Change the time range to narrow your search
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Contents
Change the time range to narrow your search
With more flexible time range options, you can build more useful reports to compare historical data. For example, you may want to see how your system performs today, compared to yesterday and the day before. Also, you may only be interested in analyzing data during relevant time periods, such as Web traffic during business hours.
This topic discusses how to apply absolute and relative time ranges to your search using:
- the time range menu.
- search attributes earliest and latest.
Select time ranges to apply to your search
The time range menu includes options for specifying exact times in your search: Specific date, All dates after, All dates before, and Date range. When you select one of these options, a calendar module opens and you can type in a specific date and time or select it from the calendar.
For example, if you were interested in only events that occurred during the second business quarter, April through June, you might select the date range:
The time range menu indicates the date range that you selected. Notice also that the flash timeline only shows the selected date range:
Specify absolute time ranges in your search
When searching or saving a search, you can specify time ranges using the following attributes:
earliest=<time_modifier> latest=<time_modifier>
For exact time ranges, the syntax of time_modifier is: %m/%d/%Y:%H:%M:%S. For example, to specify a time range from 12AM October 19, 2009 to 12AM October 27, 2009:
earliest=10/19/2009:0:0:0 latest=10/27/2009:0:0:0If you specify only the "earliest" attribute, "latest" is set to the current time (now) by default. In general, you won't specify "latest" without an "earliest" time.
Important: When you specify a time range in your search or saved search, it overrides the time range that is selected in the dropdown menu. However, the time range specified directly in the search string will not apply to subsearches (but the dropdown selected range will apply).
Specify relative time ranges in your search
You can also use the earliest and latest attributes to specify relative time ranges in your search.
Syntax for relative time modifiers
You can define the relative time in your search with a string of characters that indicate time amount and, optionally, a "snap to" time unit. A relative time modifier is also allowed to contain only a "snap to" time unit. Finally, a special value of "now" is allowed to refer to the current time.
1. Begin your string with a plus (+) or minus (-) to indicate the offset of the time amount.
2. Define your time amount with a number and a unit; the supported time units are:
- s, sec, secs, second, seconds
- m, min, minute, minutes
- h, hr, hrs, hour, hours
- d, day, days
- mon, month, months
- y, yr, yrs, year, years
When specifying single time amounts, the number one is implied; 's' is the same as '1s', 'm' is the same as '1m', etc.
There is no abbreviation for weeks; w is not a quantity (although 7d is perfectly valid). However, w0, w1, w2, w3, w4, w5 and w6 are reserved for specifying "snap to" days of the week; where w0 is Sunday, w1 is Monday, etc.
3. If you want, specify a "snap to" time unit; this indicates the nearest or latest time to which your time amount rounds down. If you don't specify a "snap to" time unit, Splunk snaps automatically to the second.
Separate the time amount from the "snap to" time unit with an "@" character. You can use any of time units listed in Step 2. Additionally, you can "snap to" a specific day of the week, such as last Sunday or last Monday. To do this, use @w0 for Sunday, @w1 for Monday, etc.
Important: When snapping to the nearest or latest time, Splunk always snaps backwards or rounds down to the latest time not after the specified time. For example, if it is 11:59:00 and you "snap to" hours, you will snap to 11:00 not 12:00.
Important: If you don't specify a time offset before the "snap to" amount, Splunk interprets the time as "current time snapped to" the specified amount. For example, if it is currently 11:59 PM on Friday and you use @w6 to "snap to Saturday", the resulting time is the previous Saturday at 12:01 AM.
Examples of relative time modifiers
For these examples, the current time is Wednesday, 05 February 2009, 01:37:05 PM. Also note that 24h is usually but not always equivalent to 1d because of Daylight Savings Time boundaries.
| Time modifier | Description | Resulting time | Equivalent modifiers |
|---|---|---|---|
| now | Now, the current time | Wednesday, 05 February 2009, 01:37:05 PM | +0, −0 |
| −60m | 60 minutes ago | Wednesday, 05 February 2009, 12:37:00 PM | −60m@s |
| −1h@h | 1 hour ago, to the hour | Wednesday, 05 February 2009, 12:00:00 PM | |
| −1d@d | Yesterday | Tuesday, 04 February 2009, 12:00:00 AM | |
| −24h | 24 hours ago (yesterday) | Tuesday, 04 February 2009, 01:37:05 PM | −24h@s |
| −7d@d | 7 days ago, 1 week ago today | Wednesday, 28 January 2009, 12:00:00 AM | |
| −7d@m | 7 days ago, snap to minute boundary | Wednesday, 28 January 2009, 01:37:00 PM | |
| @w0 | Beginning of the current week | Sunday, 02 February 2009, 12:00:00 AM | |
| +1d@d | Tomorrow | Thursday, 06 February 2009, 12:00:00 AM | |
| +24h | 24 hours from now, tomorrow | Thursday, 06 February 2009, 01:37:05 PM | +24h@s |
Examples of searches with relative time modifiers
Example 1: Web access errors from the beginning of the week to the current time of your search (now).
eventtype=webaccess error earliest=@w0This search returns matching events starting from 12:00 AM of the Sunday of the current week to the current time. Of course, this means that if you run this search on Monday at noon, you will only see events for 36 hours of data.
Example 2: Web access errors from the current business week (Monday to Friday).
eventtype=webaccess error earliest=@w1 latest=+7d@w6This search returns matching events starting from 12:00 AM of the Monday of the current week and ending at 11:59 PM of the Friday of the current week.
If you run this search on Monday at noon, you will only see events for 12 hours of data. Whereas, if you run this search on Friday, you will see events from the beginning of the week to the current time on Friday. The timeline however, will display for the full business week.
Example 3: Web access errors from the last full business week.
eventtype=webaccess error earliest=-7d@w1 latest=@w6This search returns matching events starting from 12:00 AM of last Monday and ending at 11:59 PM of last Friday.
Customize the time ranges you can select
Splunk now ships with more built-in time ranges. Splunk administrators can also customize the set of time ranges that you view and select from the drop down menu when you search. For more information about configuring these new time ranges, see the times.conf reference in the Admin Manual.
This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9 , 4.0.10 , 4.0.11 View the Article History for its revisions.