Change the time range
This topic shows you how to narrow the scope of your investigative searching over any past time range. If you have some knowledge about when an event occurred, use it to target your search to that time period for faster results.
It's your second day of work with the Customer Support team for the online Flower & Gift shop. You just got to your desk. Before you make yourself a cappuccino, you decide to run a quick search to see if there were any recent issues you should be aware of.
1. Return to the Search dashboard and type in the following search over all time:
error OR failed OR severe OR (sourcetype=access_* (404 OR 500 OR 503))
This search uses parentheses to group expressions into a more complicated search. Splunk evaluates a Boolean expression in this order: the innermost parentheses first, working outward, then NOT clauses, then OR clauses, and finally AND clauses, including the implicit AND between adjacent terms. The operators must be uppercase; a lowercase "or" is treated as an ordinary search term. In this search the inner parentheses keep the HTTP status codes together and the outer parentheses tie them to the access_* source type, so the status codes match only in Web access events.
Also, this search uses the wildcarded shortcut, "access_*", to match the Web access logs. If you have different source types for your Apache server logs, such as
This searches for general errors across all of your indexed event data, which for the tutorial's sample data is about a week's worth. Instead of matching just one type of log, it searches all the logs in your index: it matches any occurrence of the words "error", "failed", or "severe", and, for events from a Web access log, it also matches the HTTP status codes 404, 500, or 503.
This search returns a significant number of errors. You're not interested in what happened over All time, even if that is only a week of sample data. You just got into work, so you want to know about more recent activity, such as overnight or the last hour. But, because of the limitations of this dataset, let's look at yesterday's errors.
2. Drop down the time range picker and change the time range to Other > Yesterday.
Out of the box, Splunk searches across all of your data; that is, the default time range for a search is All time. If you have a lot of data, searching over All time when you are investigating an event that occurred 15 minutes ago, last night, or the previous week just means that Splunk takes a long time to retrieve the results you want to see.
3. Selecting a time range from this list automatically runs the search for you. If it doesn't, just hit Enter.
This search returns events for general errors across all your logs, not just Web access logs. (If your sample data file is more than a day old, you can still get these results by selecting Custom time and entering the last date for which you have data.) Scroll through the search results. There are more MySQL database errors and some 404 errors. You ask the intern to get you a cup of coffee while you contact the Web team about the 404 errors and the IT Operations team about the recurring server errors.
Splunk also provides options to define a custom time range to search, or to run a real-time search over the continuous stream of incoming events. You can also set the time range inside the search string with the earliest and latest time modifiers; earliest=-1d@d latest=@d is the same range as the Yesterday option in the time range picker.
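The Boolean precedence rules and the Yesterday time range described above, as an added example that is not Splunk's own code: a small Python evaluator that parses the tutorial's search with Splunk's precedence (parentheses, then NOT, then OR, then AND), resolves relative time modifiers such as -1d@d and @d, and applies both to a handful of constructed sample events. The sample events, the fixed "now" of 2012-05-12 08:30, and the function names are assumptions made for the example; real Splunk tokenizes and matches terms somewhat differently, so treat this as an illustration of the rules, not a drop-in replacement.

```python
"""Added example, not Splunk code: a toy evaluator for the tutorial's search that
applies Splunk's Boolean precedence and a Yesterday time range to sample events."""
import re
from datetime import datetime, timedelta

TUTORIAL_QUERY = "error OR failed OR severe OR (sourcetype=access_* (404 OR 500 OR 503))"
NOW = datetime(2012, 5, 12, 8, 30)  # fixed "now" for a deterministic run (assumption)

# Constructed sample events (not real Flower & Gift shop data), in time order.
SAMPLE_EVENTS = [
    {"_time": datetime(2012, 5, 10, 23, 59), "sourcetype": "access_combined",
     "_raw": '10.1.1.5 - - [10/May/2012:23:59:01] "GET /cart HTTP/1.1" 500 112'},
    {"_time": datetime(2012, 5, 11, 1, 15), "sourcetype": "mysqld",
     "_raw": "120511  1:15:02 [ERROR] Too many connections"},
    {"_time": datetime(2012, 5, 11, 9, 40), "sourcetype": "access_combined",
     "_raw": '10.1.1.7 - - [11/May/2012:09:40:12] "GET /flowers/roses HTTP/1.1" 404 0'},
    {"_time": datetime(2012, 5, 11, 12, 0), "sourcetype": "syslog",  # a 404 outside access_*
     "_raw": "May 11 12:00:03 web02 app[404]: worker started"},
    {"_time": datetime(2012, 5, 11, 22, 5), "sourcetype": "secure",
     "_raw": "May 11 22:05:17 web01 sshd[4412]: Failed password for invalid user admin"},
    {"_time": datetime(2012, 5, 12, 0, 0), "sourcetype": "access_combined",  # midnight today
     "_raw": '10.1.1.9 - - [12/May/2012:00:00:00] "GET /checkout HTTP/1.1" 503 0'},
]

def parse(query):
    """Parse a search into a tuple tree using Splunk's precedence: parentheses first,
    then NOT, then OR, then AND (explicit, or implicit between adjacent terms).
    Operators must be uppercase; a lowercase 'or' is just another search term."""
    toks = re.findall(r"\(|\)|[^\s()]+", query)
    pos = 0

    def peek():
        return toks[pos] if pos < len(toks) else None
    def take():
        nonlocal pos
        tok, pos = peek(), pos + 1
        return tok
    def and_expr():
        node = or_expr()
        while peek() not in (None, ")"):
            if peek() == "AND":
                take()
            node = ("AND", node, or_expr())
        return node
    def or_expr():
        node = not_expr()
        while peek() == "OR":
            take()
            node = ("OR", node, not_expr())
        return node
    def not_expr():
        if peek() == "NOT":
            take()
            return ("NOT", not_expr())
        tok = take()
        if tok in (None, ")", "OR", "AND"):
            raise ValueError("expected a search term, got %r" % tok)
        if tok != "(":
            return ("TERM", tok)
        node = and_expr()
        if take() != ")":
            raise ValueError("missing closing parenthesis")
        return node

    tree = and_expr()
    if peek() is not None:
        raise ValueError("unexpected %r" % peek())
    return tree

def _match_term(term, event):
    """field=value compares that field (wildcard *); a bare term is a case-insensitive token match on _raw."""
    if "=" in term:
        field, pattern = term.split("=", 1)
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        return re.fullmatch(regex, str(event.get(field, "")), re.IGNORECASE) is not None
    return re.search(r"(?<!\w)%s(?!\w)" % re.escape(term), event["_raw"], re.IGNORECASE) is not None

def evaluate(tree, event):
    kind, args = tree[0], tree[1:]
    if kind == "TERM":
        return _match_term(args[0], event)
    if kind == "NOT":
        return not evaluate(args[0], event)
    combine = all if kind == "AND" else any
    return combine(evaluate(sub, event) for sub in args)

_UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}
_PARTS = ("microsecond", "second", "minute", "hour")  # zeroed cumulatively when snapping

def relative_time(now, spec):
    """Resolve 'now', '-15m', '@d' or '-1d@d': apply the offset, then snap down to the
    start of the @ unit. The time picker's Yesterday is earliest=-1d@d latest=@d."""
    m = re.fullmatch(r"(?:([+-]\d+)([smhd]))?(?:@([smhd]))?", "" if spec == "now" else spec)
    if not m:
        raise ValueError("bad time modifier %r" % spec)
    offset, unit, snap = m.groups()
    t = now + timedelta(**{_UNITS[unit]: int(offset)}) if offset else now
    return t.replace(**{p: 0 for p in _PARTS[:"smhd".index(snap) + 1]}) if snap else t

def search(events, query, now=NOW, earliest="-1d@d", latest="@d"):
    """Time range first (earliest inclusive, latest exclusive, as in Splunk), then the
    Boolean expression. None for earliest or latest means unbounded, i.e. All time."""
    start = relative_time(now, earliest) if earliest else None
    end = relative_time(now, latest) if latest else None
    tree = parse(query)
    return [e for e in events if (start is None or start <= e["_time"])
            and (end is None or e["_time"] < end) and evaluate(tree, e)]
```

With the defaults, search(SAMPLE_EVENTS, TUTORIAL_QUERY) returns only yesterday's MySQL error, the 404 from the Web access log, and the failed SSH login; the syslog line containing "404" is dropped because the parentheses bind the status codes to sourcetype=access_*, and the 503 logged at exactly midnight is dropped because latest=@d is exclusive. Passing earliest=None, latest=None reproduces the All time search, which also picks up the 500 from the night before.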
Up to now, you've run simple searches that matched the raw text in your events. You've only scratched the surface of what you can do in Splunk. When you're ready to proceed, go on to the next topic to learn about fields and how to search with fields.
This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7