Splunk® Enterprise

Search Tutorial


Splunk Enterprise version 6.x is no longer supported as of October 23, 2019. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Specifying time ranges

Restricting, or filtering, your search criteria using a time range is the easiest and most effective way to optimize your searches.

You can use time ranges to troubleshoot an issue, if you know the approximate timeframe when the issue occurred. Narrow the time range of the search to that timeframe. For example, to investigate an incident that occurred yesterday, select Yesterday or Last 24 hours. To investigate an incident that occurred 10 minutes ago, select Last 15 minutes or Last 60 minutes. Then, adjust the time range as needed in your investigation.

Let's explore the data from the Buttercup Games online store using the different time ranges.

1. To start a new search, click Search in the Apps bar.

2. To search for a keyword in your events, type buttercupgames in the Search bar and press Enter.


The keyword is highlighted in the events that are returned.

This screen image shows the events returned from searching for "buttercupgames". The number of events returned appears in two places, directly below the search bar and on the Events tab. In this screen image a red oval is drawn around the number of events returned.

Notice that thousands of events are returned. You use the time range picker, which is to the right of the Search bar, to set time boundaries on your searches.

The default time range is All time. You can restrict the search to one of the preset time ranges, or use a custom time range.

Preset time ranges

The time range picker has many preset time ranges that you can select from.

1. Click All time in the time range picker to see a list of the time range options.

The Presets option contains Real-time, Relative, and Other time ranges.
  • Real-time searches display a live, streaming view of events. You can specify a window over which to retrieve events.
  • Historical searches display events from the past. You can restrict your search by specifying a relative time range or a specific date and time range.
Because the data for the Buttercup Games online store is a snapshot of historical data, you will use the Relative and Custom time ranges in this tutorial.
This screen capture shows the time range picker drop-down list. The list that is displayed is the Presets list.

2. In the Presets option in the Relative list, click Yesterday.

The number of events returned should be smaller. You changed the time range from All time to Yesterday.

Note: If no events are returned, it is probably because you downloaded the tutorialdata.zip file more than one day ago. When you download the ZIP file, timestamps are generated and added to the data. The earliest timestamp on the data is the date you downloaded the file. Therefore there are no events that have a timestamp for yesterday. Try a different Relative time range, such as Previous week or Last 7 days.

Custom time ranges

Use a custom time range when one of the preset time ranges is not precise enough for your search.

Specify relative time ranges

You can use the Relative option to specify a custom time range.

1. Open the time range picker.

2. To run a search over the last two hours, select the Relative time range option.

This screen image shows the Relative option. For "Earliest", the number 2 is typed in. From the drop-down list, "Hours Ago" is selected. For "Latest", the default radio button "now" is selected.

3. For Earliest, type 2 in the field, and select Hours Ago from the drop-down list.

4. For Latest, the default is now. Select Beginning of the current hour.

5. Click Apply.

The timestamps adjust to show you the earliest and latest timestamps that you specify.

As mentioned before, if no events are returned, select a different time range, such as 4 Days Ago or 1 Week Ago.

Specify date and time ranges

You can also use the Date Range and Date & Time Range options to specify a custom time range.

  • Use Between to specify that events must occur between an earliest and latest date.
  • Use Before to specify that events must occur before a date.
  • Use Since to specify that events must occur after a date.

You use the Date Range option to specify dates. The following screen image shows the calendar that you can use to select a date.

This screen image shows the calendar that appears when you click in one of the date fields.

You use the Date & Time Range option when you want to specify both a date and a time. The following screen image shows the "Between", "Before", or "Since" options.

This screen image shows that you can specify that the date appear "Between", "Before", or "Since" the specified dates.

For example, to troubleshoot an issue that took place February 28th 2016 at 8:42 PM, specify the earliest time of 02/28/2016 20:40:00.000 and the latest time of 02/28/2016 20:45:00.000 to show the events immediately before and after the issue took place.
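The picker selections in this topic (the Yesterday preset, the "2 Hours Ago" to "Beginning of the current hour" range, and the February 28th date and time range) all become `earliest=` and `latest=` modifiers in the search string, which is how you would pin the same window in a saved search or alert. The following is an added example, not part of the Splunk tutorial: it builds those search strings and uses a simplified resolver (an illustrative re-implementation, not Splunk's own parser) to show which timestamps each modifier produces against a constructed "now".

```python
# Added example, not from the Splunk tutorial: the picker selections in this
# topic expressed as earliest=/latest= modifiers, with a simplified resolver.
import re
from datetime import datetime, timedelta

# Constructed reference "now": the tutorial data is a snapshot, so a fixed
# clock keeps the results reproducible.
NOW = datetime(2016, 2, 28, 20, 42, 17)

_UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}
_ABS = "%m/%d/%Y:%H:%M:%S"   # Splunk's default absolute time format

def resolve(modifier, now=NOW):
    """Resolve a time modifier ("now", "-2h@h", "@d", "02/28/2016:20:40:00")
    to a datetime. Simplified re-implementation for illustration: it handles
    s/m/h/d offsets, an optional trailing snap-to (@unit), and absolute
    times in Splunk's default format; it is not Splunk's own parser."""
    if modifier == "now":
        return now
    try:
        return datetime.strptime(modifier, _ABS)
    except ValueError:
        pass
    m = re.fullmatch(r"(?:([+-]\d+)([smhd]))?(?:@([smhd]))?", modifier)
    if not modifier or not m:
        raise ValueError("unsupported modifier: %r" % modifier)
    amount, unit, snap = m.groups()
    t = now + timedelta(**{_UNITS[unit]: int(amount)}) if amount else now
    if snap:
        # Snap-to rounds DOWN to the start of the unit, so "-2h@h" is the
        # picker's "2 Hours Ago" and "@h" is "Beginning of the current hour".
        fields = {"s": ["microsecond"], "m": ["microsecond", "second"],
                  "h": ["microsecond", "second", "minute"],
                  "d": ["microsecond", "second", "minute", "hour"]}[snap]
        t = t.replace(**{f: 0 for f in fields})
    return t

def window(earliest, latest="now", now=NOW):
    """Return the (earliest, latest) datetimes a picker selection covers."""
    return resolve(earliest, now), resolve(latest, now)

def spl(keyword, earliest, latest="now"):
    """Build the search string equivalent to choosing the range in the picker."""
    def quote(v):  # absolute times contain '/' and ':', so quote them
        return '"%s"' % v if "/" in v else v
    return "%s earliest=%s latest=%s" % (keyword, quote(earliest), quote(latest))
```

The Yesterday preset corresponds to `earliest=-1d@d latest=@d`, and Last 15 minutes to `earliest=-15m`; the snap-to behaviour is why the picker's "Beginning of the current hour" is a whole-hour boundary rather than "now".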

Next step

This completes Part 3 of the Search Tutorial.

You have explored the Search app views and learned how important it is to specify time ranges with your searches. Continue to Part 4: Searching the tutorial data.

See also

Change the default time range in the Search Manual

Last modified on 21 September, 2016

This documentation applies to the following versions of Splunk® Enterprise: 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11
