Time modifiers for search
Time modifiers for search
You can use time modifiers to customize the time range of a search by specifying a time to start or stop, or change the format of the timestamps in the search results.
List of time modifiers
We recommend using the earliest and/or latest modifiers to specify custom and relative time ranges. Also, when specifying relative time, you can use now to refer to the current time.
| Modifier | Syntax | Description |
|---|---|---|
| earliest | earliest=[+|-]<time_integer><time_unit>@<time_unit>
| Specify the earliest time for the time range of your search. |
| latest | latest=[+|-]<time_integer><time_unit>@<time_unit>
| Specify the latest time for the time range of your search. |
| now | now
| Refers to the current time. |
For more information about customizing your search window, see "Change the time range to narrow your search" in the User manual.
How to specify relative time modifiers
You can define the relative time in your search with a string of characters that indicate time amount (integer and unit) and, optionally, a "snap to" time unit: [+|-]<time_integer><time_unit>@<time_unit>.
1. Begin your string with a plus (+) or minus (-) to indicate the offset from the current time.
2. Define your time amount with a number and a unit; the supported time units are:
- second: s, sec, secs, second, seconds
- minute: m, min, minute, minutes
- hour: h, hr, hrs, hour, hours
- day: d, day, days
- week: w, week, weeks
- days of the week: w0 (Sunday), w1, w2, w3, w4, w5 and w6 (Saturday)
- month: mon, month, months
- quarter: q, qtr, qtrs, quarter, quarters
- year: y, yr, yrs, year, years
For example, to start your search an hour ago, use either
earliest=-h
or,
earliest=-60m
When specifying single time amounts, the number one is implied; 's' is the same as '1s', 'm' is the same as '1m', 'h' is the same as '1h', etc.
3. If you want, specify a "snap to" time unit; this indicates the nearest or latest time to which your time amount rounds down. Separate the time amount from the "snap to" time unit with an "@" character.
- You can use any of time units listed in Step 2. For example, @w, @week, and @w0 for Sunday; @month for the beginning of the month; and @q, @qtr, or @quarter for the beginning of the most recent quarter (Jan 1, Apr 1, Jul 1, or Oct 1).
- You can also specify offsets from the snap-to-time or "chain" together the time modifiers for more specific relative time definitions. For example,
@d-2hsnaps to the beginning of today (12AM) and subtract 2 hours from that time. - When snapping to the nearest or latest time, Splunk always snaps backwards or rounds down to the latest time not after the specified time. For example, if it is 11:59:00 and you "snap to" hours, you will snap to 11:00 not 12:00.
- If you don't specify a time offset before the "snap to" amount, Splunk interprets the time as "current time snapped to" the specified amount. For example, if it is currently 11:59 PM on Friday and you use
@w6to "snap to Saturday", the resulting time is the previous Saturday at 12:01 AM.
Example 1: To search events from the beginning of the current week:
earliest=@w0
Example 2: To search events from the last full business week:
earliest=-7d@w1 latest=@w6
More time modifiers
These search time modifiers are still valid, BUT may be removed and their function no longer supported in a future release.
| Modifier | Syntax | Description |
|---|---|---|
| daysago | daysago=<int>
| Search events within the last integer number of days. |
| enddaysago | enddaysago=<int>
| Set an end time for an integer number of days before now. |
| endhoursago | endhoursago=<int>
| Set an end time for an integer number of hours before now. |
| endminutesago | endminutesago=<int>
| Set an end time for an integer number of minutes before now. |
| endmonthsago | endmonthsago=<int
| Set an end time for an integer number of months before now. |
| endtime | endtime=<string>
| Search for events before the specified time (exclusive of the specified time). Use timeformat to specify how the timestamp is formatted. |
| endtimeu | endtimeu=<int>
| Search for events before the specific epoch time (Unix time). . |
| hoursago | hoursago=<int>
| Search events within the last integer number of hours. |
| minutesago | minutesago=<int>
| Search events within the last integer number of minutes. |
| monthsago | monthsago=<int>
| Search events within the last integer number of months. |
| <searchtimespandays | searchtimespandays=<int>
| Search within a specified range of days (expressed as an integer). |
| searchtimespanhours | searchtimespanhours=<int>
| Search within a specified range of hours (expressed as an integer). |
| searchtimespanminutes | searchtimespanminutes=<int>
| Search within a specified range of minutes (expressed as an integer). |
| searchtimespanmonths | searchtimespanmonths=<int>
| Search within a specified range of months (expressed as an integer). |
| startdaysago | startdaysago=<int>
| Search the specified number of days before the present time. |
| starthoursago | starthoursago=<int>
| Search the specified number of hours before the present time. |
| startminutesago | startminutesago=<int>
| Search the specified number of minutes before the present time. |
| startmonthsago | startmonthsago=<int>
| Search the specified number of months before the present time. |
| starttime | starttime=<timestamp>
| Search from the specified date and time to the present (inclusive of the specified time). |
| starttimeu | starttimeu=<int>
| Search from the specific epoch (Unix time). |
| timeformat | timeformat=<string>
| Set the timeformat for the starttime and endtime modifiers. By default: timeformat=%m/%d/%Y:%H:%M:%S
|
This documentation applies to the following versions of Splunk: 4.1 , 4.1.1 , 4.1.2 , 4.1.3 , 4.1.4 , 4.1.5 , 4.1.6 , 4.1.7 , 4.1.8 , 4.2 , 4.2.1 , 4.2.2 , 4.2.3 , 4.2.4 , 4.2.5 , 4.3 , 4.3.1 , 4.3.2 View the Article History for its revisions.
Comments
kindlund: thank you. it was a mispelling. fixed!
Is there any difference at all between difference between "minutesago=10" and "startminutesago=10"? The article doesn't explain.
thanks! fixed.
"startimeeu" in the first column is misspelled, I think.
Mileserickson: There is a slight difference. The days/hours/minutes/monthsago modifiers specify the time range up to the present time of the search , rounding the end time to the last second, so that the time is an integer. The start*ago modifiers also specify the time range to the present time of the search, but it does not round to the second. I hope this helps!