Splunk® Enterprise

Search Reference

Splunk version 4.x reached its End of Life on October 1, 2013.
This documentation does not apply to the most recent version of Splunk.

Time modifiers for search

You can use time modifiers to customize the time range of a search by specifying a time to start or stop, or change the format of the timestamps in the search results.

List of time modifiers

We recommend using the earliest and/or latest modifiers to specify custom and relative time ranges. Also, when specifying relative time, you can use now to refer to the current time.

Modifier | Syntax | Description
earliest | earliest=[+|-]<time_integer><time_unit>@<time_unit> | Specify the earliest time for the time range of your search.
latest | latest=[+|-]<time_integer><time_unit>@<time_unit> | Specify the latest time for the time range of your search.
now | now | Refers to the current time.

For more information about customizing your search window, see "Search and report in real time" in the User manual.

How to specify relative time modifiers

You can define the relative time in your search with a string of characters that indicate time amount (integer and unit) and, optionally, a "snap to" time unit: [+|-]<time_integer><time_unit>@<time_unit>.

1. Begin your string with a plus (+) or minus (-) to indicate the offset from the current time.

2. Define your time amount with a number and a unit; the supported time units are:

  • second: s, sec, secs, second, seconds
  • minute: m, min, minute, minutes
  • hour: h, hr, hrs, hour, hours
  • day: d, day, days
  • week: w, week, weeks
  • days of the week: w0 (Sunday), w1, w2, w3, w4, w5 and w6 (Saturday)
  • month: mon, month, months
  • quarter: q, qtr, qtrs, quarter, quarters
  • year: y, yr, yrs, year, years

Note: For Sunday, you can specify either w0 or w7.

For example, to start your search an hour ago, use either

earliest=-h

or,

earliest=-60m

When specifying single time amounts, the number one is implied; 's' is the same as '1s', 'm' is the same as '1m', 'h' is the same as '1h', etc.

3. If you want, specify a "snap to" time unit; this indicates the nearest or latest time to which your time amount rounds down. Separate the time amount from the "snap to" time unit with an "@" character.

  • You can use any of the time units listed in Step 2. For example, @w, @week, and @w0 all snap to Sunday; @month snaps to the beginning of the month; and @q, @qtr, or @quarter snaps to the beginning of the most recent quarter (Jan 1, Apr 1, Jul 1, or Oct 1).
  • You can also specify offsets from the snap-to time, or "chain" together the time modifiers for more specific relative time definitions. For example, @d-2h snaps to the beginning of today (12 AM) and then subtracts 2 hours from that time.
  • When snapping to the nearest or latest time, Splunk always snaps backwards or rounds down to the latest time not after the specified time. For example, if it is 11:59:00 and you "snap to" hours, you will snap to 11:00 not 12:00.
  • If you don't specify a time offset before the "snap to" amount, Splunk interprets the time as "current time snapped to" the specified amount. For example, if it is currently 11:59 PM on Friday and you use @w6 to "snap to Saturday", the resulting time is the previous Saturday at 12:01 AM.

Example 1: To search events from the beginning of the current week:

earliest=@w0

Example 2: To search events from the last full business week:

earliest=-7d@w1 latest=@w6

Example 3: To search with an exact date as a boundary, such as from November 5th at 8 PM to November 12th at 8 PM, use the timeformat %m/%d/%Y:%H:%M:%S:

earliest="11/5/2012:20:00:00" latest="11/12/2012:20:00:00"
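As an added example (Python written for this page, not Splunk's own code), the evaluator below resolves a relative time modifier string against a fixed reference time by following Steps 1 to 3 above: an implied amount of 1 for bare units, calendar-aware month, quarter and year offsets, and snap-to units that always round down with Sunday as w0. It is handy for checking which window a scheduled search's earliest/latest values really cover before relying on that search for alerting; the function names and the Sunday-first week are assumptions of this example.

```python
# Evaluator for the relative time modifier syntax described on this page,
# [+|-]<time_integer><time_unit>@<time_unit>, including chained forms such as
# "-7d@w1" and "@d-2h". Added example; this is not Splunk's own code.
import re
from datetime import datetime, timedelta

UNITS = {a: n for n, aliases in [("second", "s sec secs second seconds"),
    ("minute", "m min minute minutes"), ("hour", "h hr hrs hour hours"), ("day", "d day days"),
    ("week", "w week weeks"), ("month", "mon month months"), ("year", "y yr yrs year years"),
    ("quarter", "q qtr qtrs quarter quarters")] for a in aliases.split()}
MONTHS = {"month": 1, "quarter": 3, "year": 12}             # calendar units, measured in months
TOKEN = re.compile(r"(?:(@)|([+-]?)(\d*))(w[0-7]|[a-z]+)")   # w0..w7 are weekday snap targets

def _shift_months(dt, n):                 # n calendar months; day clamped to the month's length
    total = dt.month - 1 + n
    year, month = dt.year + total // 12, total % 12 + 1
    last = (datetime(year + month // 12, month % 12 + 1, 1) - timedelta(days=1)).day
    return dt.replace(year=year, month=month, day=min(dt.day, last))

def _snap(dt, unit):                      # round down, never forward, to the start of unit
    if unit[1:].isdigit():                # @w0..@w7: back to that weekday; Splunk's Sunday is w0 (or w7)
        back = ((dt.weekday() + 1) % 7 - int(unit[1:]) % 7) % 7
        return (dt - timedelta(days=back)).replace(hour=0, minute=0, second=0, microsecond=0)
    name = UNITS[unit]
    if name == "week":                    # @w is the start of the week, i.e. Sunday
        return _snap(dt, "w0")
    order = ["second", "minute", "hour", "day", "month", "quarter", "year"]
    zero = [("microsecond", 0), ("second", 0), ("minute", 0), ("hour", 0), ("day", 1),
            ("month", (dt.month - 1) // 3 * 3 + 1), ("month", 1)]
    return dt.replace(**dict(zero[:order.index(name) + 1]))

def _offset(dt, sign, amount, unit):      # a bare unit means 1, so "-h" equals "-1h"
    name, n = UNITS[unit], -amount if sign == "-" else amount
    if name in MONTHS:
        return _shift_months(dt, n * MONTHS[name])
    return dt + timedelta(**{name + "s": n})

def relative_time(modifier, now):
    """Resolve a modifier such as "-7d@w1", "@d-2h" or "now" against the reference time now."""
    rest = modifier[3:] if modifier.startswith("now") else modifier   # "now" is the reference point
    if not re.fullmatch("(?:%s)*" % TOKEN.pattern, rest):
        raise ValueError("invalid time modifier: %r" % modifier)
    dt = now
    try:
        for at, sign, digits, unit in TOKEN.findall(rest):
            dt = _snap(dt, unit) if at else _offset(dt, sign, int(digits or 1), unit)
    except KeyError:                      # unknown unit, or a weekday (w0..w7) used as an offset
        raise ValueError("invalid time modifier: %r" % modifier) from None
    return dt
```

With a reference time of Friday 2012-11-16 23:59, "-7d@w1" resolves to Monday 2012-11-05 00:00 and "@w6" to Saturday 2012-11-10 00:00, the "last full business week" of Example 2.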

More time modifiers

These search time modifiers are still valid, but they may be removed and their function no longer supported in a future release.

Modifier | Syntax | Description
daysago | daysago=<int> | Search events within the last integer number of days.
enddaysago | enddaysago=<int> | Set an end time for an integer number of days before now.
endhoursago | endhoursago=<int> | Set an end time for an integer number of hours before now.
endminutesago | endminutesago=<int> | Set an end time for an integer number of minutes before now.
endmonthsago | endmonthsago=<int> | Set an end time for an integer number of months before now.
endtime | endtime=<string> | Search for events before the specified time (exclusive of the specified time). Use timeformat to specify how the timestamp is formatted.
endtimeu | endtimeu=<int> | Search for events before the specified epoch time (Unix time).
hoursago | hoursago=<int> | Search events within the last integer number of hours.
minutesago | minutesago=<int> | Search events within the last integer number of minutes.
monthsago | monthsago=<int> | Search events within the last integer number of months.
searchtimespandays | searchtimespandays=<int> | Search within a specified range of days (expressed as an integer).
searchtimespanhours | searchtimespanhours=<int> | Search within a specified range of hours (expressed as an integer).
searchtimespanminutes | searchtimespanminutes=<int> | Search within a specified range of minutes (expressed as an integer).
searchtimespanmonths | searchtimespanmonths=<int> | Search within a specified range of months (expressed as an integer).
startdaysago | startdaysago=<int> | Search the specified number of days before the present time.
starthoursago | starthoursago=<int> | Search the specified number of hours before the present time.
startminutesago | startminutesago=<int> | Search the specified number of minutes before the present time.
startmonthsago | startmonthsago=<int> | Search the specified number of months before the present time.
starttime | starttime=<timestamp> | Search from the specified date and time to the present (inclusive of the specified time).
starttimeu | starttimeu=<int> | Search from the specified epoch time (Unix time) to the present.
timeformat | timeformat=<string> | Set the timeformat for the starttime and endtime modifiers. By default: timeformat=%m/%d/%Y:%H:%M:%S

This documentation applies to the following versions of Splunk® Enterprise: 4.3, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7


Comments

Example: To search with an exact date as boundary, use the timeformat: %m/%d/%Y:%H:%M:%S
Example: from November 5th at 8pm to November 12th at 8pm
earliest="5/11/2012:20:00:00" latest="12/11/2012:20:00:00"

Ykherian, Splunker
November 29, 2012

Mileserickson: There is a slight difference. The days/hours/minutes/monthsago modifiers specify the time range up to the present time of the search, rounding the end time to the last second, so that the time is an integer. The start*ago modifiers also specify the time range to the present time of the search, but it does not round to the second. I hope this helps!

Sophy
October 8, 2010

kindlund: thank you. it was a misspelling. fixed!

Sophy
October 8, 2010

Is there any difference at all between "minutesago=10" and "startminutesago=10"? The article doesn't explain.

Mileserickson
September 13, 2010

thanks! fixed.

Rachel
July 8, 2010

"startimeeu" in the first column is misspelled, I think.

Kindlund
July 7, 2010
