Returns a list of time ranges in which the search results were found.
localize [<maxpause>] [<timeafter>] <timebefore>
- Syntax: timebefore=<int>(s|m|h|d)
- Description: Specify the amount of time to subtract from starttime (expand the time region backwards in time). Defaults to 30s.
- Syntax: maxpause=<int>(s|m|h|d)
- Description: Specify the maximum (inclusive) time between two consecutive events in a contiguous time region. Defaults to 1m.
- Syntax: timeafter=<int>(s|m|h|d)
- Description: Specify the amount of time to add to endtime (expand the time region forward in time). Defaults to 30s.
Generates a list of time contiguous event regions defined as: a period of time in which consecutive events are separated by at most 'maxpause' time. The found regions can be expanded using the 'timeafter' and 'timebefore' modifiers to expand the range after/before the last/first event in the region respectively. The Regions are return in time descending order, just as search results (time of region is start time). The regions discovered by localize are meant to be feed into the map command, which will use a different region for each iteration. Localize also reports: (a) number of events in the range, (b) range duration in seconds and (c) region density defined as (#of events in range) divided by (range duration) - events per second.
Example 1: Search the time range of each previous result for "failure".
... | localize maxpause=5m | map search="search failure starttimeu=$starttime$ endtimeu=$endtime$"
Example 2: As an example, searching for "error" and then calling localize finds good regions around where error occurs, and passes each on to the search inside of the map command, so that each iteration works with a specific timerange to find promising transactions
error | localize | map search="search starttimeu::$starttime$ endtimeu::$endtime$ |transaction uid,qid maxspan=1h"
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the localize command.
This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 , 4.2 , 4.2.1 , 4.2.2 , 4.2.3 , 4.2.4 , 4.2.5 , 4.3 , 4.3.1 , 4.3.2 , 4.3.3 , 4.3.4 , 4.3.5 , 4.3.6 , 4.3.7 , 5.0 , 5.0.1 , 5.0.2 , 5.0.3 , 5.0.4 , 5.0.5 , 5.0.6 , 5.0.7 , 6.0 , 6.0.1 , 6.0.2