Splunk® Enterprise

User Manual


Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.
This documentation does not apply to the most recent version of Splunk.

Change the time range to narrow your search

Time is crucial for determining what went wrong – you often know when. Looking at events that happened around the same time can help correlate results and find the root cause. Having an overly-broad time range wastes system resources and will produce more results than you can handle.

Adding a time range to your search is as simple as selecting it from a list of time ranges provided (for example, Last business week) or including the attributes in your search string (for example, earliest="-15m" starts your search fifteen minutes ago). This topic discusses how to add time to your search by:

  • Selecting it from the time range menu.
  • Adding attributes earliest and latest to your search.

Select time ranges to apply to your search

Use the time range picker dropdown to specify the time period you want to run your search. If you want to specify a custom date range, select Custom time... from the dropdown menu.

Then, select "Date" in the popup window. You can enter the date range manually or use the calendar pop-up.

For example, if you were interested in only events that occurred during the second business quarter, April through June, you might select the date range:

[Image: Pick custom time]

The time range menu indicates the date range that you selected. Notice also that the timeline only shows the selected date range:

[Image: Custom time results]

Note: If you are located in a different timezone from your server, time-based searches use the timestamp of the event from the server where it is indexed.

Customize the time ranges you can select

Splunk now ships with more built-in time ranges. Splunk administrators can also customize the set of time ranges that you view and select from the drop-down menu when you search. For more information about configuring these new time ranges, see the times.conf reference in the Admin Manual.

Specify absolute time ranges in your search

When searching or saving a search, you can specify time ranges using the following attributes:

earliest=<time_modifier> 
latest=<time_modifier>

For exact time ranges, the syntax of time_modifier is: %m/%d/%Y:%H:%M:%S. For example, to specify a time range from 12AM October 19, 2009 to 12AM October 27, 2009:

earliest=10/19/2009:0:0:0 latest=10/27/2009:0:0:0

If you specify only the "earliest" attribute, "latest" is set to the current time (now) by default. In general, you won't specify "latest" without an "earliest" time.

When you specify a time range in your search or saved search, it overrides the time range that is selected in the dropdown menu. However, the time range specified directly in the search string will not apply to subsearches (but the range selected from the dropdown will apply).


Specify relative time ranges in your search

You can also use the earliest and latest attributes to specify relative time ranges, using the syntax described below. You can specify these time ranges either in your search string or with the time range picker.

Syntax for relative time modifiers

You can define the relative time in your search with a string of characters that indicate time amount (integer and unit) and, optionally, a "snap to" time unit: [+|-]<time_integer><time_unit>@<time_unit>. Also, when specifying relative time, you can use now to refer to the current time.

1. Begin your string with a plus (+) or minus (-) to indicate the offset of the time amount.

2. Define your time amount with a number and a unit. When you specify single time amounts, the number is implied: 's' is the same as '1s', 'm' is the same as '1m', etc. The supported time units are:

  • second: s, sec, secs, second, seconds
  • minute: m, min, minute, minutes
  • hour: h, hr, hrs, hour, hours
  • day: d, day, days
  • week: w, week, weeks
  • month: mon, month, months
  • quarter: q, qtr, qtrs, quarter, quarters
  • year: y, yr, yrs, year, years

3. You can also specify a "snap to" time unit to indicate the nearest or latest time to which your time amount rounds down. To do this, separate the time amount from the "snap to" time unit with an "@" character.

You can define the relative time modifier as only a "snap to" time unit. For example, to "snap to" a specific day of the week, use @w0 for Sunday, @w1 for Monday, etc.

If you don't specify a "snap to" time unit, Splunk snaps automatically to the second.

Special time units

These abbreviations are reserved for special cases of time units and snap time offsets.

| Time unit | Description |
| --- | --- |
| 0 | When earliest=0 (and latest!=0), the start time of your search is UTC epoch 0. When earliest=0 and latest=now or latest=<a large number>, the search runs over all time. The difference is that latest=now (the default) does not return future events, whereas latest=<a large number> does. Future events are events whose timestamps are later than the current time, now. |
| now | The current time. |
| @q, @qtr, or @quarter | Snap to the beginning of the most recent quarter: Jan 1, Apr 1, July 1, or Oct 1. |
| w0, w1, w2, w3, w4, w5, and w6 | "Snap to" days of the week, where w0 is Sunday, w1 is Monday, etc. Snapping to a week, @w or @week, is equivalent to snapping to Sunday, @w0. |

More about snap-to-time

When snapping to the nearest or latest time, Splunk always snaps backwards or rounds down to the latest time not after the specified time. For example, if it is 11:59:00 and you "snap to" hours, you will snap to 11:00 not 12:00.

If you don't specify a time offset before the "snap to" amount, Splunk interprets the time as "current time snapped to" the specified amount. For example, if it is currently 11:59 PM on Friday and you use @w6 to "snap to Saturday", the resulting time is the previous Saturday at 12:01 AM.

Define custom relative time ranges

1. From the time range picker, select Custom time...

2. Select Relative from the Range Type options.

3. Enter an Earliest time value.

[Image: Custom relative time range]

Note: You can also use this window to see the Search language equivalent of your earliest time value and the Effective range that it translates to in Splunk.

Examples of relative time modifiers

For these examples, the current time is Wednesday, 05 February 2009, 01:37:05 PM. Also note that 24h is usually, but not always, equivalent to 1d because of Daylight Saving Time boundaries.

| Time modifier | Description | Resulting time | Equivalent modifiers |
| --- | --- | --- | --- |
| now | Now, the current time | Wednesday, 05 February 2009, 01:37:05 PM | now |
| -60m | 60 minutes ago | Wednesday, 05 February 2009, 12:37:05 PM | -60m@s |
| -1h@h | 1 hour ago, to the hour | Wednesday, 05 February 2009, 12:00:00 PM | |
| -1d@d | Yesterday | Tuesday, 04 February 2009, 12:00:00 AM | |
| -24h | 24 hours ago (yesterday) | Tuesday, 04 February 2009, 01:37:05 PM | -24h@s |
| -7d@d | 7 days ago, 1 week ago today | Wednesday, 28 January 2009, 12:00:00 AM | |
| -7d@m | 7 days ago, snap to minute boundary | Wednesday, 28 January 2009, 01:37:00 PM | |
| @w0 | Beginning of the current week | Sunday, 02 February 2009, 12:00:00 AM | |
| +1d@d | Tomorrow | Thursday, 06 February 2009, 12:00:00 AM | |
| +24h | 24 hours from now, tomorrow | Thursday, 06 February 2009, 01:37:05 PM | +24h@s |

Examples of chained relative time offsets

You can also specify offsets from the snap-to-time or "chain" together the time modifiers for more specific relative time definitions.

| Time modifier | Description | Resulting time |
| --- | --- | --- |
| @d-2h | Snap to the beginning of today (12AM) and subtract 2 hours from that time. | 10PM last night. |
| -mon@mon+7d | One month ago, snapped to the first of the month at midnight, and add 7 days. | The 8th of last month (at 12AM). |
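As an added example (not code from the Splunk documentation or product), the following Python script implements the relative time modifier grammar described in the sections above: signed offsets with implied 1, the unit aliases, "snap to" units including @w0..@w6 and @q, chaining such as -mon@mon+7d, and the default snap to the second. The Sunday-based week numbering, calendar-month arithmetic with day clamping, and rejection of unknown units with ValueError are my assumptions about the behaviour; the default clock is the page's example time of 05 February 2009, 01:37:05 PM.

```python
import re
from calendar import monthrange
from datetime import datetime, timedelta

ALIASES = {"second": "s sec secs second seconds", "minute": "m min minute minutes",
           "hour": "h hr hrs hour hours", "day": "d day days", "week": "w week weeks",
           "month": "mon month months", "quarter": "q qtr qtrs quarter quarters",
           "year": "y yr yrs year years"}           # the unit aliases listed on the page
UNIT = {a: u for u, names in ALIASES.items() for a in names.split()}   # alias -> unit
MONTHS = {"month": 1, "quarter": 3, "year": 12}     # calendar units, measured in months
FIELDS = ("microsecond", "second", "minute", "hour")  # zeroed cumulatively by @s, @m, @h, @d
ZERO = {u: dict.fromkeys(FIELDS[:i + 1], 0) for i, u in enumerate(("second", "minute", "hour", "day"))}
# One token: "now", an offset "[+|-]<n><unit>" (n defaults to 1), or a snap "@<unit>" / "@w<0-6>".
TOKEN = re.compile(r"(now)|([+-]?)(\d*)([a-z]+)|@([a-z]+)(\d?)")

def add_months(dt, n):
    """Shift dt by n calendar months, clamping the day to the target month's length (assumption)."""
    years, mo = divmod(dt.month - 1 + n, 12)
    y, mo = dt.year + years, mo + 1
    return dt.replace(year=y, month=mo, day=min(dt.day, monthrange(y, mo)[1]))

def snap(dt, unit, weekday=None):
    """Round dt DOWN (never forward) to the start of unit; weekday is 0=Sunday..6 for @w0..@w6."""
    if unit in ZERO:
        return dt.replace(**ZERO[unit])
    day = dt.replace(**ZERO["day"])
    if unit == "week":                              # @w and @week mean Sunday, i.e. @w0
        splunk_dow = (day.weekday() + 1) % 7        # Python: Monday=0; Splunk: Sunday=0
        return day - timedelta(days=(splunk_dow - (weekday or 0)) % 7)
    if unit == "quarter":
        return day.replace(month=(day.month - 1) // 3 * 3 + 1, day=1)
    return day.replace(month=1 if unit == "year" else day.month, day=1)

def resolve(modifier, now="2009-02-05T13:37:05"):
    """Evaluate a chained modifier left to right from now (ISO-8601); return ISO-8601."""
    if not re.fullmatch("(?:%s)+" % TOKEN.pattern, modifier):
        raise ValueError("unparsable time modifier: %r" % modifier)
    dt = now = datetime.fromisoformat(now)
    for is_now, sign, count, unit, snap_unit, dow in TOKEN.findall(modifier):
        u = UNIT.get(snap_unit or unit)
        if not is_now and (u is None or (dow and (u != "week" or int(dow) > 6))):
            raise ValueError("bad time unit in %r" % modifier)
        if is_now:                                  # "now" resets to the current time
            dt = now
        elif snap_unit:
            dt = snap(dt, u, int(dow) if dow else None)
        else:                                       # a bare unit means 1: "-mon" == "-1mon"
            n = int(count or 1) * (-1 if sign == "-" else 1)
            dt = add_months(dt, n * MONTHS[u]) if u in MONTHS else dt + timedelta(**{u + "s": n})
    return (dt if "@" in modifier else snap(dt, "second")).isoformat()   # default snap: second
```

Running the earliest and latest strings of a saved search through resolve() before scheduling it is a cheap way to confirm the window is as narrow as intended, which is the resource concern raised at the top of this topic.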

Examples of searches with relative time modifiers

Example 1: Web access errors from the beginning of the week to the current time of your search (now).

eventtype=webaccess error earliest=@w0

This search returns matching events starting from 12:00 AM of the Sunday of the current week to the current time. Of course, this means that if you run this search on Monday at noon, you will only see events for 36 hours of data.


Example 2: Web access errors from the current business week (Monday to Friday).

eventtype=webaccess error earliest=@w1 latest=+7d@w6

This search returns matching events starting from 12:00 AM of the Monday of the current week and ending at 11:59 PM of the Friday of the current week.

If you run this search on Monday at noon, you will only see events for 12 hours of data. If, however, you run this search on Friday, you will see events from the beginning of the week to the current time on Friday. The timeline, however, will display the full business week.


Example 3: Web access errors from the last full business week.

eventtype=webaccess error earliest=-7d@w1 latest=@w6

This search returns matching events starting from 12:00 AM of last Monday and ending at 11:59 PM of last Friday.


This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7