Splunk® Enterprise

Search Manual


This documentation does not apply to the most recent version of Splunk.

Select time ranges to apply to your search

Use the time range picker to set time boundaries on your searches. You can restrict a search with preset time ranges, create custom time ranges, specify time ranges based on date or date and time, or work with advanced features in the time range picker. These options are described in the following sections.

Note: If you are located in a different timezone, time-based searches use the timestamp of the event from the Splunk instance that indexed the data.

Select from a list of Preset time ranges

The time range picker includes many built-in time range options that are already defined in the times.conf file. You can select from a list of Real-time windows, Relative time ranges, and search over All Time.

This image shows the list of Preset time ranges.

Define custom Relative time ranges

Use the Relative time range options to specify a custom time range for your search that is relative to Now. You can select from the list of time range units, "Seconds ago", "Minutes ago", and so on.

This image shows the Relative time ranges page. The Earliest drop-down is expanded to show the options.


The labels for Earliest and Latest update to match your selection.

This image shows Earliest is set to 10 Seconds Ago and Latest is set to Now.


The preview boxes below the fields update to the time range as you set it.

Read more about Relative time ranges in the next topic, Specify time modifiers in your search.

Define custom Real-time time ranges

The custom Real-time option enables you to specify the start time for your real-time time range window.

This image shows the window where you can specify a custom real-time time range.

See Specify real-time time range windows in your search.

Define custom Date ranges

Use the custom Date Range option to specify calendar dates in your search. You can choose among options to return events: Between a beginning and end date, Before a date, and Since a date.

This image shows the window where you can specify a custom date range. The Between option is selected.

For these fields, you can type the date into the text box or select the date from a calendar.

This image shows the calendar from which you can specify a date.

Define custom Date & Time ranges

Use the custom Date & Time Range option to specify calendar dates and times for the beginning and ending of your search.

This image shows the window from which you can specify a date and a time range.

You can type the date into the text box or select the date from a calendar.

Use Advanced time range options

Use the Advanced option to specify the earliest and latest search times. You can write the times in UNIX time or relative time notation. The UNIX time value you enter is converted to local time. This timestamp is displayed under the text field so that you can verify your entry.

This image shows the Advanced time range window where you can specify the time range in UNIX time.

Customize the list of Preset time ranges

You can customize the set of time ranges that appear in the Presets list of the time range picker in Splunk Web. You can create a time range based on an existing time range, or you can hide time ranges.

Create a time range based on an existing time range

The easiest way to create a new time range is to use an existing time range as the basis for a new time range. For example, the Relative time range list contains the Last 15 minutes time range. You want to create a time range for the last 30 minutes. You start by creating a duplicate, or clone, of the Last 15 minutes time range. In the clone, you change the Earliest setting from -15min to -30min.

  1. From the Settings menu, under the Knowledge list select User interface.
  2. In the User Interface window, select Time ranges.
  3. Locate the time range that you want to use.
  4. In the Actions column click Clone.
  5. A copy of the specifications for the time range appears. Make the changes to the time range specifications and click Save.

The new time range appears in the Relative list in the Presets menu.

Create a new Preset time range

You can create a new time range for the Presets menu. For example, you want to create a time range that covers yesterday from 12:00 to 15:00. To do this, specify relative times in the Earliest and Latest fields: -1d@d+12h in the Earliest field and -1d@d+15h in the Latest field.

  1. From the Settings menu, under the Knowledge list select User interface.
  2. In the User Interface window, select Time ranges.
  3. Click New.
  4. Complete the fields in the Add New window and click Save.

The new time range appears in the Relative list in the Presets menu.

Hide a time range on the Presets list

  1. From the Settings menu, under the Knowledge list select User interface.
  2. In the User Interface window, select Time ranges.
  3. Locate the time range you want to hide. In the Status column click Disable.


Users with the Admin role, or a role with equivalent capabilities, can change time ranges manually in the times.conf file. Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location. See How to edit a configuration file in the Admin manual.

  1. Open the local times.conf file for the Search app. For example, $SPLUNK_HOME/etc/apps/<app_name>/local.
  2. Create a stanza for the time range that you want to specify. For examples, see the times.conf reference in the Admin Manual.

If you are using Splunk Cloud and want to either hide a time range or create a new time range, open a Support ticket.

Change the default time range

The default time range for ad hoc searches in the Search & Reporting App is set to All time. An administrator can set the default time range globally, across all apps. See Change default values in the Admin Manual.


This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.2.15, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.3.14, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.4.11, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10

