Time modifiers

Time modifiers

Use time modifiers to adjust the time range of a search, specify a time to start or stop a search, or change the timestamp format of search results.

daysago

Search events within the last N days.

Syntax

daysago=integer

Arguments

integer

Integer number of days.

enddaysago

Set an end time (in days) that is = now - number specified.

Syntax

enddaysago=integer

Arguments

integer

Integer number of days.

endhoursago

Set an end time (in hours) that is = now - number specified.

Syntax

endhoursago=integer

Arguments

integer

Integer number of hours.

endminutesago

Set an end time (in minutes) that is = now - number specified.

Syntax

endminutesago=integer

Arguments

integer

Integer number of minutes.

endmonthsago

Set an end time (in months) that is = now - number specified.

Syntax

endmonthsago=integer

Arguments

integer

Integer number of months.

endtime

Search for events before the specified time (exclusive of the specified time).

Use timeformat to set the time format to use. For example: if timeformat=%m/%d/%Y:%H:%M:%S, then endtime=09/07/1978:09:00:00, and all results are before that time.

Syntax

endtime=string

Arguments

string

Specified time in the time stamp format specified by timeformat.

hoursago

Search events within the last N hours.

Syntax

hoursago=integer

Arguments

integer

Integer number of hours.

minutesago

Search events within the last N minutes.

Syntax

minutesago=integer

Arguments

integer

Integer number of minutes.

monthsago

Search events within the last N months.

Syntax

monthsago=integer

Arguments

integer

Integer number of months.

searchtimespandays

Search within a specified range of days (expressed as an integer).

Syntax

searchtimespandays=integer

Arguments

integer

Integer number of days.

searchtimespanhours

Search within a specified range of hours (expressed as an integer).

Syntax

searchtimespanhours=integer

Arguments

integer

Integer number of hours.

searchtimespanminutes

Search within a specified range of minutes (expressed as an integer).

Syntax

searchtimespanminutes=integer

Arguments

integer

Integer number of minutes.

searchtimespanmonths

Search within a specified range of months (expressed as an integer).

Syntax

searchtimespanmonths=integer

Arguments

integer

Integer number of months.

startdaysago

Search the specified number of days ago from the present time (expressed as an integer).

Syntax

startdaysago=integer

Arguments

integer

Integer number of days.

starthoursago

Search the specified number of hours ago from the present time (expressed as an integer).

Syntax

starthoursago=integer

Arguments

integer

Integer number of hours.

startminutesago

Search the specified number of minutes ago from the present time (expressed as an integer).

Syntax

startminutesago=integer

Arguments

integer

Integer number of minutes.

startmonthsago

Search the specified number of months ago from the present time (expressed as an integer).

Syntax

startmonthsago=integer

Arguments

integer

Integer number of months.

starttime

Search from the specified date and time to the present (inclusive of the specified time).

Syntax

starttime=timestamp

Arguments

timestamp

Time (in timestamp format ie: %m/%d/%Y:%H:%M:%S) to set your search to start on.

starttimeeu

Search from the specified date and time to the present expressed in European date/time format.

Syntax

starttimeeu=timestamp

Arguments

timestamp

Time (in european timestamp format ie: %d/%m/%Y:%H:%M:%S) to set your search to start on.

timeformat

Set time format for the starttime and endtime modifiers.

Note: Splunk searches have the default time format of: %m/%d/%Y:%H:%M:%S.

Syntax

timeformat=string

Arguments

string =

%m/%d/%Y:%H:%M:%S (default = %m/%d/%Y:%H:%M:%S).

• Was this topic useful?
• Post a comment