Splunk® Enterprise

Search Tutorial


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.
This documentation does not apply to the most recent version of Splunk.

About the time range picker

Use the time range picker, which is to the right of the search bar, to set time boundaries on your searches.

You can restrict the search to Preset time ranges, custom Relative time ranges, and custom Real-time ranges or specify a Date Range or a Date & Time Range.

This tutorial uses Presets and Relative time range options.

Time range presets

The time range picker Presets are a set of time ranges that are predefined in Splunk Enterprise.

By default, the time range for a search is set to All time. When you search large volumes of data, results return faster when you run the search over a shorter time period. To change the default time range for your searches, see "Select time ranges to apply to your search" in the Search Manual.

When you troubleshoot an issue where you know the approximate range for when the issue occurred, narrow the time range of the search to that time period. For example, to investigate an incident that occurred yesterday, select Yesterday or Last 24 hours. To investigate an incident that occurred 10 minutes ago, select Last 15 minutes or Last 60 minutes. Then, adjust the time range as needed in your investigation.

Custom time ranges

You can define a custom time range, using the Relative or Date & Time Range options.

To run a search over the last two hours, use the Relative time range option.

For example, you can set the earliest time to "2 Hours Ago" and the latest time to either "now" or "Beginning of the current hour".

The timestamps shown in the picker update to reflect the earliest and latest times you specify.

You can use the Date & Time Range options to specify earliest and latest times using a calendar and timestamp.

For example, to troubleshoot an issue that took place September 30th at 8:42 PM, you can specify the earliest time to be 09/30/2014 08:40:00.000 and the latest time to be 09/30/2014 08:45:00.000.

Next steps

Continue reading to learn about search actions and search modes.

Last modified on 01 February, 2016

This documentation applies to the following versions of Splunk® Enterprise: 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14
