
About the time range picker
Use the time range picker, which is to the right of the search bar, to set time boundaries on your searches.
You can restrict the search to Preset time ranges, custom Relative time ranges, or custom Real-time ranges, or you can specify a Date Range or a Date & Time Range.
This tutorial uses Presets and Relative time range options.
Time range presets
The time range picker Presets are a set of time ranges that come defined in Splunk Enterprise.
By default, the time range for a search is set to All time. When you search large volumes of data, results return faster when you run the search over a shorter time period. To change the default time range for your searches, see "Select time ranges to apply to your search" in the Search Manual.
When you troubleshoot an issue where you know the approximate range for when the issue occurred, narrow the time range of the search to that time period. For example, to investigate an incident that occurred yesterday, select Yesterday or Last 24 hours. To investigate an incident that occurred 10 minutes ago, select Last 15 minutes or Last 60 minutes. Then, adjust the time range as needed in your investigation.
Custom time ranges
You can define a custom time range using the Relative or Date & Time Range options.
To run a search over the last two hours, use the Relative time range option.
For example, you can specify the earliest time to read "2 Hours Ago" and latest time to be either "now" or "Beginning of the current hour".
The timestamps adjust to show you the earliest and latest timestamps you specify.
You can use the Date & Time Range options to specify earliest and latest times using a calendar and timestamp.
For example, to troubleshoot an issue that took place September 30th at 8:42 PM, you can specify the earliest time to be 09/30/2014 08:40:00.000 and the latest time to be 09/30/2014 08:45:00.000.
Next steps
Continue reading to learn about search actions and search modes.
This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14