Returns a list of time ranges in which the search results are found.
Generates results representing a list of time-contiguous event regions. A region is a period of time in which consecutive events are separated by, at most, 'maxpause' time. The regions found can be expanded using the 'timeafter' and 'timebefore' modifiers, which extend the range after the last event and before the first event in the region, respectively. These expansions are applied to each region independently, possibly causing overlaps in the regions if the values are larger than 'maxpause'. The regions are returned in search order: descending time for historical searches and data-arrival order for realtime searches. The time of each region is the initial pre-expanded start-time. The regions discovered by the localize command are meant to be fed into the map command, which will use a different region for each iteration. The localize command also reports: (a) the number of events in the range, (b) the range duration in seconds, and (c) the region density, defined as (number of events in range) divided by (range duration), in events per second.
localize [<maxpause>] [<timeafter>] [<timebefore>]
- Syntax: maxpause=<int>(s|m|h|d)
- Description: Specify the maximum (inclusive) time between two consecutive events in a contiguous time region.
- Default: 1m
- Syntax: timeafter=<int>(s|m|h|d)
- Description: Specify the amount of time to add to the output endtime field (expand the time region forward in time).
- Default: 30s
- Syntax: timebefore=<int>(s|m|h|d)
- Description: Specify the amount of time to subtract from the output starttime field (expand the time region backwards in time).
- Default: 30s
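The region-building rules described above, sketched in Python as an added example (not Splunk's implementation and not code from this page). It assumes epoch-second timestamps and that the duration is measured over the expanded range; the names `localize`, `close_region` and `overlapping` are hypothetical, and the sample timestamps are constructed.

```python
from typing import List, NamedTuple, Optional, Tuple

class Region(NamedTuple):
    time: int                 # pre-expansion start time (first event), epoch seconds
    starttime: int            # first event time minus timebefore
    endtime: int              # last event time plus timeafter
    count: int                # events in the region
    duration: int             # assumption: measured over the expanded range
    density: Optional[float]  # events per second; None if duration is 0

def close_region(group: List[int], timeafter: int, timebefore: int) -> Region:
    start, end = group[0] - timebefore, group[-1] + timeafter
    duration = end - start
    density = len(group) / duration if duration > 0 else None
    return Region(group[0], start, end, len(group), duration, density)

def localize(times: List[int], maxpause: int = 60,
             timeafter: int = 30, timebefore: int = 30) -> List[Region]:
    """Group event times into regions; defaults mirror 1m / 30s / 30s."""
    regions, group = [], []
    for t in sorted(times):
        # maxpause is inclusive: a gap of exactly maxpause stays in the region
        if group and t - group[-1] > maxpause:
            regions.append(close_region(group, timeafter, timebefore))
            group = []
        group.append(t)
    if group:
        regions.append(close_region(group, timeafter, timebefore))
    return regions[::-1]  # historical search order: descending time

def overlapping(regions: List[Region]) -> List[Tuple[int, int]]:
    """Return (earlier.time, later.time) for neighbouring regions that overlap,
    i.e. ranges a downstream map search would cover twice."""
    return [(earlier.time, later.time)
            for later, earlier in zip(regions, regions[1:])
            if earlier.endtime > later.starttime]

# Constructed sample: epoch seconds of matching events (not real log data)
BASE = 1_700_000_000
SAMPLE = [BASE, BASE + 20, BASE + 80, BASE + 141, BASE + 1000]

if __name__ == "__main__":
    for r in localize(SAMPLE):
        print(r)
    # Expansions larger than maxpause make neighbouring regions overlap
    print(overlapping(localize(SAMPLE, timeafter=120, timebefore=120)))
```

When the overlap check returns pairs, the same events fall inside more than one region, so results from the per-region map searches need deduplication before counting.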
Search the time range of each previous result for "failure".
... | localize maxpause=5m | map search="search failure starttimeu=$starttime$ endtimeu=$endtime$"
As an example, searching for "error" and then calling the localize command finds suitable regions around where the error occurs and passes each on to the search inside of the map command. Each iteration works with a specific time range to find potential transactions.
error | localize | map search="search starttimeu::$starttime$ endtimeu::$endtime$ |transaction uid,qid maxspan=1h"
This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 , 4.2 , 4.2.1 , 4.2.2 , 4.2.3 , 4.2.4 , 4.2.5 , 4.3 , 4.3.1 , 4.3.2 , 4.3.3 , 4.3.4 , 4.3.5 , 4.3.6 , 4.3.7 , 5.0 , 5.0.1 , 5.0.2 , 5.0.3 , 5.0.4 , 5.0.5 , 5.0.6 , 5.0.7 , 5.0.8 , 5.0.9 , 5.0.10 , 5.0.11 , 5.0.12 , 5.0.13 , 6.0 , 6.0.1 , 6.0.2 , 6.0.3 , 6.0.4 , 6.0.5 , 6.0.6 , 6.0.7 , 6.0.8 , 6.0.9 , 6.1 , 6.1.1 , 6.1.2 , 6.1.3 , 6.1.4 , 6.1.5 , 6.1.6 , 6.1.7 , 6.1.8 , 6.2.0 , 6.2.1 , 6.2.2 , 6.2.3