Splunk® Enterprise

Search Tutorial

This documentation does not apply to the most recent version of Splunk.

About the time range picker

The time range picker lets you set time boundaries on your searches. You can restrict the search to Preset time ranges, custom Relative time ranges, and custom Real-time ranges, or you can specify a Date Range or a Date & Time Range.

For this tutorial, you will select from the time range Presets and define custom Relative time ranges.

Time range presets

The time range picker Presets are a set of time ranges that are defined in Splunk Enterprise out-of-the-box.

By default, the time range for a search is set to All time. Usually, when you run a search over large volumes of data, you see faster results if you run the search over a smaller time period. To change the default time range for your searches, see "Change the default selected time range" in the Search manual.

When troubleshooting an issue where you know the ballpark range for when the issue occurred, narrow the time range of the search to that time period. For example, if you are investigating an incident that occurred yesterday, you select Yesterday or Last 24 hours. If you're investigating an incident that occurred 10 minutes ago, you select Last 15 minutes or Last 60 minutes.

Custom time ranges

If one of the Presets is not what you want, you can define a custom time range, such as a Relative time range or a Date & Time Range.

If you are interested in events in the last two hours, you can specify it with the Relative time range option.

For example, you can specify the earliest time to read "2 Hours Ago" and latest time to be either "now" or "Beginning of the current hour".
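
What the two "latest" choices mean for an incident search, as an added example in Python (not Splunk code and not part of the original tutorial): it resolves Splunk-style relative time modifiers (`-2h`, `now`, `@h` for "Beginning of the current hour") against a fixed clock and filters constructed events. The names `resolve` and `in_range`, the sample events, and the inclusive-earliest, exclusive-latest boundary rule are assumptions of this example.

```python
from datetime import datetime, timedelta

UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}
# Fields reset to zero when snapping to the start of a unit.
SNAP = {
    "m": {"second": 0, "microsecond": 0},
    "h": {"minute": 0, "second": 0, "microsecond": 0},
    "d": {"hour": 0, "minute": 0, "second": 0, "microsecond": 0},
}

def resolve(modifier, now):
    """Turn 'now', '-2h', '@h' or '-2h@h' into an absolute datetime."""
    if modifier == "now":
        return now
    offset, _, snap = modifier.partition("@")
    t = now
    try:
        if offset:  # e.g. "-2h": move two hours back from now
            t += timedelta(**{UNITS[offset[-1]]: int(offset[:-1])})
        if snap:    # e.g. "h": snap back to the beginning of that hour
            t = t.replace(**SNAP[snap])
    except (KeyError, ValueError, IndexError):
        raise ValueError(f"unsupported time modifier: {modifier!r}")
    return t

def in_range(events, earliest, latest, now):
    """Events with earliest <= time < latest (assumed boundary rule)."""
    lo, hi = resolve(earliest, now), resolve(latest, now)
    return [label for ts, label in events if lo <= ts < hi]

# Constructed sample data: the search is run at 20:47:30 on 2013-09-30.
NOW = datetime(2013, 9, 30, 20, 47, 30)
EVENTS = [
    (datetime(2013, 9, 30, 18, 30, 0), "too old"),
    (datetime(2013, 9, 30, 18, 50, 0), "failed login"),
    (datetime(2013, 9, 30, 19, 59, 59), "account locked"),
    (datetime(2013, 9, 30, 20, 0, 0), "password reset"),
    (datetime(2013, 9, 30, 20, 42, 10), "new admin session"),
]

if __name__ == "__main__":
    # "2 Hours Ago" to "now" keeps everything since 18:47:30.
    print(in_range(EVENTS, "-2h", "now", NOW))
    # "2 Hours Ago" to "Beginning of the current hour" stops before 20:00:00,
    # so the most recent activity is left out of the results.
    print(in_range(EVENTS, "-2h", "@h", NOW))
```

With "Beginning of the current hour" as the latest time, events from the partial current hour are excluded, which matters when the activity under investigation is still in progress.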

You can narrow the time range more precisely when you specify a Date & Time Range.

For example, if you are interested in events that occurred on September 30th at 8:42 PM, you can specify the earliest time to be 09/30/2013 08:40:00.000 and the latest time to be 09/30/2013 08:45:00.000.

Next steps

Continue reading to learn about search actions and search modes.

This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1.13, 6.1.14


Comments

YogB, you might want to try the tail command:

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Tail

You can specify the last N number of results to return (defaults to 10).

Sophy
January 15, 2014

How can I find the last result with a search command and not with the time picker?
Let's say if I am running a search on "All Time" and I want the last result to be shown in the statistic tab.

Yogb
January 15, 2014

Hi, JimDeich. The instructions are in the Search Manual: http://docs.splunk.com/Documentation/Splunk/6.0/Search/Selecttimerangestoapply#Change_the_default_selected_time_range. I have added the link to this topic as well.

Cgales splunk
December 4, 2013

"By default, the time range for a search is set to 'All time'".

Yes it is. I think this is a bad selection and may have caused our indexing to crash. I want to change it, but the method I found on the web adjusting views has not worked. How do I adjust the default time range in Splunk 6.0?

JimDeich
December 4, 2013
