Splunk® Enterprise

Search Manual


Specify time modifiers in your search

When searching or saving a search, you can specify absolute and relative time ranges using the following time modifiers:

earliest=<time_modifier>
latest=<time_modifier>

An absolute time range uses specific dates and times, for example, from 12 A.M. November 1, 2016 to 12 A.M. November 13, 2016.

A relative time range is dependent on when the search is run. For example, a relative time range of -60m means 60 minutes ago. If the current time is 3:15 P.M., the search returns events from the last 60 minutes, from 2:15 P.M. to 3:15 P.M.

The current time is referred to as Now.

Specify absolute time ranges

For exact time ranges, the syntax for the time modifiers is %m/%d/%Y:%H:%M:%S. The date and time are interpreted in the time zone configured for the user who runs the search. For example, the following search specifies a time range from 12 A.M. October 19, 2016 to 8 A.M. October 27, 2016:

earliest=10/19/2016:0:0:0 latest=10/27/2016:08:0:0

If you specify only the earliest time modifier, the latest is set to the current time Now by default. If you specify a latest time modifier, you must also specify an earliest time.

The time range that you specify using a time modifier in the Search bar overrides the time range that is selected in the time range picker.

[Image: the time range picker in the Search app, showing the default time range of "All time".]

Note: Time ranges specified directly in the search do not apply to subsearches. Time ranges selected from the time range picker do apply to subsearches.

Specify relative time ranges

You define the relative time in your search with a string that indicates an offset from Now. The syntax is an optional sign, an integer, and a time unit: [+|-]<time_integer><time_unit>. For example, earliest=-1week means one week before Now.

1. Begin the time range with a minus ( - ) or a plus ( + ) to indicate an offset before or after Now.

2. Specify the amount of time by using a number and a time unit. When you specify a single unit of time, the number 1 is implied. For example, s is the same as 1s, m is the same as 1m, and so on. The supported time units are listed in the following table.

Time unit   Valid values
seconds     s, sec, secs, second, seconds
minutes     m, min, minute, minutes
hours       h, hr, hrs, hour, hours
days        d, day, days
weeks       w, week, weeks
months      mon, month, months
quarters    q, qtr, qtrs, quarter, quarters
years       y, yr, yrs, year, years

When specifying relative time, use now().

Special time units

The following abbreviations are for special cases of time units and snap time offsets.

earliest=1
    Searches events from the start of UNIX time (the epoch). Specifying earliest=0 instead indicates that time is not used in the search.

    When earliest=1 and latest=now or latest=<a large number>, the search runs over All time. The difference is that:

      • Specifying latest=now, which is the default, does not return future events.
      • Specifying latest=<a large number> returns future events, which are events whose timestamps are later than the current time, now().

latest=now()
    Specifies that the search starts or ends at the current time.

Examples of relative time modifiers

For the following examples, the current time is Friday, February 5, 2016 at 01:37:05 P.M. A relative time modifier is an exact offset from Now; it is not rounded to the start of the hour or day, so -1h and -60m denote the same instant. Note that 24h is not always equivalent to 1d, because of Daylight Saving Time: -24h subtracts 24 elapsed hours, while -1d goes to the same clock time on the previous day, which is 23 or 25 hours earlier on the day a DST change occurs.

Time modifier   Description                          Resulting time
now()           Now, the current time                Friday, February 5 2016, 01:37:05 PM
-60m            60 minutes ago                       Friday, February 5 2016, 12:37:05 PM
-1h             1 hour ago                           Friday, February 5 2016, 12:37:05 PM
-1d             1 day ago, same time yesterday       Thursday, February 4 2016, 01:37:05 PM
-24h            24 hours ago                         Thursday, February 4 2016, 01:37:05 PM
-7d             7 days ago                           Friday, January 29 2016, 01:37:05 PM
+1d             1 day from now, same time tomorrow   Saturday, February 6 2016, 01:37:05 PM
+24h            24 hours from now                    Saturday, February 6 2016, 01:37:05 PM

Examples of searches with relative time modifiers

Example 1: Search for web access errors from the last 7 days to the current time of your search, Now.

eventtype=webaccess error earliest=-1w

If the current time is 09:00, this search returns matching events starting from 7 days ago at 09:00 and ending at 09:00 today. This is equivalent to specifying earliest=-7d.

Example 2: Search for web access errors from 2 to 4 hours ago.

eventtype=webaccess error earliest=-4h latest=-2h

If the current time is 14:00, this search returns matching events starting from 10:00 AM to 12:00 PM today.
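The following Python is an added example, not Splunk's own code: a small resolver for the earliest/latest syntax described on this page (the absolute %m/%d/%Y:%H:%M:%S form, the [+|-]<time_integer><time_unit> form with the units table and the implied 1, now, earliest=1 and earliest=0), plus the defaulting rules (latest defaults to Now; latest without earliest is rejected). It reproduces the examples table and the windows of Examples 1 and 2, and it makes the 24h-versus-1d caveat concrete by resolving both on the day of a DST change. The USEastern class is an assumed, hand-written approximation of the US Eastern zone so that the script runs without a system time zone database; NOW_PAGE and NOW_DST are constructed reference clocks, not values from the page. Real code would use zoneinfo.ZoneInfo instead of the hand-written zone.

```python
import re
from calendar import monthrange
from datetime import datetime, timedelta, timezone, tzinfo

# Unit spellings from the units table, mapped to a canonical unit.
_UNITS = {name: canon for canon, names in {
    "s": "s sec secs second seconds", "m": "m min minute minutes",
    "h": "h hr hrs hour hours", "d": "d day days", "w": "w week weeks",
    "mon": "mon month months", "q": "q qtr qtrs quarter quarters",
    "y": "y yr yrs year years"}.items() for name in names.split()}
_FIXED_SECONDS = {"s": 1, "m": 60, "h": 3600}  # elapsed-time units
_CALENDAR_MONTHS = {"mon": 1, "q": 3, "y": 12}  # wall-clock units
_RELATIVE = re.compile(r"^([+-])?(\d*)([a-z]+)$")
_ABSOLUTE_FORMAT = "%m/%d/%Y:%H:%M:%S"


class USEastern(tzinfo):
    """Assumed US Eastern zone, post-2007 DST rule (02:00 second Sunday of March
    to 02:00 first Sunday of November); real code should use zoneinfo.ZoneInfo."""

    def dst(self, dt):
        mar1, nov1 = datetime(dt.year, 3, 1), datetime(dt.year, 11, 1)
        start = mar1 + timedelta(days=(6 - mar1.weekday()) % 7 + 7, hours=2)
        end = nov1 + timedelta(days=(6 - nov1.weekday()) % 7, hours=2)
        return timedelta(hours=1) if start <= dt.replace(tzinfo=None) < end else timedelta(0)

    def utcoffset(self, dt):
        return timedelta(hours=-5) + self.dst(dt)

    def tzname(self, dt):
        return "EDT" if self.dst(dt) else "EST"


def _add_months(wall, months):
    """Calendar month arithmetic on a naive datetime, clamping the day of month."""
    year, month0 = divmod(wall.year * 12 + wall.month - 1 + months, 12)
    return wall.replace(year=year, month=month0 + 1,
                        day=min(wall.day, monthrange(year, month0 + 1)[1]))


def _shift(now, n, unit):
    """Offset `now` by n units: s/m/h count elapsed time (via UTC), so -24h is exactly
    86400 s; d/w/mon/q/y move the local wall clock, so -1d is the same clock time yesterday."""
    if unit in _FIXED_SECONDS:
        utc = now.astimezone(timezone.utc) + timedelta(seconds=n * _FIXED_SECONDS[unit])
        return utc.astimezone(now.tzinfo)
    wall = now.replace(tzinfo=None)
    if unit in ("d", "w"):
        wall += timedelta(days=n * (7 if unit == "w" else 1))
    else:
        wall = _add_months(wall, n * _CALENDAR_MONTHS[unit])
    return wall.replace(tzinfo=now.tzinfo)


def resolve(modifier, now):
    """Absolute instant denoted by one earliest=/latest= value, relative to the
    timezone-aware `now`. Returns None for earliest=0 ("time is not used")."""
    mod = modifier.strip().lower()
    if mod in ("now", "now()"):
        return now
    if mod == "0":
        return None
    if mod.isdigit():  # epoch seconds: earliest=1, or a large latest=
        return datetime.fromtimestamp(int(mod), tz=now.tzinfo)
    try:               # absolute form, e.g. 10/19/2016:0:0:0
        return datetime.strptime(mod, _ABSOLUTE_FORMAT).replace(tzinfo=now.tzinfo)
    except ValueError:
        pass
    m = _RELATIVE.match(mod)
    if not m or m.group(3) not in _UNITS:
        raise ValueError(f"unrecognised time modifier: {modifier!r}")
    sign, digits, unit = m.groups()
    n = int(digits) if digits else 1  # "d" is shorthand for "1d"
    return _shift(now, -n if sign == "-" else n, _UNITS[unit])


def search_window(earliest, latest, now):
    """Resolve an earliest/latest pair with the page's defaulting rules:
    latest defaults to Now, and latest without earliest is rejected."""
    if latest is not None and earliest is None:
        raise ValueError("latest= requires an earliest= modifier")
    start = None if earliest is None else resolve(earliest, now)
    return start, (now if latest is None else resolve(latest, now))


def describe(modifier, now):
    """Render a modifier's result in the style of the examples table."""
    dt = resolve(modifier, now)
    return f"{dt:%A, %B} {dt.day} {dt:%Y, %I:%M:%S %p}"


def day_vs_24h_gap_hours(now):
    """Elapsed hours between the -1d and -24h instants: 0 normally, +1/-1 across a DST change."""
    return (resolve("-1d", now).timestamp() - resolve("-24h", now).timestamp()) / 3600


# Constructed reference clocks: the examples table's time, and a time later on the
# day of the 2016 US DST change (2016-03-13 02:00), where -1d and -24h differ.
NOW_PAGE = datetime(2016, 2, 5, 13, 37, 5, tzinfo=USEastern())
NOW_DST = datetime(2016, 3, 13, 13, 37, 5, tzinfo=USEastern())

if __name__ == "__main__":
    for mod in ("now", "-60m", "-1h", "-1d", "-24h", "-7d", "-1w", "+1d", "+24h"):
        print(f"{mod:>5}  {describe(mod, NOW_PAGE)}")
    print("-1d minus -24h across the DST change:", day_vs_24h_gap_hours(NOW_DST), "h")
```

The split in _shift is the point of the DST caveat: hour-based units are applied to the UTC instant, day-and-larger units to the local wall clock, which is why -24h and -1d land an hour apart on the afternoon of a DST change. For a scheduled detection search that is a practical concern: a search with earliest=-1d covers 25 or 23 hours on those two days of the year, so compare the resolved window against the schedule interval when you rely on earliest/latest to avoid gaps or double-counting.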


This documentation applies to the following versions of Splunk® Enterprise: 6.2.0, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 6.2.9, 6.2.10, 6.2.11, 6.2.12, 6.2.13, 6.2.14, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.3.8, 6.3.9, 6.3.10, 6.3.11, 6.3.12, 6.3.13, 6.4.0, 6.4.1, 6.4.2, 6.4.3, 6.4.4, 6.4.5, 6.4.6, 6.4.7, 6.4.8, 6.4.9, 6.4.10, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9

