Splunk® Enterprise

Search Manual


Specify time modifiers in your search

When searching or saving a search, you can specify absolute and relative time ranges using the following time modifiers:

earliest=<time_modifier>
latest=<time_modifier>

An absolute time range uses specific dates and times, for example, from 12 A.M. November 1, 2016 to 12 A.M. November 13, 2016.

A relative time range is dependent on when the search is run. For example, a relative time range of -60m means 60 minutes ago. If the current time is 3 P.M., the search returns events from the last 60 minutes, or 2 P.M. to 3 P.M. today.

The current time is referred to as Now.

Specify absolute time ranges

For exact time ranges, the syntax for the time modifiers is %m/%d/%Y:%H:%M:%S. For example, the following search specifies a time range from 12 A.M. October 19, 2016 to 12 A.M. October 27, 2016.

earliest=10/19/2016:0:0:0 latest=10/27/2016:0:0:0

If you specify only the earliest time modifier, latest is set to the current time Now by default. If you specify a latest time modifier, you must also specify an earliest time.

A time range that you specify in the Search bar, or in a saved search, overrides the time range that is selected in the time range picker.

[Image: the time range picker in the Search app, showing the default time range of "Last 24 hours".]

Note: Time ranges specified directly in the search do not apply to subsearches. Time ranges selected from the time range picker do apply to subsearches.

Specify relative time ranges

You define the relative time in your search by using a string of characters that indicate the amount of time. The syntax is an integer and a time unit.

1. Begin your string with a minus ( - ) or a plus ( + ) to indicate the offset before or after the time amount.

2. Specify the amount of time by using a number and a time unit. When you specify single time amounts, the number is implied. For example s is the same as 1s, m is the same as 1m, and so on. The supported time units are listed in the following table.

Time range   Valid values
seconds      s, sec, secs, second, seconds
minutes      m, min, minute, minutes
hours        h, hr, hrs, hour, hours
days         d, day, days
weeks        w, week, weeks
months       mon, month, months
quarters     q, qtr, qtrs, quarter, quarters
years        y, yr, yrs, year, years

When specifying relative time, use Now to refer to the current time.

Relative time modifiers that snap to a time

With relative time, you can specify a snap to time, which is an offset from the relative time. The snap to time unit rounds down to the nearest or latest time for the time amount that you specify. To do this, separate the time amount from the snap to time unit with an "@" character.

The syntax for the snap to time unit is [+|-]<time_integer><time_unit>@<time_unit>.

When snapping to the nearest or latest time, Splunk software always snaps backwards or rounds down to the latest time that is not after the specified time. For example, the current time is 15:45:00 and the snap to time is earliest=-h@h. The time modifier snaps to 14:00.

You can also define the relative time modifier using only the snap to time unit. For example, to snap to a specific day of the week, use @w0 for Sunday, @w1 for Monday, and so forth. For Sunday, you can specify either w0 or w7.

If you do not specify a snap to time unit, the search uses seconds as the snap to time unit.

The snap to option becomes very useful in a range of situations. For example, if you want to search for events in the previous month, specify earliest=-mon@mon latest=@mon. This example begins at the start of the previous month and ends at the start of the current month.

Difference between relative time and relative snap to time

On April 28th, you decide to run a search at 14:05.

  • If you specify earliest=-2d, the search goes back exactly two days, starting at 14:05 on April 26th.
  • If you specify earliest=-2d@d, the search goes back to two days and snaps to the beginning of the day. The search looks for events starting from 00:00 on April 26th.

Special time units

The following abbreviations are reserved for special cases of time units and snap time offsets.

earliest=1
    If you want to search events from the start of UTC epoch time, use earliest=1. (earliest=0 in the search string indicates that time is not used in the search.)
    When earliest=1 and latest=now or latest=<a large number>, the search runs over all time. The difference is that:
      • Specifying latest=now (which is the default) does not return future events.
      • Specifying latest=<a big number> returns future events, which are events that contain timestamps later than the current time, now.

latest=now
    Specify that the search starts or ends at the current time.

@q, @qtr, or @quarter
    Specify a snap to the beginning of the most recent quarter: Jan 1, Apr 1, July 1, or Oct 1.

w0, w1, w2, w3, w4, w5, w6, and w7
    Specify "snap to" days of the week, where w0 is Sunday, w1 is Monday, and so on. When you snap to a week, @w or @week, it is equivalent to snapping to Sunday or @w0. You can use either w0 or w7 for Sunday.

Examples of relative time modifiers

For these examples, the current time is Wednesday, 05 February 2017, 01:37:05 P.M. Also note that 24h is usually, but not always, equivalent to 1d because of Daylight Saving Time boundaries.

Time modifier   Description                          Resulting time                               Equivalent modifiers
now             Now, the current time                Wednesday, 05 February 2017, 01:37:05 P.M.   now
-60m            60 minutes ago                       Wednesday, 05 February 2017, 12:37:05 P.M.   -60m@s
-1h@h           1 hour ago, to the hour              Wednesday, 05 February 2017, 12:00:00 P.M.
-1d@d           Yesterday                            Tuesday, 04 February 2017, 12:00:00 A.M.
-24h            24 hours ago (yesterday)             Tuesday, 04 February 2017, 01:37:05 P.M.     -24h@s
-7d@d           7 days ago, 1 week ago today         Wednesday, 28 January 2017, 12:00:00 A.M.
-7d@m           7 days ago, snap to minute boundary  Wednesday, 28 January 2017, 01:37:00 P.M.
@w0             Beginning of the current week        Sunday, 02 February 2017, 12:00:00 A.M.
+1d@d           Tomorrow                             Thursday, 06 February 2017, 12:00:00 A.M.
+24h            24 hours from now, tomorrow          Thursday, 06 February 2017, 01:37:05 P.M.    +24h@s

Examples of chained relative time offsets

You can also specify offsets from the snap-to-time or "chain" together the time modifiers for more specific relative time definitions.

Time modifier   Description                                                                    Resulting time
@d-2h           Snap to the beginning of today (12 A.M.) and subtract 2 hours from that time.  10 P.M. last night
-mon@mon+7d     One month ago, snapped to the first of the month at midnight, and add 7 days.  The 8th of last month at 12 A.M.
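The grammar described above (optional leading offsets, an optional "@" snap unit, then chained offsets) worked through in code, including the @w1/@w6 business-week boundaries used in the search examples. This is an added example, not Splunk's own implementation: it evaluates a modifier against a constructed "now" (NOW, a Wednesday) with only the standard library, treats unknown unit names as errors, and does not model time zones or DST, so 24h always equals 1d here.

```python
import calendar
import re
from datetime import datetime, timedelta

UNITS = {alias: canon for canon, aliases in {     # every alias in the unit table
    "s": "s sec secs second seconds", "m": "m min minute minutes",
    "h": "h hr hrs hour hours", "d": "d day days", "w": "w week weeks",
    "mon": "mon month months", "q": "q qtr qtrs quarter quarters",
    "y": "y yr yrs year years"}.items() for alias in aliases.split()}
SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
MONTHS = {"mon": 1, "q": 3, "y": 12}               # months per calendar unit
OFFSETS = r"(?:[+-]\d*[a-z]+)*"                    # e.g. "-7d", "-mon+7d", "" (none)
GRAMMAR = re.compile(rf"(?P<head>{OFFSETS})(?:@(?P<snap>[a-z]+\d?)(?P<tail>{OFFSETS}))?")
NOW = datetime(2017, 2, 8, 13, 37, 5)              # constructed "now": a Wednesday

def add_months(dt, n):                             # whole months, day clamped to month length
    y, m0 = divmod(dt.year * 12 + dt.month - 1 + n, 12)
    return dt.replace(year=y, month=m0 + 1, day=min(dt.day, calendar.monthrange(y, m0 + 1)[1]))

def apply_offsets(dt, text):                       # [+|-]<n><unit>...; a missing number means 1
    for sign, num, unit in re.findall(r"([+-])(\d*)([a-z]+)", text):
        n, canon = (1 if sign == "+" else -1) * int(num or 1), UNITS[unit]
        if canon in MONTHS:
            dt = add_months(dt, n * MONTHS[canon])
        else:
            dt += timedelta(seconds=n * SECONDS[canon])
    return dt

def snap(dt, unit):                                # round down; never move forward in time
    canon = "w" if re.fullmatch(r"w[0-7]", unit) else UNITS[unit]
    clear = {"s": 1, "m": 2, "h": 3}.get(canon, 4)  # how many fields to zero, smallest first
    dt = dt.replace(**{f: 0 for f in ("microsecond", "second", "minute", "hour")[:clear]})
    if canon == "w":                               # @w is @w0; w0 and w7 are both Sunday
        target = int(unit[1:]) % 7 if unit[1:].isdigit() else 0   # Splunk weekday: 0 = Sunday
        return dt - timedelta(days=((dt.weekday() + 1) % 7 - target) % 7)  # Python: Monday = 0
    if canon in MONTHS:                            # first day of the month, quarter or year
        return dt.replace(month=dt.month - (dt.month - 1) % MONTHS[canon], day=1)
    return dt

def resolve(modifier, now=NOW):                    # "<offsets>[@<snap>[<offsets>]]" or "now"
    m = GRAMMAR.fullmatch("" if modifier == "now" else modifier)
    if not m:
        raise ValueError(f"bad time modifier: {modifier!r}")
    dt = apply_offsets(now, m["head"])
    if m["snap"] is None:                          # no snap unit given: the search snaps to seconds
        return snap(dt, "s")
    return apply_offsets(snap(dt, m["snap"]), m["tail"])
```

resolve("-mon@mon") and resolve("@mon") together give the "previous month" range described above, and resolve("-7d@w1") with resolve("@w6") give the last full business week.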

Examples of searches with relative time modifiers

Example 1: Web access errors from the beginning of the week to the current time of your search (now).

eventtype=webaccess error earliest=@w0

This search returns matching events starting from 12:00 A.M. of the Sunday of the current week to the current time. Of course, this means that if you run this search on Monday at noon, you will only see events for 36 hours of data.


Example 2: Web access errors from the current business week (Monday to Friday).

eventtype=webaccess error earliest=@w1 latest=+7d@w6

This search returns matching events starting from 12:00 A.M. of the Monday of the current week and ending at 11:59 P.M. of the Friday of the current week.

If you run this search on Monday at noon, you will see only 12 hours of data, whereas if you run it on Friday you will see events from the beginning of the week to the current time on Friday. The timeline, however, will display the full business week.

Example 3: Web access errors from the last full business week.

eventtype=webaccess error earliest=-7d@w1 latest=@w6

This search returns matching events starting from 12:00 A.M. of last Monday and ending at 11:59 P.M. of last Friday.


This documentation applies to the following versions of Splunk® Enterprise: 6.5.1612 (Splunk Cloud only), 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 7.0.0, 7.0.1


Comments

Can I do some calculation and then use it?
Ex: earliest=$token_time$-mon@mon.

I want to write inner search queries where in one query I will search data for selected month and in other query I will search data of the previous month of selected month.
If I am selecting Feb, then I will search data for Feb and Jan. Is this possible through SPL?

BansodeSantosh
June 6, 2017
