I want to run a query with a rolling time span (rolling every minute) and count events in the last 1 hour relative to the current minute.
I am trying to run this query:
Search query | bin _time span=(now(), "-1h") | stats range(_time) AS Range, latest(_time) AS Latest count BY A, B, C, date_hour
but of course span does not accept negative values.
Example:
10:04 - xxxxx
10:06 - xxxxx
10:09 - xxxxx
10:16 - xxxxx
11:07 - xxxxx
11:14 - xxxxx
So if my current time is 11:08 and I say "count events for the last 1 hour from now", it should count in the time range 10:08 - 11:08, so that the count value is 3. If I simply use bin _time span=1h, it would return a count value of 4 for the 10th hour and 2 for the 11th hour.
So basically I want my time span to roll each minute and then get a count for exactly the last 60 minutes (1 hr).
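As an added illustration (not part of the question or of any answer on the page), the Python below reproduces the two counting schemes the question contrasts over the sample timestamps above: a rolling 60-minute window evaluated at whole-minute boundaries versus fixed clock-hour buckets (what bin _time span=1h produces). The event list, the day date, and the grouping values for A, B and C are constructed for the example; the stats mirror the question's count, latest(_time) and range(_time).

```python
from collections import Counter
from datetime import datetime, timedelta

KEY_FIELDS = ("A", "B", "C")


def at(hour, minute, second=0):
    """Constructed timestamp on a fixed sample day (the question gives times only)."""
    return datetime(2024, 1, 1, hour, minute, second)


# Constructed sample events: the minutes from the question, with hypothetical
# values for the question's BY fields A, B, C.
SAMPLE_EVENTS = [
    {"_time": at(h, m), "A": "app1", "B": "host1", "C": "ok"}
    for h, m in [(10, 4), (10, 6), (10, 9), (10, 16), (11, 7), (11, 14)]
]


def snap_to_minute(t):
    """Drop seconds so 'now' advances in whole-minute steps (the rolling grain)."""
    return t.replace(second=0, microsecond=0)


def rolling_stats(events, now, window=timedelta(hours=1), key_fields=KEY_FIELDS):
    """
    Count events whose _time falls in [now - window, now), with 'now' snapped
    to the minute, grouped by key_fields. Also reports latest(_time) and
    range(_time) in seconds per group, as the question's stats clause does.
    """
    end = snap_to_minute(now)
    start = end - window
    groups = {}
    for e in events:
        if not (start <= e["_time"] < end):
            continue
        key = tuple(e[k] for k in key_fields)
        g = groups.setdefault(key, {"count": 0, "earliest": e["_time"], "latest": e["_time"]})
        g["count"] += 1
        g["earliest"] = min(g["earliest"], e["_time"])
        g["latest"] = max(g["latest"], e["_time"])
    return {
        key: {
            "count": g["count"],
            "latest": g["latest"],
            "range_seconds": int((g["latest"] - g["earliest"]).total_seconds()),
        }
        for key, g in groups.items()
    }


def hourly_bin_counts(events, key_fields=KEY_FIELDS):
    """Fixed clock-hour buckets keyed by (date_hour, A, B, C): the span=1h view."""
    counts = Counter()
    for e in events:
        counts[(e["_time"].hour,) + tuple(e[k] for k in key_fields)] += 1
    return dict(counts)


def rolling_series(events, first, last, window=timedelta(hours=1), key_fields=KEY_FIELDS):
    """Evaluate the rolling window at every minute from first to last inclusive."""
    series = {}
    t = snap_to_minute(first)
    last = snap_to_minute(last)
    while t <= last:
        series[t] = rolling_stats(events, t, window, key_fields)
        t += timedelta(minutes=1)
    return series


if __name__ == "__main__":
    print("rolling 60 min at 11:08:", rolling_stats(SAMPLE_EVENTS, at(11, 8)))
    print("fixed hourly bins:", hourly_bin_counts(SAMPLE_EVENTS))
    for t, stats in rolling_series(SAMPLE_EVENTS, at(11, 5), at(11, 10)).items():
        print(t.strftime("%H:%M"), {k: v["count"] for k, v in stats.items()})
```

At 11:08 the rolling window yields 3 (10:09, 10:16, 11:07) while the hourly buckets yield 4 for hour 10 and 2 for hour 11, which is exactly the discrepancy the question describes. The window is half-open, so an event stamped exactly at the current minute is not yet counted; in Splunk the equivalent minute-snapped window is expressed with the time modifiers earliest=-60m@m latest=@m on the search rather than with bin.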