Splunk® Enterprise

Search Manual

Download manual as PDF

Splunk Enterprise version 5.0 reached its End of Life on December 1, 2017. Please see the migration information.
This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

Select time ranges to apply to your search

Use the time range picker to set time boundaries on your searches. You can restrict the search to Preset time ranges, custom Relative time ranges, and custom Real-time time ranges. You can also specify a Date Range, a Date & Time Range, and use

Define custom time ranges

If you want to specify a custom date range, select Custom time... from the dropdown menu.

Then, select "Date" in the popup window. You can enter the date range manually or use the calendar pop-up.

For example, if you were interested in only events that occurred during the second business quarter, April through June, you might select the date range:


Pick custom time.png


The time range menu indicates the date range that you selected. Notice also that the timeline only shows the selected date range:


Custom time results.png


Note: If you are located in a different timezone from your server, time-based searches use the timestamp of the event from the server where it is indexed.

Define custom relative time ranges

1. From the time range picker, select Custom time...

2. Select Relative from the Range Type options.

3. Enter an Earliest time value.

Custom relative time range.png

Note: You can also use this window to see the Search language equivalent of your earliest time value and the Effective range that it translates to in Splunk.

Customize the time ranges you can select

Splunk now ships with more built-in time ranges. Splunk administrators can also customize the set of time ranges that you view and select from the drop down menu when you search. For more information about configuring these new time ranges, see the times.conf reference in the Admin Manual.

PREVIOUS
About time ranges in search
  NEXT
Specify time modifiers in your search

This documentation applies to the following versions of Splunk® Enterprise: 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18


Comments

Oops. I originally missed this. link is here: http://docs.splunk.com/Documentation/Splunk/5.0.4/SearchReference/SearchTimeModifiers

Mikedavies
September 17, 2013

It would be great if functionaility to set the timeranges to search could be added to search bar somehow. <br /><br />I do a lot of analysis in splunk, across different times and datasets. I make spreadsheets of features which have some of the splunk searches written in columns. Often the feature of the data I am looking at occurs at a certain time, and it can be a pain to have to manually alter the time in that little menu when i have it already in a text format.

Mikedavies
September 17, 2013

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters