Select time ranges to apply to your search

Use the time range picker to set time boundaries on your searches. You can restrict the search to Preset time ranges, custom Relative time ranges, and custom Real-time time ranges. You can also specify a Date Range, a Date & Time Range, and use more advanced options for specifying the time ranges for a search.

Note: If you are located in a different timezone, time-based searches use the timestamp of the event from the instance that indexed the data.

Select from a list of Preset time ranges

Out of the box, the time range picker includes many time ranges options that are already defined in the configuration file, times.conf. You can select from a list of Real-time windows, Relative time ranges, and search over All Time.

Define custom Relative time ranges

The custom Relative time range option enables you to specify a time range for your search relative to Now or "Beginning of the current second".

The preview box below the text field will update to the time range you're setting.

Read more about Relative time ranges in the next topic, "Specify time modifiers in your search".

Define custom Real-time time ranges

The custom Real-time option enables you to specify the start time for your real-time time range window.

Read more about real-time time ranges in the topic "Specify real-time time range windows in your search".

Define custom Date ranges

Use the custom Date Range option to specify calendar dates in your search. You can choose among options to return events: Between a beginning and end date, Before a date, and Since a date.

For these fields, you can type the date into the text box or select the date from a calendar:

Define custom Date & Time ranges

Use the custom Date & Time Range option to specify calendar dates and times for the beginning and ending of your search.

You can type the date into the text box or select the date from a calendar.

Use Advanced time range options

Use the Advanced option to specify the earliest and latest search times. You can write the times in Unix (epoch) time or relative time notation. The epoch time value you enter is converted to local time. This timestamp is displayed under the text field so that you can verify your entry.

Customize the time ranges you can select

Splunk now ships with more built-in time ranges. Splunk administrators can also customize the set of time ranges that you view and select from the drop down menu when you search. For more information about configuring these new time ranges, see the times.conf reference in the Admin Manual.

Change the default selected time range

If you want the time range picker to read something other than "All time" by default, you can change this to another time range. It can be set for a specific user, by setting that user's ui-prefs, or for an entire app. To do this, edit or create the ui-prefs.conf to specify a new default time range.

The following example changes the default time range from All Time to Today within the Search app.

[search]
dispatch.earliest_time = @d
dispatch.latest_time = now

If you want to change this default for another view, the stanza name needs to match the dashboard ID for that view. These parameter values are defined using relative time modifiers, which you can read more about in the topic "Specify time modifiers in your search".

You would create this in $SPLUNK_HOME/etc/apps/search/local/ui-prefs.conf if you wanted to add it to the search app, only. If you want to specify the global default, add these paramters to $SPLUNK_HOME/etc/system/local/ui-prefs.conf. For more information, refer to the ui-prefs.conf reference in the Admin Manual.