Related Answers
Download topic as PDF
Time modifiers
Use time modifiers to customize the time range of a search or change the format of the timestamps in the search results.
_time and _indextime fields
When an event is processed by Splunk software, its timestamp is saved as the default field _time. This timestamp, which is the time when the event occurred, is saved in UNIX time notation. Searching with relative time modifiers, earliest or latest, finds every event with a timestamp beginning, ending, or between the specified timestamps.
For example, when you search for earliest=@d, the search finds every event with a _time value since midnight. This example uses @d, which is a date format variable. See Date and time format variables.
You also have the option of searching for events based on when they were indexed. The UNIX time is saved in the _indextime field. Similar to earliest and latest for the _time field, you can use the relative time modifiers _index_earliest and _index_latest to search for events based on _indextime. For example, if you wanted to search for events indexed in the previous hour, use: _index_earliest=-h@h _index_latest=@h.
Note: When using index-time based modifiers such as _index_earliest and _index_latest, your search must also have an event-time window which will retrieve the events. In other words, chunks of events might be ruled out based on the non index-time window as well as the index-time window. To be certain of retrieving every event based on index-time, you must run your search using All Time.
List of time modifiers
Use the earliest and latest modifiers to specify custom and relative time ranges. You can specify an exact time such as earliest="10/5/2016:20:00:00", or a relative time such as earliest=-h or latest=@w6.
When specifying relative time, you can use the now modifier to refer to the current time.
| Modifier | Syntax | Description |
|---|---|---|
| earliest | earliest=[+|-]
|
Specify the earliest _time for the time range of your search.
|
| _index_earliest | _index_earliest=[+|-]
|
Specify the earliest _indextime for the time range of your search. |
| _index_latest | _index_latest=[+|-]
|
Specify the latest _indextime for the time range of your search. |
| latest | latest=[+|-]
|
Specify the latest time for the _time range of your search. |
| now | now()
|
Refers to the current time. If set to earliest, now() is the start of the search. |
| time | time()
|
In real-time searches, time() is the current machine time. |
For more information about customizing your search window, see Specify real-time time range windows in your search in the Search Manual.
How to specify relative time modifiers
You can define the relative time in your search with a string of characters that indicate time amount (integer and unit). You can also specify a "snap to" time unit, which is specified with the @ symbol followed by a time unit.
The syntax for using time modifiers is [+|-]<time_integer><time_unit>@<time_unit>
The steps to specify a relative time modifier are:
- Indicate the time offset from the current time.
- Define the time amount, which is a number and a unit.
- Specify a "snap to" time unit. The time unit indicates the nearest or latest time to which your time amount rounds down.
Indicate the time offset
Begin your string with a plus (+) or minus (-) to indicate the offset from the current time.
Define the time amount
Define your time amount with a number and a unit. The supported time units are listed in the following table.
| Time unit | Valid unit abbreviations |
|---|---|
| second | s, sec, secs, second, seconds |
| minute | m, min, minute, minutes |
| hour | h, hr, hrs, hour, hours |
| day | d, day, days |
| week | w, week, weeks |
| month | mon, month, months |
| quarter | q, qtr, qtrs, quarter, quarters |
| year | y, yr, yrs, year, years |
For example, to start your search an hour ago, use either of the following time modifiers.
earliest=-h
or
earliest=-60m
When specifying single time amounts, the number one is implied. An 's' is the same as '1s', 'm' is the same as '1m', 'h' is the same as '1h', and so forth.
Specify a snap to time unit
You can specify a snap to time unit. The time unit indicates the nearest or latest time to which your time amount rounds down. Separate the time amount from the "snap to" time unit with an "@" character.
- You can use any of time units listed previously. For example:
- @w, @week, and @w0 for Sunday
- @month for the beginning of the month
- @q, @qtr, or @quarter for the beginning of the most recent quarter (Jan 1, Apr 1, Jul 1, or Oct 1).
- You can specify a day of the week: w0 (Sunday), w1, w2, w3, w4, w5 and w6 (Saturday). For Sunday, you can specify w0 or w7.
- You can also specify offsets from the snap-to-time or "chain" together the time modifiers for more specific relative time definitions. For example,
-2h@dapplies a 2 hour offset to a snap to the beginning of today (12:00 A.M.), resulting in a time of 2am yesterday.- The Splunk platform always applies the offset before it applies the snap. In other words, the left-hand side of the @ symbol is applied before the right-hand side.
- When snapping to the nearest or latest time, Splunk software always snaps backwards or rounds down to the latest time not after the specified time. For example, if it is 11:59:00 and you "snap to" hours, you will snap to 11:00 not 12:00.
- If you do not specify a time offset before the "snap to" amount, Splunk software interprets the time as "current time snapped to" the specified amount. For example, if it is currently 11:59 PM on Friday and you use
@w6to "snap to Saturday", the resulting time is the previous Saturday at 12:01 A.M.
Examples
1. Run a search over all time
If you want to search events from the start of UNIX time, use earliest=1.
When earliest=1 and latest=now() are used, the search runs over all time.
...earliest=1 latest=now()
Specifying latest=now() does not return future events.
To return future events, specify latest=<a big number>. Future events are events that contain timestamps later than the current time now().
2. Search the events from the beginning of the current week
earliest=@w0
3. Search the events from the last full business week
earliest=-5d@w1 latest=@w6
4. Search with an exact date as a boundary
With a boundary such as from November 15 at 8 PM to November 22 at 8 PM, use the timeformat %m/%d/%Y:%H:%M:%S.
earliest="11/15/2017:20:00:00" latest="11/22/2017:20:00:00"
5. Specify multiple time windows
You can specify multiple time windows using the timeformat %m/%d/%Y:%H:%M:%S. For example to find events from 5-6 PM or 7-8 PM on specific dates, use the following syntax.
(earliest="1/22/2018:17:00:00" latest="1/22/2018:18:00:00") OR (earliest="1/22/2018:19:00:00" latest="1/22/2018:20:00:00")
Other time modifiers
These search time modifiers are still valid, but might be removed and their function no longer supported in a future release.
| Modifier | Syntax | Description |
|---|---|---|
| daysago | daysago=<int>
|
Search events within the last integer number of days. |
| enddaysago | enddaysago=<int>
|
Set an end time for an integer number of days before Now. |
| endhoursago | endhoursago=<int>
|
Set an end time for an integer number of hours before Now. |
| endminutesago | endminutesago=<int>
|
Set an end time for an integer number of minutes before Now. |
| endmonthsago | endmonthsago=<int>
|
Set an end time for an integer number of months before Now. |
| endtime | endtime=<string>
|
Search for events before the specified time (exclusive of the specified time). Use timeformat to specify how the timestamp is formatted. |
| endtimeu | endtimeu=<int>
|
Search for events before the specific UNIX time. |
| hoursago | hoursago=<int>
|
Search events within the last integer number of hours. |
| minutesago | minutesago=<int>
|
Search events within the last integer number of minutes. |
| monthsago | monthsago=<int>
|
Search events within the last integer number of months. |
| searchtimespandays | searchtimespandays=<int>
|
Search within a specified range of days, expressed as an integer. |
| searchtimespanhours | searchtimespanhours=<int>
|
Search within a specified range of hours, expressed as an integer. |
| searchtimespanminutes | searchtimespanminutes=<int>
|
Search within a specified range of minutes, expressed as an integer. |
| searchtimespanmonths | searchtimespanmonths=<int>
|
Search within a specified range of months, expressed as an integer. |
| startdaysago | startdaysago=<int>
|
Search the specified number of days before the present time. |
| starthoursago | starthoursago=<int>
|
Search the specified number of hours before the present time. |
| startminutesago | startminutesago=<int>
|
Search the specified number of minutes before the present time. |
| startmonthsago | startmonthsago=<int>
|
Search the specified number of months before the present time. |
| starttime | starttime=<timestamp>
|
Search from the specified date and time to the present, inclusive of the specified time. |
| starttimeu | starttimeu=<int>
|
Search for events starting from the specific UNIX time. |
| timeformat | timeformat=<string>
|
Set the timeformat for the starttime and endtime modifiers. By default: timeformat=%m/%d/%Y:%H:%M:%S
|
|
PREVIOUS Date and time format variables |
NEXT abstract |
This documentation applies to the following versions of Splunk® Enterprise: 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6
Comments
In the column on the right side there is a link-reference called "_time and _indextime fields" that doesn't seem to go anywhere.
Vrobison
Thank you for pointing this out. We agree that it can be confusing, since people use different date formats. I've updated the examples in this topic. I will look for other topics that show dates and update them as well.
It would be useful if you always use date/time examples that demonstrate the format without ambiguity by using day of month values greater than 12 - this is a common point of confusion.
e.g. earliest="11/23/2017:20:00:00" latest="11/24/2017:20:00:00"
not earliest="11/5/2017:20:00:00" latest="11/12/2017:20:00:00"
Pyro wood
The right column of every doc page is a TOC of the sections on the page. Since the very first section is already visible when you open the page, then the link doesn't appear to work. However, if you scroll down to another section, clicking on that link will take you back up to that section.