Hi,
I want to snap to 10 minutes.
I know how to snap to an hour for example:
... | eval _time=relative_time(_time,"@h")
However, this doesn't work for 10 minutes time. Is there any other way to do it?
Thanks
You're probably looking for the bin/bucket command:
It "bins" values into discrete sets (or buckets).
This should do it.
... | bin _time span=10m | ...
John
Making time snap to the next 10th minute
| makeresults
| eval now = now()
| eval now_snapped_to_next_10th_min = relative_time(now(),
[| makeresults
| eval now = now()
| convert ctime(now)
| rex field=now "\d(?<min>\d)\:(?:\d{2})$"
| eval min = 10 - min
| eval min = if(min == 10, 0, min)
| eval adder = "\"+" . tostring(min) . "m@m\""
| return $adder])
| convert ctime(now*) timeformat="%F %X"
This might be what you are looking for:
http://answers.splunk.com/answers/99161/snap-to-5-minute-increments-in-timerange