
I fairly often schedule my searches

earliest=-1h@h latest=@h

so that I know that whatever time it actually ends up getting run, it will always cover exactly the 60 minutes of the previous hour.

Is it possible to do the same thing for every half hour?

asked 24 May '11, 12:12

mslvrstn


3 Answers:

You can either add to earliest or subtract from latest:

Second half of previous hour...

earliest=-1h@h+30m latest=@h

First half of previous hour...

earliest=-1h@h latest=@h-30m

answered 24 May '11, 12:20

bwooden ♦

edited 24 May '11, 12:25

While that definitely taught me something about the snap-to (I didn't know you could do math on the right-hand side (and I don't see anything in the docs that implies that you can)), it doesn't really get me what I was looking for, which was to snap to the previous half-hour. With the math, I can schedule either the first or last half hour of the previous hour, but I really just want the previous half hour.

(24 May '11, 13:36) mslvrstn

Run the job as two schedules, one targeting the first half hour targeted to run on the 30 minute boundary, the other to target the second half hour running on the hour boundary.

(15 Aug '13, 04:22) grijhwani

You should be able to do that:

http://www.splunk.com/base/Documentation/latest/User/ChangeTheTimeRangeOfYourSearch

Syntax for relative time modifiers

You can define the relative time in your search with a string of characters that indicate time amount (integer and unit) and, optionally, a "snap to" time unit: [+|-]<time_integer><time_unit>@<time_unit>. Also, when specifying relative time, you can use now to refer to the current time.

1. Begin your string with a plus (+) or minus (-) to indicate the offset of the time amount.

2. Define your time amount with a number and a unit; the supported time units are:

    second: s, sec, secs, second, seconds
    minute: m, min, minute, minutes
    hour: h, hr, hrs, hour, hours
    day: d, day, days
    week: w, week, weeks
    month: mon, month, months
    quarter: q, qtr, qtrs, quarter, quarters
    year: y, yr, yrs, year, years

When specifying single time amounts, the number one is implied; 's' is the same as '1s', 'm' is the same as '1m', etc.

Note: The abbreviations w0, w1, w2, w3, w4, w5 and w6 are reserved for specifying "snap to" days of the week; where w0 is Sunday, w1 is Monday, etc. When you snap to a week, @w or @week, it is equivalent to snapping to Sunday or @w0.

Note: When you specify @q, @qtr, or @quarter, it snaps to the beginning of the most recent quarter: Jan 1, Apr 1, July 1, or Oct 1.

3. If you want, specify a "snap to" time unit; this indicates the nearest or latest time to which your time amount rounds down. A relative time modifier is also allowed to contain only a "snap to" time unit.

If you don't specify a "snap to" time unit, Splunk snaps automatically to the second.

Separate the time amount from the "snap to" time unit with an "@" character. You can use any of the time units listed in Step 2. Additionally, you can "snap to" a specific day of the week, such as last Sunday or last Monday. To do this, use @w0 for Sunday, @w1 for Monday, etc.

Important: When snapping to the nearest or latest time, Splunk always snaps backwards or rounds down to the latest time not after the specified time. For example, if it is 11:59:00 and you "snap to" hours, you will snap to 11:00 not 12:00.

Important: If you don't specify a time offset before the "snap to" amount, Splunk interprets the time as "current time snapped to" the specified amount. For example, if it is currently 11:59 PM on Friday and you use @w6 to "snap to Saturday", the resulting time is the previous Saturday at 12:01 AM.

answered 24 May '11, 12:20

jbsplunk ♦
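
Added example (not part of the original posts, and not Splunk's code): a small Python model of the relative time syntax quoted above, used to check which window each of the two schedules from grijhwani's comment would search when the job starts a little late. The modifiers in SCHEDULES, left-to-right evaluation of chained offsets and snaps, and the names resolve, snap_down and window are assumptions of this sketch.

```python
import re
from datetime import datetime, timedelta

# Fixed-length units from the quoted syntax; week/month/quarter/year are not modelled here.
ALIASES = {"s": "s sec secs second seconds", "m": "m min minute minutes",
           "h": "h hr hrs hour hours", "d": "d day days"}
UNIT = {name: key for key, names in ALIASES.items() for name in names.split()}
SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
TOKEN = re.compile(r"([+-])(\d*)([a-z]+)|@([a-z]+)")

def snap_down(t, unit):
    """Round t down to the start of the unit (snapping never moves forward)."""
    t = t.replace(microsecond=0)
    if unit in ("m", "h", "d"):
        t = t.replace(second=0)
    if unit in ("h", "d"):
        t = t.replace(minute=0)
    if unit == "d":
        t = t.replace(hour=0)
    return t

def resolve(modifier, now):
    """Apply offsets and snaps left to right, e.g. '-1h@h+30m'."""
    if modifier == "now":
        return now
    t, pos = now, 0
    while pos < len(modifier):
        m = TOKEN.match(modifier, pos)
        key = UNIT.get(m.group(3) or m.group(4)) if m else None
        if key is None:
            raise ValueError(f"unsupported modifier: {modifier!r}")
        if m.group(4):                      # "@unit": snap backwards
            t = snap_down(t, key)
        else:                               # "+Nunit" / "-Nunit"; N defaults to 1
            delta = timedelta(seconds=int(m.group(2) or 1) * SECONDS[key])
            t = t + delta if m.group(1) == "+" else t - delta
        pos = m.end()
    return t

# Two schedules keyed by cron minute (assumed modifiers, built from the math shown above).
SCHEDULES = {0: ("-1h@h+30m", "@h"),   # runs on the hour: second half of previous hour
             30: ("@h", "@h+30m")}     # runs at :30: first half of the current hour

def window(run_time):
    """Return (earliest, latest) for the schedule that fires at run_time."""
    earliest, latest = SCHEDULES[0 if run_time.minute < 30 else 30]
    return resolve(earliest, run_time), resolve(latest, run_time)

if __name__ == "__main__":
    for run in (datetime(2011, 5, 24, 12, 0, 45), datetime(2011, 5, 24, 12, 31, 10)):
        print(run, "->", *window(run))   # constructed, slightly late run times
```

Each schedule stays correct only while its run starts within 30 minutes of its boundary; a run delayed past the next boundary resolves to a different window.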


answered 14 Aug '13, 16:39

charleswheelus

Asked: 24 May '11, 12:12

Seen: 1,605 times

Last updated: 15 Aug '13, 04:22

Copyright © 2005-2014 Splunk Inc. All rights reserved.