Documentation > Splunk > Search Reference > Time modifiers for search

Search Reference

 


Welcome
Search Overview
Search Commands
Custom Search Commands

Time modifiers for search

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Contents

Time modifiers for search

You can use time modifiers to customize the time range of a search by specifying a time to start or stop, or change the format of the timestamps in the search results.

For 4.x, we recommend using the "earliest" and/or "latest" attributes to specify custom time ranges. For example, earliest=-60m for "60 minutes ago". For more information about customizing your search window, see "Change the time range to narrow your search" in the Search and Investigate chapter of the User manual.

Important: These search time modifiers are still valid, BUT may be removed and their function no longer supported in a future release.

List of time modifiers

Modifier Syntax Description
daysago daysago=<int> Search events within the last integer number of days.
enddaysago enddaysago=<int> Set an end time for an integer number of days before now.
endhoursago endhoursago=<int> Set an end time for an integer number of hours before now.
endminutesago endminutesago=<int> Set an end time for an integer number of minutes before now.
endmonthsago endmonthsago=<int> Set an end time for an integer number of months before now.
endtime endtime=<string> Search for events before the specified time (exclusive of the specified time). Use timeformat to specify how the timestamp is formatted.
hoursago hoursago=<int> Search events within the last integer number of hours.
minutesago minutesago=<int> Search events within the last integer number of minutes.
monthsago monthsago=<int> Search events within the last integer number of months.
searchtimespandays searchtimespandays=<int> Search within a specified range of days (expressed as an integer).
searchtimespanhours searchtimespanhours=<int> Search within a specified range of hours (expressed as an integer).
searchtimespanminutes searchtimespanminutes=<int> Search within a specified range of minutes (expressed as an integer).
searchtimespanmonths searchtimespanmonths=<int> Search within a specified range of months (expressed as an integer).
startdaysago startdaysago=<int> Search the specified number of days before the present time (expressed as an integer).
starthoursago starthoursago=<int> Search the specified number of hours before the present time (expressed as an integer).
startminutesago startminutesago=<int> Search the specified number of minutes before the present time (expressed as an integer).
startmonthsago startmonthsago=<int> Search the specified number of months before the present time (expressed as an integer).
starttime starttime=<timestamp> Search from the specified date and time to the present (inclusive of the specified time).
startimeeu starttimeeu=<timestamp> Search from the specified date and time to the present (expressed in European datetime format).
timeformat timeformat=<string> Set the timeformat for the starttime and endtime modifiers. By default: timeformat=%m/%d/%Y:%H:%M:%S
Retrieved from "http://docs.splunk.com/Documentation/Splunk/4.0.1/SearchReference/SearchTimeModifiers"

This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9 , 4.0.10 , 4.0.11 View the Article History for its revisions.


You must be logged into splunk.com in order to post comments. Log in now.

Was this documentation topic helpful?

If you'd like to hear back from us, please provide your email address:

We'd love to hear what you think about this topic or the documentation as a whole. Feedback you enter here will be delivered to the documentation team.

Feedback submitted, thanks!