Splunk® Cloud Services

SPL2 Search Manual

Searching specific time ranges

When you create a search, try to specify only the dates or times that you're interested in. Specifying a narrow time range is a great way to filter the data in your dataset and to avoid producing more results than you really need.

To specify a time range in your search syntax, you use the earliest and latest time modifiers. You can specify an exact time such as earliest="10/5/2019:20:00:00", or a relative time such as earliest=-h or latest=@w6.

Modifier: earliest
Syntax: earliest=[+|-]<time_integer><time_unit>@<time_unit>
Description: Specify the earliest _time for the time range of your search. Use earliest=1 to specify UNIX epoch time 1, which is January 1, 1970 at 12:00:01 AM UTC.

Modifier: latest
Syntax: latest=[+|-]<time_integer><time_unit>@<time_unit>
Description: Specify the latest _time for the time range of your search. If you omit latest, the current time (now) is used.

Here are some examples:

  • To search for data from now and go back in time 5 minutes, use earliest=-5m.
  • To search for data from now and go back 40 seconds, use earliest=-40s.
  • To search for data between 2 and 4 hours ago, use earliest=-4h latest=-2h.
  • To search for data using an exact date range, such as from October 15 at 8 PM to October 22 at 8 PM, use the default timeformat %m/%d/%Y:%H:%M:%S and specify dates like earliest="10/15/2019:20:00:00" latest="10/22/2019:20:00:00".
  • To search for data from the beginning of today (12 AM or midnight), use earliest=@d. The @ symbol is the snap-to operator and d is the time unit to snap to.
  • To search for data from the beginning of today (12 AM or midnight) with a time offset of -2h, use earliest=@d-2h. The snap is applied first and the offset second, so this results in an earliest time of 10 PM yesterday.

When snapping to a time, Splunk software always snaps backwards: it rounds down to the latest time that is not after the specified time. For example, if it is 11:59:00 and you snap to hours, the result is 11:00, not 12:00.

Here's an example of a time range in a search that starts 5 minutes ago, snapped to the beginning of that minute, and ends at the beginning of the current minute. Because both ends are snapped, the window always covers exactly five whole minutes and never includes the partial current minute, which keeps the results of repeated runs comparable.

| from main where earliest=-5m@m and latest=@m
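To make the resolution rules above concrete, here is an added Python model of how earliest and latest values turn into absolute times. It is example code written for this page, not Splunk's implementation, and it simplifies in two ways that are assumptions: every time is treated as UTC (Splunk uses the search's time zone), and the reference clock NOW is a constructed value, Tuesday 22 October 2019 at 11:59:00, so that the results are deterministic. It handles exact times in the default timeformat, epoch integers, now, and relative chains of offsets and snaps such as -5m@m, @d-2h and @w6, applying the snap-backwards rule and the left-to-right order the page describes.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed reference clock so results are deterministic:
# Tuesday 22 Oct 2019, 11:59:00. Assumption: all times are UTC.
NOW = datetime(2019, 10, 22, 11, 59, 0, tzinfo=timezone.utc)
# Splunk's default timeformat for absolute earliest/latest values.
TIMEFORMAT = "%m/%d/%Y:%H:%M:%S"

# Unit spellings accepted in a modifier, mapped to one canonical unit each.
UNITS = {
    **dict.fromkeys(["s", "sec", "secs", "second", "seconds"], "s"),
    **dict.fromkeys(["m", "min", "mins", "minute", "minutes"], "m"),
    **dict.fromkeys(["h", "hr", "hrs", "hour", "hours"], "h"),
    **dict.fromkeys(["d", "day", "days"], "d"),
    **dict.fromkeys(["w", "week", "weeks"], "w"),
    **dict.fromkeys(["mon", "month", "months"], "mon"),
    **dict.fromkeys(["y", "yr", "yrs", "year", "years"], "y"),
}
SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
MONTHS = {"mon": 1, "y": 12}

# A modifier is a chain of tokens: snaps ("@d", "@w6") and offsets ("-5m", "+h", "2d").
TOKEN = re.compile(r"@(?P<snap>[a-z]+)(?P<wday>\d)?|(?P<sign>[+-])?(?P<num>\d*)(?P<unit>[a-z]+)")


def _add_months(dt, n):
    """Shift dt by n calendar months, clamping the day to the target month's length."""
    year, month = divmod(dt.year * 12 + dt.month - 1 + n, 12)
    month += 1
    first_of_next = datetime(year + month // 12, month % 12 + 1, 1, tzinfo=dt.tzinfo)
    last_day = (first_of_next - timedelta(days=1)).day
    return dt.replace(year=year, month=month, day=min(dt.day, last_day))


def _offset(dt, sign, num, unit):
    """Apply a relative offset such as -5m; a missing count means 1 (-h == -1h)."""
    u = UNITS.get(unit)
    if u is None:
        raise ValueError(f"unknown time unit {unit!r}")
    n = (int(num) if num else 1) * (-1 if sign == "-" else 1)
    if u in SECONDS:
        return dt + timedelta(seconds=n * SECONDS[u])
    return _add_months(dt, n * MONTHS[u])


def _snap(dt, unit, wday):
    """Snap backwards: round dt down to the start of the given unit."""
    u = UNITS.get(unit)
    if u is None or (wday is not None and u != "w"):
        raise ValueError(f"bad snap unit @{unit}{wday or ''}")
    if u == "s":
        return dt.replace(microsecond=0)
    if u == "m":
        return dt.replace(second=0, microsecond=0)
    if u == "h":
        return dt.replace(minute=0, second=0, microsecond=0)
    day = dt.replace(hour=0, minute=0, second=0, microsecond=0)
    if u == "d":
        return day
    if u == "w":
        # Splunk numbers the week w0=Sunday .. w6=Saturday and @w means @w0;
        # Python's weekday() is Monday=0 .. Sunday=6, so convert before going back.
        target = (int(wday or 0) - 1) % 7
        return day - timedelta(days=(day.weekday() - target) % 7)
    if u == "mon":
        return day.replace(day=1)
    return day.replace(month=1, day=1)  # "y"


def resolve(modifier, now=NOW, timeformat=TIMEFORMAT):
    """Return the absolute UTC datetime that an earliest/latest value refers to."""
    text = modifier.strip().strip('"')
    if text == "now":
        return now
    if text.isdigit():  # UNIX epoch seconds, e.g. earliest=1
        return datetime.fromtimestamp(int(text), tz=timezone.utc)
    try:  # absolute time written in timeformat
        return datetime.strptime(text, timeformat).replace(tzinfo=timezone.utc)
    except ValueError:
        pass
    dt, pos = now, 0
    while pos < len(text):  # relative chain, applied left to right
        m = TOKEN.match(text, pos)
        if m is None:
            raise ValueError(f"bad time modifier {modifier!r}")
        if m.group("snap"):
            dt = _snap(dt, m.group("snap"), m.group("wday"))
        else:
            dt = _offset(dt, m.group("sign"), m.group("num"), m.group("unit"))
        pos = m.end()
    return dt


def time_range(earliest, latest=None, now=NOW):
    """Resolve an earliest/latest pair; a missing latest means now, as in SPL2."""
    start = resolve(earliest, now)
    end = now if latest is None else resolve(latest, now)
    if start > end:
        raise ValueError(f"earliest {earliest!r} is after latest {latest!r}")
    return start, end
```

With the constructed clock, time_range("-5m@m", "@m") returns 11:54:00 to 11:59:00, a window of exactly 300 seconds, while resolve("@h") returns 11:00:00 rather than 12:00:00, which is the snap-backwards behaviour described above. resolve("@w6") lands on the most recent Saturday, 19 October 2019, because the snap goes back to the named weekday instead of forward.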

For more information about time modifiers, see Time modifiers.

Next step

See Combining commands.

Last modified on 26 July, 2022

This documentation applies to the following versions of Splunk® Cloud Services: current
