Splunk® Enterprise

Search Reference

Download manual as PDF

Download topic as PDF



The gentimes command is useful in conjunction with the map command.

Generates timestamp results starting with the exact time specified as start time. Each result describes an adjacent, non-overlapping time range as indicated by the increment value. This terminates when enough results are generated to pass the endtime value.

For example, the following search generates four intervals covering one day periods aligning with the calendar days October 1, 2, 3, and 4, during 2017.

| gentimes start=10/1/17 end=10/5/17

This command does not work for future dates.


| gentimes start=<timestamp> [end=<timestamp>] [increment=<increment>]

Required arguments

Syntax: start=<timestamp>
Description: Specify as start time.
Syntax: MM/DD/YYYY[:HH:MM:SS] | <int>
Description: Indicate the timeframe, for example: 10/1/2017 for October 1, 2017, 4/1/2017:12:34:56 for April 1, 2017 at 12:34:56, or -5 for five days ago.

Optional arguments

Syntax: end=<timestamp>
Description: Specify an end time.
Default: midnight, prior to the current time in local time
Syntax: increment=<int>(s | m | h | d)
Description: Specify a time period to increment from the start time to the end time.
Default: 1d


The gentimes command is a generating command and should be the first command in the search. Generating commands use a leading pipe character.


Example 1:

All hourly time ranges from December 1 to December 5 in 2017.

| gentimes start=12/1/17 end=12/5/17 increment=1h

Example 2:

All daily time ranges from 30 days ago until 27 days ago.

| gentimes start=-30 end=-27

Example 3:

All daily time ranges from April 1 to April 5 in 2017.

| gentimes start=4/1/17 end=4/5/17

Example 4:

All daily time ranges from September 25 to today.

| gentimes start=9/25/17

See also

makeresults, map


Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the gentimes command.


This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.1.0


On some (all?) versions of Splunk, "increment=1w" does not work (does the same thing as "increment=1d") and that should be fixed. When that is fixed, "increment=7d" should also be fixed so that the difference between "increment=7d" and "increment=1w" should be that the former's events have "endtime" values 1 day later than "starttime" and the latter should have "endtime" values 1 week later than "startttime"; otherwise they should be the same. It seems to me that the right thing to do is always use the "s/m/h/d/w" value to determine what the span from "starttime" to "endtime" should be in every case.

April 26, 2018

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters