Specifying time ranges
Restricting, or filtering, your search criteria using a time range is the easiest and most effective way to optimize your searches.
You can use time ranges to troubleshoot an issue, if you know the approximate timeframe when the issue occurred. Narrow the time range of the search to that timeframe. For example, to investigate an incident that occurred yesterday, select Yesterday or Last 24 hours. To investigate an incident that occurred 10 minutes ago, select Last 15 minutes or Last 60 minutes. Then, adjust the time range as needed in your investigation.
Let's explore the data from the Buttercup Games online store using the different time ranges.
- To start a new search, click Search in the Apps bar.
- To search for a keyword in your events, type buttercupgames in the Search bar and press Enter.
Notice that thousands of events are returned. You use the time range picker, which is to the right of the Search bar, to set time boundaries on your searches.
The default time range is All time. You can restrict the search to one of the preset time ranges, or use a custom time range.
Preset time ranges
The time range picker has many preset time ranges that you can select from.
- Click All time in the time range picker to see a list of the time range options.
- The Presets option contains Real-time, Relative, and Other time ranges.
- Real-time searches display a live, streaming view of events. You can specify a window over which to retrieve events.
- Historical searches display events from the past. You can restrict your search by specifying a relative time range or a specific date and time range.
- In the Presets option in the Relative list, click Yesterday.
- The number of events returned should be smaller. You changed the time range from All time to Yesterday.
Note: If no events are returned, it is probably because you downloaded the tutorialdata.zip file more than one day ago. When you download the ZIP file, timestamps are generated and added to the data. The earliest timestamp on the data is the date you downloaded the file. Therefore, there are no events that have a timestamp for yesterday. Try a different Relative time range, such as Previous week or Last 7 days.
Custom time ranges
Use a custom time range when one of the preset time ranges is not precise enough for your search.
Specify relative time ranges
You can use the Relative option to specify a custom time range.
- Open the time range picker.
- To run a search over the last two hours, select the Relative time range option.
- For Earliest, type 2 in the field, and select Hours Ago from the drop-down list.
- For Latest, the default is now. Select Beginning of the current hour.
- Click Apply.
The timestamps adjust to show you the earliest and latest timestamps that you specify.
As mentioned before, if no events are returned, select a different time range, such as 4 Days Ago or 1 Week Ago.
Specify date and time ranges
You can also use the Date Range and Date & Time Range options to specify a custom time range.
- Use Between to specify that events must occur between an earliest and latest date.
- Use Before to specify that events must occur before a date.
- Use Since to specify that events must occur after a date.
You use the Date Range option to specify dates. The following screen image shows the calendar that you can use to select a date.
You use the Date & Time Range option when you want to specify both a date and a time. The following screen image shows the "Between", "Before", or "Since" options.
For example, to troubleshoot an issue that took place September 20th 2016 at 8:42 PM, specify the earliest time of 09/20/2016 20:40:00.000 and the latest time of 09/20/2016 20:45:00.000 to show the events immediately before and after the issue took place.
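The Relative settings used earlier (Earliest "2 Hours Ago", Latest "Beginning of the current hour") are expressed as Splunk relative time modifiers, -2h and @h. The Python resolver below is an added example, not part of the tutorial or of Splunk itself; it implements my reading of the modifier rules for a subset of units (seconds through weeks) and turns a picker-style earliest/latest pair into absolute boundaries, so you can confirm that an investigation window actually brackets the incident time. The constructed TUTORIAL_NOW of 20:42:17 on 2016-09-20 is borrowed from the troubleshooting example above.

```python
import re
from datetime import datetime, timedelta

# Units handled: seconds, minutes, hours, days, weeks. Splunk's month and
# year units need calendar arithmetic and are deliberately left out here.
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

# Accepts 'now', '[+|-]<int><unit>', '@<unit>', or an offset followed by '@<unit>'
_MODIFIER = re.compile(r"^(?:now|([+-])(\d+)([smhdw]))?(?:@([smhdw]))?$")

def snap(t, unit):
    """Round t down to the start of the unit (the '@unit' part)."""
    if unit == "s":
        return t.replace(microsecond=0)
    if unit == "m":
        return t.replace(second=0, microsecond=0)
    if unit == "h":
        return t.replace(minute=0, second=0, microsecond=0)
    day = t.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "d":
        return day
    # 'w': back to the most recent Sunday, which is where Splunk starts a week
    return day - timedelta(days=(day.weekday() + 1) % 7)

def resolve(modifier, now):
    """Turn '-2h', '@h', '-1d@d' or 'now' into an absolute timestamp.
    Offset is applied first, then the snap (my reading of Splunk's rules)."""
    modifier = modifier.strip()
    m = _MODIFIER.match(modifier)
    if not modifier or not m:
        raise ValueError(f"unsupported time modifier: {modifier!r}")
    sign, amount, unit, snap_unit = m.groups()
    t = now
    if amount:
        delta = timedelta(seconds=int(amount) * UNIT_SECONDS[unit])
        t = t + delta if sign == "+" else t - delta
    if snap_unit:
        t = snap(t, snap_unit)
    return t

def window(earliest, latest, now):
    """Resolve a picker-style pair such as ('-2h', '@h') and reject an empty or
    inverted window, a common reason a search comes back with no events."""
    start, end = resolve(earliest, now), resolve(latest, now)
    if start >= end:
        raise ValueError(f"empty window: {start} is not before {end}")
    return start, end

# Constructed 'now' near the tutorial's incident example (20:42 on 2016-09-20)
TUTORIAL_NOW = datetime(2016, 9, 20, 20, 42, 17)
```

For example, window("-2h", "@h", TUTORIAL_NOW) returns 18:42:17 and 20:00:00 on 2016-09-20, which shows why "Beginning of the current hour" as Latest cuts off the most recent 42 minutes of events.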
This completes Part 3 of the Search Tutorial.
You have explored the Search app views and learned how important it is to specify time ranges with your searches. Continue to Part 4: Searching the tutorial data.
This documentation applies to the following versions of Splunk® Enterprise: 6.5.0, 6.5.1, 6.5.2, 6.5.3, 6.5.4, 6.5.5, 6.5.6, 6.5.7, 6.5.8, 6.5.9, 6.5.10