Related Answers
Download topic as PDF
Specifying time spans
Some SPL2 commands include an argument where you can specify a time span, which is used to organize the search results by time increments. The GROUP BY clause in the from command, and the bin, stats, and timechart commands include a span argument.
The time span can contain two elements, a time unit and timescale:
- A time unit is an integer that designates the amount of time, for example 5 or 30.
- A timescale is word or abbreviation that designates the time interval, for example seconds, minutes, or hours.
When you specify a time span, the timescale is required. If no time unit is specified, 1 is used as the default time unit. For example if you specify min, 1 minute is used.
Supported timescales
The supported timescale intervals are listed in the following table:
| Timescale interval | Valid abbreviations |
|---|---|
| second | s, sec, secs, second, seconds |
| minute | m, min, minute, minutes |
| hour | h, hr, hrs, hour, hours |
| day | d, day, days |
| week | w, week, weeks |
| month | mon, month, months |
| quarter | q, qtr, qtrs, quarter, quarters |
| year | y, yr, yrs, year, years |
Default time span
If you use the predefined time ranges in the Time Range Picker, and do not specify a span argument, the following table shows the default spans that are used:
| Time range | Default time span |
|---|---|
| Last 15 minutes | 10 seconds |
| Last 60 minutes | 1 minute |
| Last 4 hours | 5 minutes |
| Last 24 hours | 30 minutes |
| Last 7 days | 1 day |
| Last 30 days | 1 day |
| Previous year | 1 month |
|
PREVIOUS Specifying relative time |
NEXT Using time variables |
This documentation applies to the following versions of Splunk® Cloud Services: current
Feedback submitted, thanks!