Time modifiers for search
You can use time modifiers to customize the time range of a search by specifying a time to start or stop, or change the format of the timestamps in the search results.
List of time modifiers
We recommend using the earliest and/or latest modifiers to specify custom and relative time ranges. Also, when specifying relative time, you can use now to refer to the current time.
| Modifier | Syntax | Description |
|---|---|---|
| earliest | earliest=[+\|-]<time_integer><time_unit>@<time_unit> | Specify the earliest time for the time range of your search. |
| latest | latest=[+\|-]<time_integer><time_unit>@<time_unit> | Specify the latest time for the time range of your search. |
| now | now() | Refers to the current time. If set as earliest, now() is the start of the search. |
| time | time() | In real-time searches, time() is the current machine time. |
For more information about customizing your search window, see "Specify real-time time range windows in your search" in the Search manual.
How to specify relative time modifiers
You can define the relative time in your search with a string of characters that indicate time amount (integer and unit) and, optionally, a "snap to" time unit: [+|-]<time_integer><time_unit>@<time_unit>.
1. Begin your string with a plus (+) or minus (-) to indicate the offset from the current time.
2. Define your time amount with a number and a unit; the supported time units are:
- second: s, sec, secs, second, seconds
- minute: m, min, minute, minutes
- hour: h, hr, hrs, hour, hours
- day: d, day, days
- week: w, week, weeks
- month: mon, month, months
- quarter: q, qtr, qtrs, quarter, quarters
- year: y, yr, yrs, year, years
Note: When snapping to a day of the week (see Step 3), you can specify Sunday as either w0 or w7.
For example, to start your search an hour ago, use either
earliest=-h
or,
earliest=-60m
When specifying single time amounts, the number one is implied; 's' is the same as '1s', 'm' is the same as '1m', 'h' is the same as '1h', etc.
3. If you want, specify a "snap to" time unit; this rounds your time amount down to the most recent boundary of that unit. Separate the time amount from the "snap to" time unit with an "@" character.
- You can use any of the time units listed in Step 2. For example, @w, @week, and @w0 snap to Sunday; @month snaps to the beginning of the month; and @q, @qtr, or @quarter snap to the beginning of the most recent quarter (Jan 1, Apr 1, Jul 1, or Oct 1). For specific days of the week, use w0 (Sunday), w1 (Monday), w2, w3, w4, w5, and w6 (Saturday); w7 is also Sunday.
- You can also specify offsets from the snap-to time, or "chain" together the time modifiers for more specific relative time definitions. For example, @d-2h snaps to the beginning of today (12 AM) and then subtracts 2 hours from that time.
- When snapping, Splunk always snaps backwards (rounds down) to the latest boundary that is not after the specified time. For example, if it is 11:59:00 and you "snap to" hours, you snap to 11:00, not 12:00.
- If you don't specify a time offset before the "snap to" amount, Splunk interprets the time as "current time snapped to" the specified unit. For example, if it is currently 11:59 PM on Friday and you use @w6 to "snap to Saturday", the resulting time is the previous Saturday at 12:00 AM (midnight, the start of that day).
Example 1: To search events from the beginning of the current week:
earliest=@w0
Example 2: To search events from the last full business week:
earliest=-7d@w1 latest=@w6
Example 3: To search with an exact date as a boundary, such as from November 5th at 8 PM to November 12th at 8 PM, use the default timeformat %m/%d/%Y:%H:%M:%S (month first, then day):
earliest="11/05/2012:20:00:00" latest="11/12/2012:20:00:00"
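To make the offset, snap-to, and chaining rules above concrete, here is a small evaluator for earliest/latest values. It is an added example written for this page, not Splunk's own code; the function names (relative_time, parse_bound, time_range) and the fixed reference time are assumptions for illustration, and it uses only the Python standard library. It implements the behaviour the text describes: the implied "1" for a bare unit, snapping that always rounds down, w0/w7 for Sunday, calendar-aware month, quarter and year offsets, and absolute boundaries in the default timeformat.

```python
import calendar
import re
from datetime import datetime, timedelta

# Added example (not Splunk's code): reference evaluator for the
# [+|-]<time_integer><time_unit>@<time_unit> syntax described above, plus
# absolute bounds in the default timeformat. "now" is passed in explicitly
# so results are reproducible; the function names are this example's own.

DEFAULT_TIMEFORMAT = "%m/%d/%Y:%H:%M:%S"

# Canonical unit for every alias listed in step 2.
_UNITS = {alias: canon for canon, aliases in (
    ("s", "s sec secs second seconds"), ("m", "m min minute minutes"),
    ("h", "h hr hrs hour hours"), ("d", "d day days"), ("w", "w week weeks"),
    ("mon", "mon month months"), ("q", "q qtr qtrs quarter quarters"),
    ("y", "y yr yrs year years")) for alias in aliases.split()}

_OFFSET_RE = re.compile(r"([+-]?)(\d*)([a-z]+)")  # -7d, +h, 60m ("1" implied)
_SNAP_RE = re.compile(r"@([a-z]+\d?)")            # @d, @mon, @w1


def _add_months(dt, n):
    """Shift dt by n months, clamping the day to the target month's length."""
    year, month0 = divmod(dt.year * 12 + dt.month - 1 + n, 12)
    last = calendar.monthrange(year, month0 + 1)[1]
    return dt.replace(year=year, month=month0 + 1, day=min(dt.day, last))


def _apply_offset(dt, sign, n, unit):
    """Move dt by n units; months, quarters and years are calendar-aware."""
    if sign == "-":
        n = -n
    if unit in ("mon", "q", "y"):
        return _add_months(dt, n * {"mon": 1, "q": 3, "y": 12}[unit])
    field = {"s": "seconds", "m": "minutes", "h": "hours",
             "d": "days", "w": "weeks"}[unit]
    return dt + timedelta(**{field: n})


def _snap(dt, target):
    """Round dt DOWN to the start of the target unit; Splunk never snaps forward."""
    day0 = dt.replace(hour=0, minute=0, second=0, microsecond=0)
    m = re.fullmatch(r"w([0-7])", target)
    if m:                                 # day of week: w0 and w7 are Sunday
        want = int(m.group(1)) % 7
        have = (dt.weekday() + 1) % 7     # Python Monday=0 -> Sunday=0
        return day0 - timedelta(days=(have - want) % 7)
    unit = _UNITS.get(target)
    if unit == "s":
        return dt.replace(microsecond=0)
    if unit == "m":
        return dt.replace(second=0, microsecond=0)
    if unit == "h":
        return dt.replace(minute=0, second=0, microsecond=0)
    if unit == "d":
        return day0
    if unit == "w":                       # plain @w means Sunday, like @w0
        return _snap(dt, "w0")
    if unit == "mon":
        return day0.replace(day=1)
    if unit == "q":                       # Jan 1, Apr 1, Jul 1 or Oct 1
        return day0.replace(month=((dt.month - 1) // 3) * 3 + 1, day=1)
    if unit == "y":
        return day0.replace(month=1, day=1)
    raise ValueError("unknown snap-to unit: @" + target)


def relative_time(spec, now):
    """Evaluate a relative modifier (-7d@w1, @d-2h, -60m, now) against now."""
    spec = spec.strip()
    if spec in ("now", "now()"):
        return now
    dt, pos, snapped = now, 0, False
    while pos < len(spec):
        if spec[pos] == "@":
            m = _SNAP_RE.match(spec, pos)
            if not m or snapped:          # at most one snap per modifier
                raise ValueError("bad snap-to in %r" % spec)
            dt, snapped = _snap(dt, m.group(1)), True
        else:
            m = _OFFSET_RE.match(spec, pos)
            if not m or m.group(3) not in _UNITS:
                raise ValueError("bad offset in %r" % spec)
            sign, digits, unit = m.groups()
            dt = _apply_offset(dt, sign, int(digits or 1), _UNITS[unit])
        pos = m.end()
    return dt


def parse_bound(value, now, timeformat=DEFAULT_TIMEFORMAT):
    """Parse an earliest= or latest= value: relative modifier or absolute timestamp."""
    try:
        return relative_time(value, now)
    except ValueError:
        return datetime.strptime(value.strip().strip('"'), timeformat)


def time_range(earliest, latest, now, timeformat=DEFAULT_TIMEFORMAT):
    """Return (start, end) for an earliest/latest pair, rejecting inverted ranges."""
    start = parse_bound(earliest, now, timeformat)
    end = parse_bound(latest, now, timeformat)
    if start > end:
        raise ValueError("earliest %s is after latest %s" % (start, end))
    return start, end
```

Evaluated against a reference time of Wednesday 2012-11-14 23:59, Example 2 (earliest=-7d@w1 latest=@w6) yields Monday 2012-11-05 00:00 through Saturday 2012-11-10 00:00. Note that the latest bound is the start of Saturday, so the range covers Monday to Friday inclusive and excludes Saturday's own events; the Friday 11:59 PM case from the text snaps @w6 back to the previous Saturday at midnight. time_range rejects a pair whose earliest falls after its latest, which is an easy mistake to make when chaining offsets.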
More time modifiers
These search time modifiers are still valid, but they may be removed and their function no longer supported in a future release. Prefer earliest and latest in new searches.
| Modifier | Syntax | Description |
|---|---|---|
| daysago | daysago=<int> | Search events within the last integer number of days. |
| enddaysago | enddaysago=<int> | Set an end time for an integer number of days before now. |
| endhoursago | endhoursago=<int> | Set an end time for an integer number of hours before now. |
| endminutesago | endminutesago=<int> | Set an end time for an integer number of minutes before now. |
| endmonthsago | endmonthsago=<int> | Set an end time for an integer number of months before now. |
| endtime | endtime=<string> | Search for events before the specified time (exclusive of the specified time). Use timeformat to specify how the timestamp is formatted. |
| endtimeu | endtimeu=<int> | Search for events before the specified epoch time (Unix time). |
| hoursago | hoursago=<int> | Search events within the last integer number of hours. |
| minutesago | minutesago=<int> | Search events within the last integer number of minutes. |
| monthsago | monthsago=<int> | Search events within the last integer number of months. |
| searchtimespandays | searchtimespandays=<int> | Search within a specified range of days (expressed as an integer). |
| searchtimespanhours | searchtimespanhours=<int> | Search within a specified range of hours (expressed as an integer). |
| searchtimespanminutes | searchtimespanminutes=<int> | Search within a specified range of minutes (expressed as an integer). |
| searchtimespanmonths | searchtimespanmonths=<int> | Search within a specified range of months (expressed as an integer). |
| startdaysago | startdaysago=<int> | Search the specified number of days before the present time. |
| starthoursago | starthoursago=<int> | Search the specified number of hours before the present time. |
| startminutesago | startminutesago=<int> | Search the specified number of minutes before the present time. |
| startmonthsago | startmonthsago=<int> | Search the specified number of months before the present time. |
| starttime | starttime=<timestamp> | Search from the specified date and time to the present (inclusive of the specified time). |
| starttimeu | starttimeu=<int> | Search from the specified epoch time (Unix time). |
| timeformat | timeformat=<string> | Set the timeformat for the starttime and endtime modifiers. By default: timeformat=%m/%d/%Y:%H:%M:%S |
This documentation applies to the following versions of Splunk: 5.0, 5.0.1, 5.0.2
If timeformat, starttime, and endtime are being deprecated, I request that you use a different time format for earliest and latest. "2012-04-25T14:30:00-0500" (ISO 8601) perhaps? The existing format is incorrect for users outside the USA. 8601 is mostly supported by Python.