Splunk® Enterprise

User Manual


Splunk version 4.x reached its End of Life on October 1, 2013. Please see the migration information.

Change the time range

This topic assumes that you're familiar with running ad hoc searches and using the timeline. If you're not sure, review the previous topics on searching and using the timeline.

This topic shows you how to narrow the scope of your investigative searching over any past time range. If you have some knowledge about when an event occurred, use it to target your search to that time period for faster results.

It's your second day of work with the Customer Support team for the online Flower & Gift shop. You just got to your desk. Before you make yourself a cappuccino, you decide to run a quick search to see if there were any recent issues you should be aware of.

1. Return to the Search dashboard and type in the following search over all time:

error OR failed OR severe OR (sourcetype=access_* (404 OR 500 OR 503))

This search uses parentheses to group expressions together for more complicated searches. When evaluating Boolean expressions, Splunk performs the operations within the innermost parentheses first, followed by the next pair out. When all operations within parentheses are complete, Splunk evaluates OR clauses, then AND or NOT clauses.

Also, this search uses the wildcarded shortcut, "access_*", to match the Web access logs. If you have different source types for your Apache server logs, such as access_common and access_combined, this will match them all.

This searches for general errors in your event data over the course of the last week. Instead of matching just one type of log, this searches across all the logs in your index. It matches any occurrence of the words "error", "failed", or "severe" in your event data. Additionally, if the log is a Web access log, it looks for HTTP error codes, "404", "500", or "503".
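To make the precedence rules concrete, here is a small Python matcher, added as an illustration and not part of the Splunk documentation or product, that parses a search string the way the paragraphs above describe (parentheses first, then OR, then implicit AND and NOT) and runs it over a handful of constructed events. The event records, the whole-word matching rule for bare terms and the use of fnmatch for the `access_*` wildcard are assumptions of this example, not Splunk's real search engine.

```python
import re
from fnmatch import fnmatch

EVENTS = [  # constructed sample events standing in for the tutorial's data file
    {"sourcetype": "access_combined", "_raw": "GET /flower/rose.html 200 512"},
    {"sourcetype": "access_common", "_raw": "GET /checkout 500 0"},
    {"sourcetype": "mysqld", "_raw": "ERROR 1040: Too many connections"},
    {"sourcetype": "mysqld", "_raw": "slow query took 503 ms"},  # a 503, but not in an access log
]

def parse(search):
    """Build a tree with the tutorial's precedence: parentheses, then OR, then AND/NOT."""
    toks = [t for t in re.findall(r"\(|\)|[^\s()]+", search) if t != "AND"]  # AND is implicit
    peek = lambda: toks[0] if toks else None
    def and_expr():  # or_expr or_expr ...  -- juxtaposition is AND, the lowest precedence
        parts = [or_expr()]
        while peek() not in (None, ")"):
            parts.append(or_expr())
        return ("and", parts)
    def or_expr():  # unary ("OR" unary)*  -- OR binds tighter than AND
        parts = [unary()]
        while peek() == "OR":
            toks.pop(0)
            parts.append(unary())
        return ("or", parts)
    def unary():  # "NOT" unary | "(" and_expr ")" | term
        tok = toks.pop(0)
        if tok == "NOT":
            return ("not", unary())
        if tok == "(":
            node = and_expr()
            if not toks or toks.pop(0) != ")":
                raise ValueError("unbalanced parentheses")
            return node
        return ("term", tok)
    return and_expr()

def matches(node, event):
    kind, val = node
    if kind == "and":
        return all(matches(n, event) for n in val)
    if kind == "or":
        return any(matches(n, event) for n in val)
    if kind == "not":
        return not matches(val, event)
    if "=" in val:  # field=pattern; '*' is a wildcard, so sourcetype=access_* covers every access_ source type
        field, pattern = val.split("=", 1)
        return fnmatch(str(event.get(field, "")).lower(), pattern.lower())
    return val.lower() in re.findall(r"\w+", event["_raw"].lower())  # bare term: whole word, case-insensitive

def search(query, events=EVENTS):
    tree = parse(query)
    return [e["_raw"] for e in events if matches(tree, e)]
```

Running the tutorial's search returns the access log with a 500 and the MySQL error, but not the MySQL line that merely contains "503", because the HTTP codes are only tested inside the `sourcetype=access_*` group.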

[Screenshot: Time range ORs 4.3.png]

This search returns a significant number of errors. You're not interested in knowing what happened over All time, even if it's just the course of a week. You just got into work, so you want to know about more recent activity, such as overnight or the last hour. But, because of the limitations of this dataset, let's look at yesterday's errors.

2. Drop down the time range picker and change the time range to Other > Yesterday.

[Screenshot: Yesterday dropdown 4.3.png]

Out of the box, Splunk searches across all of your data; that is, the default time range for a search is "All time". If you have a lot of data, searching over this time range when you're investigating an event that occurred 15 minutes ago, last night, or the previous week just means that Splunk will take a long time to retrieve the results that you want to see.

3. Selecting a time range from this list automatically runs the search for you. If it doesn't, just hit Enter.

[Screenshot: Annotated time range 4.3.png]

This search returns events for general errors across all your logs, not just Web access logs. (If your sample data file is more than a day old, you can still get these results by selecting Custom time and entering the last date for which you have data.) Scroll through the search results. There are more MySQL database errors and some 404 errors. You ask the intern to get you a cup of coffee while you contact the Web team about the 404 errors and the IT Operations team about the recurring server errors.

Splunk also provides options for users to define a custom time range to search, or to search a continuous stream of incoming events.
  • Real-time enables searching forward in time against a continuous stream of live incoming event data. Because the sample data is a one-time upload, running a real-time search will not give us any results right now. We will explore this option later. For more information about real-time searches and how to run them, read "Search and report in real-time" in the User Manual.
  • Custom time... pops up a new window and enables you to define your own time ranges based on specific dates, relative dates, real-time windows, or using the search language. For more information about how to define custom time ranges, read "Change the time range of your search" in the User Manual.

Up to now, you've run simple searches that matched the raw text in your events. You've only scratched the surface of what you can do in Splunk. When you're ready to proceed, go on to the next topic to learn about fields and how to search with fields.


This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7


Comments

Setting the time range to "Yesterday" only netted me web server logs, not a mix of Apache & MySQL logs. In my eastern Australian timezone (UTC+10) it's 30 August, 17:30. The youngest MySQL event is from 27 August, 15:34. I have to reach back 74 hours (with snapping) to see it.

PeterThomas
August 30, 2012
