Splunk® Enterprise

Search Tutorial

Download manual as PDF

This documentation does not apply to the most recent version of Splunk. Click here for the latest version.
Download topic as PDF

About the time range picker

Use the time range picker, which is to the right of the search bar, to set time boundaries on your searches. 6.3.0 Tutorial timerange.png


You can restrict the search to Preset time ranges, custom Relative time ranges, and custom Real-time ranges or specify a Date Range or a Date & Time Range.

This tutorial uses Presets and Relative time range options.

Time range presets

The time range picker Presets are a set of time ranges that come defined in Splunk Enterprise.

6.2tutorial timerange presets.png

By default, the time range for a search is set to All time. When you search large volumes of data, results return faster when you run the search over a shorter time period. To change the default time range for your searches, see "Select time ranges to apply to your search" in the Search Manual.

When you troubleshoot an issue where you know the approximate range for when the issue occurred, narrow the time range of the search to that time period. For example, to investigate an incident that occurred yesterday, select Yesterday or Last 24 hours. To investigate an incident that occurred 10 minutes ago, select Last 15 minutes or Last 60 minutes. Then, adjust the time range as needed in your investigation.

Custom time ranges

You can define a custom time range, using the Relative or Date & Time Range options.

To run a search over the last two hours, use the Relative time range option.

6.2tutorial timerange rel.png


For example, you can specify the earliest time to read "2 Hours Ago" and latest time to be either "now" or "Beginning of the current hour".

The timestamps adjust to show you the earliest and latest timestamps you specify.

You can use the Date & Time Range options to specify earliest and latest times using a calendar and timestamp.

6.2tutorial timerange datetime.png


For example, to troubleshoot an issue that took place September 30th at 8:42 PM, you can specify the earliest time to be 09/30/2014 08:40:00.000 and the latest time to be 09/30/2014 08:45:00.000.

Next steps

Continue reading to learn about search actions and search modes.

PREVIOUS
About the Search views
  NEXT
About search actions and modes

This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14


Comments

Good question Landen99, yes you (or your system admin) can. Depends on what you want.
See the section "Customize the time ranges you can select" and "Change the default selected time range" in this topic: http://docs.splunk.com/Documentation/Splunk/latest/Search/Selecttimerangestoapply
in the Search Manual.

Lstewart splunk, Splunker
December 10, 2015

Can I add a custom time range to the presets list? Like "Last Hour".

Landen99
December 3, 2015

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters