Snap to half hour?

Question

I fairly often schedule my searches

earliest=-1h@h latest=@h

so that I know that whatever time it actually ends up getting run, it will always cover exactly the 60 minutes of the previous hour.

Is it possible to do the same thing for every half hour

Answer 1

5

You can either add to earliest or subtract from latest:

Second half of previous hour...

earliest=-1h@h+30m latest=@h

First half of previous hour...

earliest=-1h@h latest=@h-30m

link

answered 24 May '11, 12:20

bwooden ♦
2.9k●1●3●10
accept rate: 37%

edited 24 May '11, 12:25

While that definitely taught me something about the snap-to (I didn't know you could do math on the right-handside (and I don't see anything in the docs that imply that you can)), it doesn't really get me what I was looking for, which was to snap to the previous half-hour. With the math, I can schedule either the first or last half hour of the previous hour, but I really just want the previous half hour.

(24 May '11, 13:36) mslvrstn

Answer 2

You should be able to do that:

http://www.splunk.com/base/Documentation/latest/User/ChangeTheTimeRangeOfYourSearch

Syntax for relative time modifiers

You can define the relative time in your search with a string of characters that indicate time amount (integer and unit) and, optionally, a "snap to" time unit: [+|-]<time_integer><time_unit>@<time_unit>. Also, when specifying relative time, you can use now to refer to the current time.

1. Begin your string with a plus (+) or minus (-) to indicate the offset of the time amount.

2. Define your time amount with a number and a unit; the supported time units are:

    second: s, sec, secs, second, seconds
    minute: m, min, minute, minutes
    hour: h, hr, hrs, hour, hours
    day: d, day, days
    week: w, week, weeks
    month: mon, month, months
    quarter: q, qtr, qtrs, quarter, quarters
    year: y, yr, yrs, year, years

When specifying single time amounts, the number one is implied; 's' is the same as '1s', 'm' is the same as '1m', etc.

Note: The abbreviations w0, w1, w2, w3, w4, w5 and w6 are reserved for specifying "snap to" days of the week; where w0 is Sunday, w1 is Monday, etc. When you snap to a week, @w or @week, it is equivalent to snapping to Sunday or @w0.

Note: When you specify @q, @qtr, or @quarter, it snaps to the beginning of the most recent quarter: Jan 1, Apr 1, July 1, or Oct 1.

3. If you want, specify a "snap to" time unit; this indicates the nearest or latest time to which your time amount rounds down. A relative time modifier is also allowed to contain only a "snap to" time unit.

If you don't specify a "snap to" time unit, Splunk snaps automatically to the second.

Separate the time amount from the "snap to" time unit with an "@" character. You can use any of time units listed in Step 2. Additionally, you can "snap to" a specific day of the week, such as last Sunday or last Monday. To do this, use @w0 for Sunday, @w1 for Monday, etc.

Important: When snapping to the nearest or latest time, Splunk always snaps backwards or rounds down to the latest time not after the specified time. For example, if it is 11:59:00 and you "snap to" hours, you will snap to 11:00 not 12:00.

Important: If you don't specify a time offset before the "snap to" amount, Splunk interprets the time as "current time snapped to" the specified amount. For example, if it is currently 11:59 PM on Friday and you use @w6 to "snap to Saturday", the resulting time is the previous Saturday at 12:01 AM.

Snap to half hour?

Follow this question

Splunk Resources

Related questions