Hi Everyone,
I need your help to resolve an issue.
I need the time frame for the base search of my dashboard to be 30 minutes.
Meaning, if the present time is 2:25, the base search should run for 2:00 to 2:25, and if the present time is 2:39, the base search should run for 2:30 to 2:39.
Is the above scenario possible?
Please help me out.
Thanks in Advance.
Nikks
Hi @nilaksh92,
Can you please try the sample search below? I have used index=_internal as a sample search, so change it as per your requirement.
index=_internal earliest=-30m latest=now | eval date_minute=strftime(_time,"%M") | eval flag=date_minute/30, num=if(date_minute<30,0,1) | where flag=num | stats min(_time) as MINI max(_time) as MAXI | eval MINI=strftime(MINI,"%d/%m/%Y %I:%M:%S:%p") | eval MAXI=strftime(MAXI,"%d/%m/%Y %I:%M:%S:%p")
This search will return the start time and end time.
If you want to use this 30-minute rolling window for all panels, then use the search block below and use MyEarliest as the earliest time in all panels.
<search>
<query>index=_internal | eval flag=date_minute/30 ,num=if(date_minute<30,0,1) | where flag=num | stats min(_time) as MINI</query>
<earliest>-30m</earliest>
<latest>now</latest>
<preview>
<set token="MyEarliest">$result.MINI$</set>
</preview>
</search>
I hope it will help you.
Happy Splunking
Thanks Kamlesh 🙂
To get the last 30 minutes, it is just
earliest=-30m latest=now
Looking at your examples, you are actually describing snapping to the last multiple of 30 minutes. The search below should give you what you want:
| makeresults | eval latest=_time, minutes=strftime(_time, "%M"), earliest=relative_time(_time, "@h".case(minutes==0, "-30m", minutes<=30, "", 1=1, "+30m"))
| eval latest=strftime(latest, "%Y-%m-%d %H:%M:%S"), earliest=strftime(earliest, "%Y-%m-%d %H:%M:%S")
Example usage
Your search [| makeresults | eval latest=_time, minutes=strftime(_time, "%M"), earliest=relative_time(_time, "@h".case(minutes==0, "-30m", minutes<=30, "", 1=1, "+30m")) | table latest, earliest]
Note this is a very weird use case.
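The two answers above compute the window inside SPL. The Python below is an added example, not code from either poster, that does the same snapping outside Splunk (for instance when a script drives the search through the REST API and must pass absolute earliest=/latest= epoch values). It implements both the plain floor to the last :00/:30 boundary that the question asks for and the exact behaviour of the case() expression in the relative_time answer, so the edge at exactly :00 or :30 can be compared. The index name, the 2024-01-01 UTC sample clock readings and the helper names are assumptions made for this example.

```python
from __future__ import annotations

from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=30)


def _require_aware(now: datetime) -> None:
    # Epoch values are ambiguous for naive datetimes, so refuse them up front.
    if now.tzinfo is None:
        raise ValueError("use a timezone-aware datetime so epoch values are unambiguous")


def snap_to_half_hour(now: datetime) -> datetime:
    """Floor `now` to the most recent :00 or :30 boundary.

    2:25 -> 2:00 and 2:39 -> 2:30, which is what the question asked for.
    At exactly 2:30 this returns 2:30, i.e. an empty window.
    """
    _require_aware(now)
    return now.replace(minute=(now.minute // 30) * 30, second=0, microsecond=0)


def snap_like_case_expression(now: datetime) -> datetime:
    """Reproduce the case() logic from the relative_time answer in the thread.

    "@h" snaps to the top of the hour; "-30m" or "+30m" is appended depending on
    the current minute. At exactly minute 0 or 30 this steps back one full
    boundary (2:30 -> 2:00, 2:00 -> 1:30) instead of producing an empty window.
    Only the minute is inspected, so 2:30:45 also rolls back to 2:00.
    """
    _require_aware(now)
    hour_start = now.replace(minute=0, second=0, microsecond=0)
    if now.minute == 0:
        return hour_start - WINDOW
    if now.minute <= 30:
        return hour_start
    return hour_start + WINDOW


def window_bounds(now: datetime, roll_back_on_boundary: bool = False) -> tuple[int, int]:
    """Return (earliest, latest) as Unix epoch seconds for use as earliest=/latest=."""
    snap = snap_like_case_expression if roll_back_on_boundary else snap_to_half_hour
    return int(snap(now).timestamp()), int(now.timestamp())


def base_search(index: str, now: datetime, roll_back_on_boundary: bool = False) -> str:
    """Build the SPL base search with absolute epoch bounds (index name is an assumption)."""
    earliest, latest = window_bounds(now, roll_back_on_boundary)
    return f"search index={index} earliest={earliest} latest={latest}"


def at(hh: int, mm: int) -> datetime:
    """Constructed sample clock reading on 2024-01-01 UTC (fixture, not real data)."""
    return datetime(2024, 1, 1, hh, mm, tzinfo=timezone.utc)


if __name__ == "__main__":
    for hh, mm in [(2, 25), (2, 39), (2, 30), (2, 0)]:
        t = at(hh, mm)
        print(t.strftime("%H:%M"), "-> floor:", snap_to_half_hour(t).strftime("%H:%M"),
              "| case() variant:", snap_like_case_expression(t).strftime("%H:%M"))
    print(base_search("_internal", at(2, 25)))
```

Passing absolute epoch bounds rather than `-30m` also pins the window to the moment the script ran, so panels or scheduled jobs that start a few seconds apart all query the same interval.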