Time modifiers for search
You can use time modifiers to customize the time range of a search by specifying a time to start or stop, or change the format of the timestamps in the search results.
For 4.x, we recommend using the "earliest" and/or "latest" attributes to specify custom time ranges. For example, earliest=-60m for "60 minutes ago". For more information about customizing your search window, see "Change the time range to narrow your search" in the Search and Investigate chapter of the User manual.
Important: These search time modifiers are still valid, BUT may be removed and their function no longer supported in a future release.
List of time modifiers
| Modifier | Syntax | Description |
|---|---|---|
| daysago | daysago=<int> | Search events within the last integer number of days. |
| enddaysago | enddaysago=<int> | Set an end time for an integer number of days before now. |
| endhoursago | endhoursago=<int> | Set an end time for an integer number of hours before now. |
| endminutesago | endminutesago=<int> | Set an end time for an integer number of minutes before now. |
| endmonthsago | endmonthsago=<int> | Set an end time for an integer number of months before now. |
| endtime | endtime=<string> | Search for events before the specified time (exclusive of the specified time). Use timeformat to specify how the timestamp is formatted. |
| endtimeu | endtimeu=<int> | Search for events before the specified epoch time (Unix time). |
| hoursago | hoursago=<int> | Search events within the last integer number of hours. |
| minutesago | minutesago=<int> | Search events within the last integer number of minutes. |
| monthsago | monthsago=<int> | Search events within the last integer number of months. |
| searchtimespandays | searchtimespandays=<int> | Search within a specified range of days (expressed as an integer). |
| searchtimespanhours | searchtimespanhours=<int> | Search within a specified range of hours (expressed as an integer). |
| searchtimespanminutes | searchtimespanminutes=<int> | Search within a specified range of minutes (expressed as an integer). |
| searchtimespanmonths | searchtimespanmonths=<int> | Search within a specified range of months (expressed as an integer). |
| startdaysago | startdaysago=<int> | Set a start time for an integer number of days before now; search from that point to the present. |
| starthoursago | starthoursago=<int> | Set a start time for an integer number of hours before now; search from that point to the present. |
| startminutesago | startminutesago=<int> | Set a start time for an integer number of minutes before now; search from that point to the present. |
| startmonthsago | startmonthsago=<int> | Set a start time for an integer number of months before now; search from that point to the present. |
| starttime | starttime=<string> | Search from the specified date and time to the present (inclusive of the specified time). Use timeformat to specify how the timestamp is formatted. |
| starttimeu | starttimeu=<int> | Search from the specified epoch time (Unix time) to the present. |
| timeformat | timeformat=<string> | Set the timeformat for the starttime and endtime modifiers. By default: timeformat=%m/%d/%Y:%H:%M:%S |
How to specify relative time modifiers
You can define the relative time in your search with a string of characters that indicate time amount (integer and unit) and, optionally, a "snap to" time unit: [+|-]<time_integer><time_unit>@<time_unit>. Also, when specifying relative time, you can use now to refer to the current time.
1. Begin your string with a plus (+) or minus (-) to indicate the offset of the time amount.
2. Define your time amount with a number and a unit; the supported time units are:
- second: s, sec, secs, second, seconds
- minute: m, min, minute, minutes
- hour: h, hr, hrs, hour, hours
- day: d, day, days
- week: w, week, weeks
- month: mon, month, months
- quarter: q, qtr, qtrs, quarter, quarters
- year: y, yr, yrs, year, years
When specifying single time amounts, the number one is implied; 's' is the same as '1s', 'm' is the same as '1m', etc.
Note: The abbreviations w0, w1, w2, w3, w4, w5 and w6 are reserved for specifying "snap to" days of the week; where w0 is Sunday, w1 is Monday, etc. When you snap to a week, @w or @week, it is equivalent to snapping to Sunday or @w0.
Note: When you specify @q, @qtr, or @quarter, it snaps to the beginning of the most recent quarter: Jan 1, Apr 1, July 1, or Oct 1.
3. If you want, specify a "snap to" time unit; this indicates the nearest or latest time to which your time amount rounds down. A relative time modifier is also allowed to contain only a "snap to" time unit.
If you don't specify a "snap to" time unit, Splunk snaps automatically to the second.
Separate the time amount from the "snap to" time unit with an "@" character. You can use any of time units listed in Step 2. Additionally, you can "snap to" a specific day of the week, such as last Sunday or last Monday. To do this, use @w0 for Sunday, @w1 for Monday, etc.
Important: When snapping to the nearest or latest time, Splunk always snaps backwards or rounds down to the latest time not after the specified time. For example, if it is 11:59:00 and you "snap to" hours, you will snap to 11:00 not 12:00.
Important: If you don't specify a time offset before the "snap to" amount, Splunk interprets the time as "current time snapped to" the specified amount. Because snapping always rounds down, the result is the start (midnight, 12:00:00 AM) of the most recent matching unit. For example, if it is currently 11:59 PM on Friday and you use @w6 to "snap to Saturday", the resulting time is the previous Saturday at 12:00 AM.
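The following is an added worked example, not Splunk's own code, that evaluates a relative time modifier string of the form described in steps 1 to 3 against an explicit reference time: it applies the optional offset (with the implied count of 1, month-based units clamped to the target month's length), then the optional "snap to" (rounding down only, w0 to w6 for weekdays, @w equal to @w0, @q to the quarter start), and snaps to the second when no snap-to is given. The function names (`resolve`, `snap`, `add_offset`, `search_window`), the `now` prefix handling and the sample reference time `EXAMPLE_NOW` (a Friday) are this example's own assumptions; the `search_window` helper shows how an `earliest`/`latest` pair can be checked for an inverted window before a search is issued.

```python
import calendar
import re
from datetime import datetime, timedelta

# Every abbreviation listed in step 2, mapped to a canonical unit name.
_ALIASES = {
    "second": ("s", "sec", "secs", "second", "seconds"),
    "minute": ("m", "min", "minute", "minutes"),
    "hour": ("h", "hr", "hrs", "hour", "hours"),
    "day": ("d", "day", "days"),
    "week": ("w", "week", "weeks"),
    "month": ("mon", "month", "months"),
    "quarter": ("q", "qtr", "qtrs", "quarter", "quarters"),
    "year": ("y", "yr", "yrs", "year", "years"),
}
UNITS = {alias: canon for canon, aliases in _ALIASES.items() for alias in aliases}
_MONTHS_PER = {"month": 1, "quarter": 3, "year": 12}
_SECONDS_PER = {"second": 1, "minute": 60, "hour": 3600, "day": 86400, "week": 604800}

# [+|-]<int><unit>@<unit>: every part is optional, so "@d", "-1d" and "" (= now) all match.
_MODIFIER_RE = re.compile(
    r"^(?:(?P<sign>[+-])?(?P<num>\d*)(?P<unit>[a-z]+))?(?:@(?P<snap>[a-z0-9]+))?$"
)

# Constructed reference time for the demo: Friday 2012-03-09 23:59:30.5 (an assumption).
EXAMPLE_NOW = datetime(2012, 3, 9, 23, 59, 30, 500000)


def add_offset(t: datetime, count: int, canon: str) -> datetime:
    """Shift t by count units; month-based units clamp the day to the target month."""
    if canon in _MONTHS_PER:
        index = t.year * 12 + (t.month - 1) + count * _MONTHS_PER[canon]
        year, month0 = divmod(index, 12)
        last_day = calendar.monthrange(year, month0 + 1)[1]
        return t.replace(year=year, month=month0 + 1, day=min(t.day, last_day))
    return t + timedelta(seconds=count * _SECONDS_PER[canon])


def snap(t: datetime, unit: str) -> datetime:
    """Round t DOWN to the start of unit; never forward, as the note above states."""
    if re.fullmatch(r"w[0-6]", unit):              # w0 = Sunday ... w6 = Saturday
        target = int(unit[1])
        today = (t.weekday() + 1) % 7               # Python uses Monday=0; convert to Sunday=0
        midnight = t.replace(hour=0, minute=0, second=0, microsecond=0)
        return midnight - timedelta(days=(today - target) % 7)
    canon = UNITS.get(unit)
    if canon is None:
        raise ValueError(f"unknown snap-to unit: {unit!r}")
    if canon == "second":
        return t.replace(microsecond=0)
    if canon == "minute":
        return t.replace(second=0, microsecond=0)
    if canon == "hour":
        return t.replace(minute=0, second=0, microsecond=0)
    if canon == "week":
        return snap(t, "w0")                        # @w is the same as @w0 (Sunday)
    day = t.replace(hour=0, minute=0, second=0, microsecond=0)
    if canon == "day":
        return day
    if canon == "month":
        return day.replace(day=1)
    if canon == "quarter":                          # Jan 1, Apr 1, Jul 1 or Oct 1
        return day.replace(month=3 * ((t.month - 1) // 3) + 1, day=1)
    return day.replace(month=1, day=1)              # year


def resolve(modifier: str, now: datetime) -> datetime:
    """Evaluate one relative time modifier against an explicit 'now'."""
    s = modifier.strip().lower()
    if not s:
        raise ValueError("empty time modifier")
    if s.startswith("now") and (len(s) == 3 or s[3] in "+-@"):
        s = s[3:]                                   # accept 'now', 'now-1h', 'now@d'
    m = _MODIFIER_RE.match(s)
    if m is None:                                   # e.g. 'w0' without '@', or a bare '@'
        raise ValueError(f"invalid relative time modifier: {modifier!r}")
    t = now
    if m.group("unit"):
        canon = UNITS.get(m.group("unit"))
        if canon is None:
            raise ValueError(f"unknown time unit in {modifier!r}")
        count = int(m.group("num") or 1)            # 'm' is the same as '1m'
        if m.group("sign") == "-":
            count = -count
        t = add_offset(t, count, canon)
    return snap(t, m.group("snap") or "s")          # no snap-to given: snap to the second


def search_window(earliest: str, latest: str, now: datetime):
    """Resolve an earliest/latest pair and reject a window whose start is after its end."""
    start, end = resolve(earliest, now), resolve(latest, now)
    if start > end:
        raise ValueError(f"earliest={earliest!r} resolves after latest={latest!r}")
    return start, end


if __name__ == "__main__":
    for mod in ("-60m", "@h", "@w6", "-1d@w1", "-1q@q", "now"):
        print(f"{mod:>8} -> {resolve(mod, EXAMPLE_NOW)}")
    print("window:", search_window("-7d@d", "@d", EXAMPLE_NOW))
```

Run it as a script to see each modifier resolved against the constructed Friday reference time; `@w6` lands on the previous Saturday at midnight and `-60m` keeps the seconds but drops the sub-second part, matching the rounding rules above.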
This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 , 4.2 , 4.2.1 , 4.2.2 , 4.2.3 , 4.2.4 , 4.2.5 , 4.3
Comments
kindlund: thank you. It was a misspelling. Fixed!
Is there any difference at all between "minutesago=10" and "startminutesago=10"? The article doesn't explain.
thanks! fixed.
"startimeeu" in the first column is misspelled, I think.
Mileserickson: There is a slight difference. The days/hours/minutes/monthsago modifiers specify the time range up to the present time of the search, rounding the end time to the last second, so that the time is an integer. The start*ago modifiers also specify the time range to the present time of the search, but they do not round to the second. I hope this helps!