Splunk® Enterprise

Search Reference


localize

Description

Returns a list of time ranges in which the search results are found.

Generates results that represent a list of time-contiguous event regions. A region is a period of time in which consecutive events are separated by, at most, 'maxpause' time.

The regions found can be expanded using the 'timeafter' and 'timebefore' modifiers, which extend the range after the last event and before the first event in the region, respectively. These expansions are done arbitrarily, possibly causing overlaps in the regions if the values are larger than 'maxpause'.

The regions are returned in search order: descending time for historical searches and data-arrival order for real-time searches. The time of each region is the initial pre-expanded start time.

The regions discovered by the localize command are meant to be fed into the map command, which uses a different region for each iteration.

The localize command also reports: (a) the number of events in the range, (b) the range duration in seconds, and (c) the region density, defined as (number of events in range) divided by (range duration), that is, events per second.

Syntax

localize [<maxpause>] [<timeafter>] [<timebefore>]

Optional arguments

maxpause
Syntax: maxpause=<int>(s|m|h|d)
Description: Specify the maximum (inclusive) time between two consecutive events in a contiguous time region.
Default: 1m
timeafter
Syntax: timeafter=<int>(s|m|h|d)
Description: Specify the amount of time to add to the output endtime field (expand the time region forward in time).
Default: 30s
timebefore
Syntax: timebefore=<int>(s|m|h|d)
Description: Specify the amount of time to subtract from the output starttime field (expand the time region backwards in time).
Default: 30s
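
The following Python sketch models the region rule from the Description so that the effect of maxpause, timeafter and timebefore can be checked offline. It is an added illustration, not Splunk's implementation: the function names and the sample timestamps are constructed, and it assumes that duration and density are measured over the expanded range.

```python
from dataclasses import dataclass

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
SAMPLE = [1000, 1020, 1050, 1200, 1210, 1500]  # constructed event times (epoch seconds)


def parse_span(text):
    """Convert a '<int>(s|m|h|d)' value such as '5m' to seconds."""
    number, unit = text[:-1], text[-1:]
    if unit not in UNITS or not number.isdigit():
        raise ValueError(f"expected <int>(s|m|h|d), got {text!r}")
    return int(number) * UNITS[unit]


@dataclass
class Region:
    time: float       # pre-expansion start of the region
    starttime: float  # first event minus timebefore
    endtime: float    # last event plus timeafter
    count: int        # events in the region
    duration: float   # assumption: measured over the expanded range
    density: float    # events per second (count / duration)


def localize(event_times, maxpause="1m", timeafter="30s", timebefore="30s"):
    pause, after, before = map(parse_span, (maxpause, timeafter, timebefore))
    regions, group = [], []
    # Walk events newest first, the order of a historical search.
    for t in sorted(event_times, reverse=True):
        if group and group[-1] - t > pause:  # a gap equal to maxpause stays inside
            regions.append(_close(group, after, before))
            group = []
        group.append(t)
    if group:
        regions.append(_close(group, after, before))
    return regions


def _close(group, after, before):
    first, last = group[-1], group[0]  # group is in descending time
    start, end = first - before, last + after
    duration = end - start
    density = len(group) / duration if duration else 0.0  # guard zero-length range
    return Region(first, start, end, len(group), duration, density)


def overlaps(regions):
    """Pairs of adjacent regions whose expanded ranges overlap."""
    return [(a, b) for a, b in zip(regions, regions[1:]) if b.endtime > a.starttime]
```

With the defaults the sample yields three separate regions; widening timeafter and timebefore to 2m makes the two oldest regions overlap, so a downstream map search would scan the shared interval twice.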

Usage

Descending time order required

The transaction command requires that the incoming events be in descending time order. Some commands, such as eval, do not output search results in time order. If one of these commands precedes the transaction command, your search returns an error.

To ensure that the search results are in descending order, you must include the sort command immediately before the transaction command in your search.

Examples

1. Search the time range of each previous result for the term "failure"

... | localize maxpause=5m | map search="search failure starttimeu=$starttime$ endtimeu=$endtime$"

2. Find suitable regions around where "error" occurs

Searching for "error" and calling the localize command finds suitable regions around where error occurs and passes each on to the search inside of the map command. Each iteration works with a specific time range to find potential transactions.

error | localize | map search="search starttimeu::$starttime$ endtimeu::$endtime$ | transaction uid,qid maxspan=1h"

See also

map, transaction


This documentation applies to the following versions of Splunk® Enterprise: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.2, 4.2.1, 4.2.2, 4.2.3, 4.2.4, 4.2.5, 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.3.0, 6.3.1, 6.3.1511, 6.3.2, 6.3.3, 6.3.4, 6.4.0

