Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

I have an stats result that has a latest(_time) in the config and want to only include items where the latest is N minutes old

leonardr
New Member
‎09-23-2015 12:08 PM

index=product_iround_prod Level=INFO Message="Form Synchronizer complete" | stats latest(_time) AS timestamp, latest(RecordsProcessed) AS RecordCount by ProfileName FormName | convert ctime(timestamp) | sort timestamp asc

how do I filter this down to where the latest is older than say 15 minutes ago ?

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcato
Contributor
‎09-23-2015 05:17 PM

Hi leonardr,

Try this

.. | eval mins_back = relative_time(now(), "-15m@m") | where timestamp >= mins_back
|  convert ctime(timestamp)  | sort timestamp asc

Note that timestamp value must still be in epoch time (matching mins_back) for the where to work. Also the where is greater than equal so maybe not exactly what you want. If you want to match a time string exactly then this can get a bit more tricky. Maybe provide some examples if you need more help.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

gcato
Contributor
‎09-23-2015 05:17 PM

Hi leonardr,

Try this

.. | eval mins_back = relative_time(now(), "-15m@m") | where timestamp >= mins_back
|  convert ctime(timestamp)  | sort timestamp asc

Note that timestamp value must still be in epoch time (matching mins_back) for the where to work. Also the where is greater than equal so maybe not exactly what you want. If you want to match a time string exactly then this can get a bit more tricky. Maybe provide some examples if you need more help.

0 Karma
Reply
Solved! Jump to solution

leonardr
New Member
‎09-24-2015 06:04 AM

Awesome thank you !

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...