gentimes command is useful in conjunction with the map command.
Generates timestamp results starting with the exact time specified as start time. Each result describes an adjacent, non-overlapping time range as indicated by the increment value. This terminates when enough results are generated to pass the endtime value.
For example, the following search generates four intervals covering one day periods aligning with the calendar days October 1, 2, 3, and 4, during 2017.
| gentimes start=10/1/17 end=10/5/17
This command does not work for future dates.
| gentimes start=<timestamp> [end=<timestamp>] [increment=<increment>]
- Syntax: start=<timestamp>
- Description: Specify as start time.
- Syntax: MM/DD/YYYY[:HH:MM:SS] | <int>
- Description: Indicate the timeframe, for example: 10/1/2017 for October 1, 2017, 4/1/2017:12:34:56 for April 1, 2017 at 12:34:56, or -5 for five days ago.
- Syntax: end=<timestamp>
- Description: Specify an end time.
- Default: midnight, prior to the current time in local time
- Syntax: increment=<int>(s | m | h | d)
- Description: Specify a time period to increment from the start time to the end time.
- Default: 1d
gentimes command is a generating command and should be the first command in the search. Generating commands use a leading pipe character.
All hourly time ranges from December 1 to December 5 in 2017.
| gentimes start=12/1/17 end=12/5/17 increment=1h
All daily time ranges from 30 days ago until 27 days ago.
| gentimes start=-30 end=-27
All daily time ranges from April 1 to April 5 in 2017.
| gentimes start=4/1/17 end=4/5/17
All daily time ranges from September 25 to today.
| gentimes start=9/25/17
Have questions? Visit Splunk Answers and see what questions and answers the Splunk community has using the gentimes command.
This documentation applies to the following versions of Splunk Cloud™: 6.5.0, 6.5.1, 6.5.1612, 6.6.0, 6.6.1, 6.6.3