anyone have any thoughts for how to achieve this? I cannot simply rely on latest=now() because the report certainly will not always run exactly at the correct time. So, I need to be able to snap to the latest 5 minutes so that my counts do not get improperly calculated.

Edit:

Here is my base search. I'm trying to get latest to snap to the most recent five minute increment. It's not returning any results.

index=_internal source=*license_usage.log* type=Usage earliest=-0d@d ([makeresults | eval latest=(floor(now()/300))*300 | fields latest])

However, if I do something like this is does return results. I don't want this ... I was just testing to see if the syntax was messed up or something. The above base search is what I want because it snaps latest to the most recent five minute increment of the hour.

index=_internal source=*license_usage.log* type=Usage earliest=-0d@d ([makeresults | eval latest=relative_time(now(), "-m") | fields latest])

 Why does relative_time(now(), "-m") work but (floor(now()/300))*300 doesn't?

Labels (2)
Reply
1 Solution
Solved! Jump to solution
Solution

dstuder
Communicator
‎12-21-2021 11:40 AM

After much fiddling I figured it out and its odd. The issue was the extra parenthesis around the floor. So this does not work.

([makeresults | eval latest=(floor(now()/300))*300 | fields latest])

 But this does work. Not sure why it cares about the extra parenthesis ... but oh well.

([makeresults | eval latest=floor(now()/300)*300 | fields latest])

 

View solution in original post

Reply
Solved! Jump to solution
Solution

dstuder
Communicator
‎12-21-2021 11:40 AM

After much fiddling I figured it out and its odd. The issue was the extra parenthesis around the floor. So this does not work.

([makeresults | eval latest=(floor(now()/300))*300 | fields latest])

 But this does work. Not sure why it cares about the extra parenthesis ... but oh well.

([makeresults | eval latest=floor(now()/300)*300 | fields latest])

 

Reply
Solved! Jump to solution

Stefanie
Builder
‎12-21-2021 10:34 AM

What is your search and what is it returning instead of the most recent 5 minutes?

If youre looking to run the report using data from 5 minutes ago, you would use earliest=-5m .

0 Karma
Reply
Solved! Jump to solution

dstuder
Communicator
‎12-21-2021 11:10 AM

I'm trying to get everything today snapped to the most recent five minute increment. So, if it ran at 9:42 AM I would get everything today up to 9:40 AM.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk App Dev Community Updates – What’s New and What’s Next

Welcome to your go-to roundup of everything happening in the Splunk App Dev Community! Whether you're building ...

The Latest Cisco Integrations With Splunk Platform!

Join us for an exciting tech talk where we’ll explore the latest integrations in Cisco + Splunk! We’ve ...

Enterprise Security Content Update (ESCU) | New Releases

In April, the Splunk Threat Research Team had 2 releases of new security content via the Enterprise Security ...