
Specify time modifiers in your search
When searching or saving a search, you can specify absolute and relative time ranges using the following attributes:
earliest=<time_modifier> latest=<time_modifier>
Specify absolute time ranges in your search
For exact time ranges, the syntax of time_modifier is %m/%d/%Y:%H:%M:%S. For example, to specify a time range from 12AM October 19, 2009 to 12AM October 27, 2009:
earliest=10/19/2009:0:0:0 latest=10/27/2009:0:0:0
If you specify only the "earliest" attribute, "latest" is set to the current time (now) by default. In general, you won't specify "latest" without an "earliest" time.
When you specify a time range in your search or saved search, it overrides the time range that is selected in the dropdown menu. However, the time range specified directly in the search string will not apply to subsearches (but the range selected from the dropdown will apply).
Specify relative time ranges in your search
You can define the relative time in your search with a string of characters that indicate time amount (integer and unit) and, optionally, a "snap to" time unit: [+|-]<time_integer><time_unit>@<time_unit>. Also, when specifying relative time, you can use now to refer to the current time.
1. Begin your string with a plus (+) or minus (-) to indicate the offset of the time amount.
2. Define your time amount with a number and a unit. When you specify single time amounts, the number is implied: 's' is the same as '1s', 'm' is the same as '1m', etc. The supported time units are:
- second: s, sec, secs, second, seconds
- minute: m, min, minute, minutes
- hour: h, hr, hrs, hour, hours
- day: d, day, days
- week: w, week, weeks
- month: mon, month, months
- quarter: q, qtr, qtrs, quarter, quarters
- year: y, yr, yrs, year, years
3. You can also specify a "snap to" time unit to indicate the nearest or latest time to which your time amount rounds down. To do this, separate the time amount from the "snap to" time unit with an "@" character.
You can define the relative time modifier as only a "snap to" time unit. For example, to "snap to" a specific day of the week, use @w0 for Sunday, @w1 for Monday, etc.
If you don't specify a "snap to" time unit, Splunk snaps automatically to the second.
Special time units
These abbreviations are reserved for special cases of time units and snap time offsets.
Time Unit | Description |
---|---|
earliest=1 | If you want to search events from the start of UTC epoch time, use earliest=1. (earliest=0 in the search string indicates that time is not used in the search.) |
now (for example, latest=now) | Specify that the search starts or ends at the current time. |
@q, @qtr, or @quarter | Specify a snap to the beginning of the most recent quarter: Jan 1, Apr 1, July 1, or Oct 1. |
w0, w1, w2, w3, w4, w5, and w6 | Specify "snap to" days of the week, where w0 is Sunday, w1 is Monday, etc. When you snap to a week, @w or @week, it is equivalent to snapping to Sunday or @w0. |
More about snap-to-time
When snapping to the nearest or latest time, Splunk always snaps backwards or rounds down to the latest time not after the specified time. For example, if it is 11:59:00 and you "snap to" hours, you will snap to 11:00 not 12:00.
If you don't specify a time offset before the "snap to" amount, Splunk interprets the time as "current time snapped to" the specified amount. For example, if it is currently 11:59 PM on Friday and you use @w6 to "snap to Saturday", the resulting time is the previous Saturday at 12:01 AM.
Examples of relative time modifiers
For these examples, the current time is Wednesday, 05 February 2009, 01:37:05 PM. Also note that 24h is usually but not always equivalent to 1d because of Daylight Saving Time boundaries.
Time modifier | Description | Resulting time | Equivalent modifiers |
---|---|---|---|
now | Now, the current time | Wednesday, 05 February 2009, 01:37:05 PM | now |
-60m | 60 minutes ago | Wednesday, 05 February 2009, 12:37:05 PM | -60m@s |
-1h@h | 1 hour ago, to the hour | Wednesday, 05 February 2009, 12:00:00 PM | |
-1d@d | Yesterday | Tuesday, 04 February 2009, 12:00:00 AM | |
-24h | 24 hours ago (yesterday) | Tuesday, 04 February 2009, 01:37:05 PM | -24h@s |
-7d@d | 7 days ago, 1 week ago today | Wednesday, 28 January 2009, 12:00:00 AM | |
-7d@m | 7 days ago, snap to minute boundary | Wednesday, 28 January 2009, 01:37:00 PM | |
@w0 | Beginning of the current week | Sunday, 02 February 2009, 12:00:00 AM | |
+1d@d | Tomorrow | Thursday, 06 February 2009, 12:00:00 AM | |
+24h | 24 hours from now, tomorrow | Thursday, 06 February 2009, 01:37:05 PM | +24h@s |
Examples of chained relative time offsets
You can also specify offsets from the snap-to-time or "chain" together the time modifiers for more specific relative time definitions.
Time modifier | Description | Resulting time |
---|---|---|
@d-2h | Snap to the beginning of today (12AM) and subtract 2 hours from that time. | 10PM last night. |
-mon@mon+7d | One month ago, snapped to the first of the month at midnight, and add 7 days. | The 8th of last month (at 12AM). |
Examples of searches with relative time modifiers
Example 1: Web access errors from the beginning of the week to the current time of your search (now).
eventtype=webaccess error earliest=@w0
This search returns matching events starting from 12:00 AM of the Sunday of the current week to the current time. Of course, this means that if you run this search on Monday at noon, you will only see events for 36 hours of data.
Example 2: Web access errors from the current business week (Monday to Friday).
eventtype=webaccess error earliest=@w1 latest=+7d@w6
This search returns matching events starting from 12:00 AM of the Monday of the current week and ending at 11:59 PM of the Friday of the current week.
If you run this search on Monday at noon, you will only see events for 12 hours of data. If you run this search on Friday, however, you will see events from the beginning of the week to the current time on Friday. The timeline, however, will display the full business week.
Example 3: Web access errors from the last full business week.
eventtype=webaccess error earliest=-7d@w1 latest=@w6
This search returns matching events starting from 12:00 AM of last Monday and ending at 11:59 PM of last Friday.
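To make the relative time grammar and the chained offsets above concrete, here is an added Python resolver (written for this page, not Splunk's own code) that tokenizes a modifier string, applies each offset and each backward snap in order, and so reproduces the chained examples and the earliest/latest bounds of the three searches. It assumes naive local timestamps (no DST handling, so 24h and 1d never differ here), and the page's example time, Wednesday 05 February 2009 01:37:05 PM, is the default `now`.

```python
import re
from datetime import datetime, timedelta

# Unit aliases listed on the page, each mapped to a canonical unit.
UNITS = {a: c for c, names in {
    "s": "s sec secs second seconds", "m": "m min minute minutes",
    "h": "h hr hrs hour hours", "d": "d day days", "w": "w week weeks",
    "mon": "mon month months", "q": "q qtr qtrs quarter quarters",
    "y": "y yr yrs year years"}.items() for a in names.split()}
MONTHS = {"mon": 1, "q": 3, "y": 12}                              # calendar units
SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}   # fixed-length units
BASE = datetime(2009, 2, 5, 13, 37, 5)   # the page's example "current time" (naive local)

def add_months(dt, n):
    """Shift dt by n calendar months, clamping the day to the target month's length."""
    total = dt.month - 1 + n
    year, month = dt.year + total // 12, total % 12 + 1
    last = (datetime(year + month // 12, month % 12 + 1, 1) - timedelta(days=1)).day
    return dt.replace(year=year, month=month, day=min(dt.day, last))

def snap(dt, unit):
    """Round dt backwards (never forwards) to the boundary named by unit."""
    if re.fullmatch(r"w[0-6]", unit) or UNITS.get(unit) == "w":   # @w0..@w6; @w == @w0
        target = int(unit[1:]) if unit[1:].isdigit() else 0       # Splunk: w0 is Sunday
        back = ((dt.weekday() + 1) % 7 - target) % 7              # Python Mon=0 -> Sun=0
        return dt.replace(hour=0, minute=0, second=0, microsecond=0) - timedelta(days=back)
    u = UNITS[unit]
    fields = ["microsecond", "second", "minute", "hour", "day", "month"]
    keep = {"s": 1, "m": 2, "h": 3, "d": 4, "mon": 5, "q": 5, "y": 6}[u]
    dt = dt.replace(**{f: 1 if f in ("day", "month") else 0 for f in fields[:keep]})
    return dt.replace(month=(dt.month - 1) // 3 * 3 + 1) if u == "q" else dt

def resolve(modifier, now=BASE):
    """Evaluate a Splunk relative time modifier (chained tokens included) against now."""
    if modifier == "now":
        return now.replace(microsecond=0)
    tokens = re.findall(r"@w[0-6]|@[a-z]+|[+-]?\d*[a-z]+", modifier)
    if "".join(tokens) != modifier:
        raise ValueError("unparseable time modifier: " + modifier)
    dt = now
    for tok in tokens:
        if tok.startswith("@"):
            dt = snap(dt, tok[1:])
            continue
        sign, digits, name = re.fullmatch(r"([+-]?)(\d*)([a-z]+)", tok).groups()
        n = int(digits or 1) * (-1 if sign == "-" else 1)        # 'm' means '1m'
        u = UNITS[name]
        dt = add_months(dt, n * MONTHS[u]) if u in MONTHS else dt + timedelta(seconds=n * SECONDS[u])
    return dt.replace(microsecond=0)        # no "snap to" given: Splunk snaps to the second
```

Calling `resolve("-7d@w1")` and `resolve("@w6")` gives the Monday 12:00 AM and Saturday 12:00 AM bounds that Example 3 describes as last Monday through 11:59 PM last Friday.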
This documentation applies to the following versions of Splunk® Enterprise: 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.1, 6.1.1, 6.1.2, 6.1.3, 6.1.4, 6.1.5, 6.1.6, 6.1.7, 6.1.8, 6.1.9, 6.1.10, 6.1.11, 6.1.12, 6.1.13, 6.1.14
For examples 2 and 3, isn't there any mistake? If it is Saturday or Sunday, example 2 will lead to earliest="This Mon 12:00AM" (Good); latest="Sat next week 12:00AM" (Bad). I think latest should be replaced by @w1+5d. Same for example 3.