Solved: How to display only the result corresponding to th...

jip31 · ‎04-27-2022

hello

From the search below, I need to display only the result corresponding to the current time

It means that if it's 17h15, i need to display only the count value corresponding to 17h15 in my search

`tutu` sourcetype="session"  
| bin _time span=15m 
| stats dc(s) as count by _time

The time format is 2022-04-27 17:15:00

could you help please?

smurf · ‎04-28-2022

Hi,

You have to take current time and deduct 15 minutes from it, after that you can compare _time from the event with your variable.


`tutu` sourcetype="session" 
| bin _time span=15m 
| stats dc(s) as count by _time 
| eval current_time = relative_time(now(), "-15m") 
| where _time >= current_time

View solution in original post

PickleRick · ‎04-28-2022

Honestly, I don't understand the point of this exercise.

It's best to filter the data as early as possible so you should rather limit the input data with earliest/latest or timepicker. There's no point of calculating stats over other periods if you're gonna discard those results immediately.

Unless you have some need that I don't understand.

smurf · ‎04-28-2022

Hi,

You have to take current time and deduct 15 minutes from it, after that you can compare _time from the event with your variable.


`tutu` sourcetype="session" 
| bin _time span=15m 
| stats dc(s) as count by _time 
| eval current_time = relative_time(now(), "-15m") 
| where _time >= current_time

How to display only the result corresponding to the current time?

other

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!