Splunk® Enterprise

Search Manual

Download manual as PDF

Download topic as PDF

Use time to find nearby events

The Splunk Web timeline and time ranges for search are based on event timestamps.

While searching for errors or troubleshooting an issue, looking at events that happened around the same time can help correlate results and find the root cause. This topic discusses how you can search for surrounding events using an event's timestamp and using the timeline.

Use time accelerators

The _time field represents the timestamp of an event. When you run a search to retrieve events, the timestamp for each event is listed under the Time column.

You can click the timestamp of an event and open a dialog box containing controls, called a _time accelerator. Use the _time accelerator to run a new search that retrieves events chronologically close to that event.

6.2 time accelerators.png

You can search for events that occurred before the time, after the time, or at the time of the selected event's timestamp. Some examples are: +/- 30 seconds, +/- 1 hour, +/- 5 seconds, and so on.

Use the timeline

The timeline is a histogram of the number of events returned by a Splunk search over a chosen time range. The time range is broken up into smaller time intervals (such as seconds, minutes, hours, or days), and the count of events for each interval is displayed as a column.

The location of each column on the timeline corresponds to an instance when the events that match your search occurred. If there are no columns at a time period, no events were found then. The taller the column, the more events occurred at that time.

Spikes in the number of events or no events along the timeline can indicate time periods that you want to investigate.

The timeline has drilldown functionality similar to the table and chart drilldown. When you click on a column in the timeline, your search results update to show only the events represented by the column. If you double-click on a column, you re-run the search over the time range represented by the column. Then, you can search for all surrounding events at this time range.

PREVIOUS
Specify time ranges for real-time searches
  NEXT
About subsearches

This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.5.0, 6.5.1, 6.5.1612 (Splunk Cloud only), 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.6.0, 6.6.1, 6.6.2, 6.6.3


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters