You could win up to $50,000 building Splunk apps in the Splunk>Apptitude contest. Learn more »
You can either add to earliest or subtract from latest:
Second half of previous hour...
First half of previous hour...
You should be able to do that:
Syntax for relative time modifiers
You can define the relative time in your search with a string of characters that indicate time amount (integer and unit) and, optionally, a "snap to" time unit: [+|-]@. Also, when specifying relative time, you can use now to refer to the current time.
1. Begin your string with a plus (+) or minus (-) to indicate the offset of the time amount. 2. Define your time amount with a number and a unit; the supported time units are: second: s, sec, secs, second, seconds minute: m, min, minute, minutes hour: h, hr, hrs, hour, hours day: d, day, days week: w, week, weeks month: mon, month, months quarter: q, qtr, qtrs, quarter, quarters year: y, yr, yrs, year, years When specifying single time amounts, the number one is implied; 's' is the same as '1s', 'm' is the same as '1m', etc. Note: The abbreviations w0, w1, w2, w3, w4, w5 and w6 are reserved for specifying "snap to" days of the week; where w0 is Sunday, w1 is Monday, etc. When you snap to a week, @w or @week, it is equivalent to snapping to Sunday or @w0. Note: When you specify @q, @qtr, or @quarter, it snaps to the beginning of the most recent quarter: Jan 1, Apr 1, July 1, or Oct 1. 3. If you want, specify a "snap to" time unit; this indicates the nearest or latest time to which your time amount rounds down. A relative time modifier is also allowed to contain only a "snap to" time unit. If you don't specify a "snap to" time unit, Splunk snaps automatically to the second. Separate the time amount from the "snap to" time unit with an "@" character. You can use any of time units listed in Step 2. Additionally, you can "snap to" a specific day of the week, such as last Sunday or last Monday. To do this, use @w0 for Sunday, @w1 for Monday, etc. Important: When snapping to the nearest or latest time, Splunk always snaps backwards or rounds down to the latest time not after the specified time. For example, if it is 11:59:00 and you "snap to" hours, you will snap to 11:00 not 12:00. Important: If you don't specify a time offset before the "snap to" amount, Splunk interprets the time as "current time snapped to" the specified amount. For example, if it is currently 11:59 PM on Friday and you use @w6 to "snap to Saturday", the resulting time is the previous Saturday at 12:01 AM.
This approach might be what you are looking for: