I am attempting to create a macro that allows searchers to pass a specific time into a search command that will locate the top 3 matching events that are closest to that specific time, snapped to the minute. That is, if a user passes 10/02/2015:14:30:0, and there are matching events at 14:23, 14:25, 14:31, 14:32, and 14:35, I want it to return the events at 14:25, 14:31, and 14:32.
As a preliminary step, I tried to run a basic search looking for all events within 30 minutes of the specified time, and I'm having trouble even reaching that point. I've tried using earliest=relative_time($time$, "-30m"), but am getting syntax errors that suggest to me that Splunk doesn't like to be handed specific times in the relative_time function.
Any suggestions for finding events close to a specific time (including formats that I need to use to pass specific times to the macro) would be much appreciated. Even more appreciated would be additional suggestions for locating the top events closest to that time, snapped to the minute.
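One search that does what the question describes, added here as an illustration rather than taken from the original post or from any reply to it. It assumes a hypothetical `index=main sourcetype=my_events` and hard-codes the requested time in place of the macro's `$time$` argument. The point worth knowing is that `earliest` and `latest` take literal values, not `eval` expressions, so the 30-minute window is written out as two absolute timestamps in Splunk's default `%m/%d/%Y:%H:%M:%S` format (the same format the macro caller should pass); the distance to the target is then computed per event after each `_time` has been snapped to its minute, and the three smallest distances are kept, breaking ties in favour of the earlier event (which is what puts 14:25 ahead of 14:35 in the example from the question):

```spl
index=main sourcetype=my_events earliest="10/02/2015:14:00:00" latest="10/02/2015:15:00:00"
| eval target=strptime("10/02/2015:14:30:00", "%m/%d/%Y:%H:%M:%S")
| eval snapped=floor(_time/60)*60
| eval dist=abs(snapped - target)
| sort dist, _time
| head 3
| table _time dist _raw
```

If the macro is only handed the target time and not a window, the alternative is to search a fixed wider range (for example `earliest=-24h`) and filter with `| where abs(_time - target) <= 1800` after the `eval`; that is simpler to call but scans far more data, so prefer passing `earliest`/`latest` literals when the caller can supply them.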