I have data that needs to be evaluated over periods that end on 5-minute boundaries.
I would like to be able to snap to a search end time that ends on an even 5 minute increment like this:
search ABC earliest=-2h@h latest=[most recent 5 minute increment] | .....
So if this search were run at 13:57:33 the actual time range would be from 11:00:00 to 13:55:00
I have tried all sorts of permutations like latest=h@5m (not valid syntax) but they are not producing the desired results of ending on an even (12:55:00) time boundary.
I would appreciate thoughts on how best to accomplish this.
After a bit of poking around, this syntax works:
search ABC earliest=-2h@h [ stats count | eval latest=(floor(now()/300))*300 | fields latest ] | ...
The extra parentheses around the floor function cause it to no longer work. So it should now be ...
search ABC earliest=-2h@h [ stats count | eval latest=floor(now()/300)*300 | fields latest ] | ...
However, I think for newer Splunk this is better and looks easier to read ...
search ABC earliest=-2h@h latest=[makeresults | eval snap=floor(now()/300)*300 | return $snap] | ...
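The following is an added illustration, not code from the thread or from Splunk: it reproduces the `floor(now()/300)*300` arithmetic of the subsearch above in Python so that the window it produces can be checked against the clock times quoted in the question (run at 13:57:33, expected range 11:00:00 to 13:55:00). It also goes one step beyond the thread by showing where a plain epoch floor diverges from Splunk's `@h` snapping: `@h` snaps on the clock of the search's timezone, and a pure `floor(epoch/3600)*3600` only agrees with that when the UTC offset is a whole number of hours. The date, the `IST` zone and all function names are constructed for the example.

```python
from datetime import datetime, timezone, timedelta

# Added illustration (not from the original thread). The SPL subsearch in the
# thread computes latest=floor(now()/300)*300; this mirrors that arithmetic and
# contrasts it with snapping on a local clock, which is what @h does.


def snap_down(epoch: int, increment_s: int) -> int:
    """floor(epoch / increment) * increment, the same arithmetic as the SPL eval."""
    return (epoch // increment_s) * increment_s


def snap_down_local(epoch: int, increment_s: int, tz) -> int:
    """Snap to a boundary of the local clock in tz (what earliest=...@h does).

    Shift by the UTC offset, snap, shift back. Agrees with snap_down whenever
    the offset is itself a multiple of increment_s (true for 300 s in every
    real zone; false for 3600 s in half-hour-offset zones such as UTC+05:30).
    """
    offset = int(datetime.fromtimestamp(epoch, tz).utcoffset().total_seconds())
    return snap_down(epoch + offset, increment_s) - offset


def search_window(now_epoch: int, tz=timezone.utc, earliest_offset_s: int = 2 * 3600,
                  earliest_snap_s: int = 3600, latest_snap_s: int = 300):
    """Return (earliest, latest) as epoch seconds.

    earliest mirrors earliest=-2h@h: apply the offset first, then snap to the
    hour on the local clock. latest mirrors the subsearch: epoch floor to 300 s.
    """
    earliest = snap_down_local(now_epoch - earliest_offset_s, earliest_snap_s, tz)
    latest = snap_down(now_epoch, latest_snap_s)
    return earliest, latest


def parse_ts(text: str, tz=timezone.utc) -> int:
    """'YYYY-MM-DD HH:MM:SS' read on the clock of tz -> epoch seconds."""
    return int(datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz).timestamp())


def fmt_ts(epoch: int, tz=timezone.utc) -> str:
    """Epoch seconds -> 'YYYY-MM-DD HH:MM:SS' on the clock of tz."""
    return datetime.fromtimestamp(epoch, tz).strftime("%Y-%m-%d %H:%M:%S")


# Constructed zone with a half-hour UTC offset, to show where the two snaps differ.
IST = timezone(timedelta(hours=5, minutes=30))


if __name__ == "__main__":
    # Constructed date; the question only quotes the clock time 13:57:33.
    now = parse_ts("2024-03-05 13:57:33")
    earliest, latest = search_window(now)
    print(fmt_ts(earliest), "->", fmt_ts(latest))  # 2024-03-05 11:00:00 -> 2024-03-05 13:55:00
```

The `latest` side is safe to compute as a bare epoch floor because every real UTC offset is a multiple of 5 minutes; the `earliest=-2h@h` side is left to Splunk's own snapping in the thread's SPL, and `snap_down_local` shows why that is the right choice when the search timezone is not a whole-hour offset.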
Is there any other way to achieve this in the latest versions of Splunk?
Thanks