How to write a search to not display the last buck...

ID_SplunkUser · ‎06-21-2016

I have a requirement in which I don't want to display the last bucket of data in the timechart.
Example: The bucket timespan is 5m. If I open my Dashboard at 11:02 am, the last bucket will contain data for only 2 minutes. I don't want to display this data in timechart.
Is there anyway to remove this last bucket data?

bandit · ‎04-09-2019

If the goal is not to show partial/incomplete buckets in you timechart, this option should work for your use case, partial=false.

| timechart partial=false

woodcock · ‎06-22-2016

Tack this onto your existing search:

... | eventstats max(_time) AS maxTime | where _time < maxTime | fields - maxTime

bandit · ‎04-09-2019

Thanks, @woodcock. Here's a variation to drop both first and last buckets.

| eventstats min(_time) as minTime max(_time) as maxTime 
| where _time > minTime AND _time < maxTime
| fields - minTime, maxTime

ID_SplunkUser · ‎06-23-2016

Thanks for replying. But it's not working & last bucket data is still shown in timechart.

woodcock · ‎06-23-2016

I tested it before I posted; it DEFINITELY works. If it is not working for you, then I will need to see your actual search which must be doing something unusual.

How to write a search to not display the last bucket of data in a timechart?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases