Splunk® Enterprise

Search Reference

Download manual as PDF

Download topic as PDF

Time modifiers

Use time modifiers to customize the time range of a search or change the format of the timestamps in the search results.

Searching the time and fields

When an event is processed by Splunk software, its timestamp is saved as the default field _time. This timestamp, which is the time when the event occurred, is saved in UNIX time notation. Searching with relative time modifiers, earliest or latest, finds every event with a timestamp beginning, ending, or between the specified timestamps.

For example, when you search for earliest=@d, the search finds every event with a _time value since midnight. This example uses @d, which is a date format variable. See Date and time format variables.

You also have the option of searching for events based on when they were indexed. The UNIX time is saved in the _indextime field. Similar to earliest and latest for the _time field, you can use the relative time modifiers _index_earliest and _index_latest to search for events based on _indextime. For example, if you wanted to search for events indexed in the previous hour, use: _index_earliest=-h@h _index_latest=@h.

Note: When using index-time based modifiers such as _index_earliest and _index_latest, your search must also have an event-time window which will retrieve the events. In other words, chunks of events might be ruled out based on the non index-time window as well as the index-time window. To be certain of retrieving every event based on index-time, you must run your search using All Time.

List of time modifiers

Use the earliest and latest modifiers to specify custom and relative time ranges. You can specify an exact time such as earliest="10/5/2016:20:00:00", or a relative time such as earliest=-h or latest=@w6.

When specifying relative time, you can use the now modifier to refer to the current time.

Modifier Syntax Description
earliest earliest=[+|-]

<time_integer><time_unit>@<time_unit>

Specify the earliest _time for the time range of your search.


Use earliest=1 to specify the UNIX epoch time 1, which is UTC January 1, 1970 at 12:00:01 AM.

_index_earliest _index_earliest=[+|-]

<time_integer><time_unit>@<time_unit>

Specify the earliest _indextime for the time range of your search.
_index_latest _index_latest=[+|-]

<time_integer><time_unit>@<time_unit>

Specify the latest _indextime for the time range of your search.
latest latest=[+|-]

<time_integer><time_unit>@<time_unit>

Specify the latest time for the _time range of your search.
now now() Refers to the current time. If set to earliest, now() is the start of the search.
time time() In real-time searches, time() is the current machine time.

For more information about customizing your search window, see Specify real-time time range windows in your search in the Search Manual.

How to specify relative time modifiers

You can define the relative time in your search with a string of characters that indicate time amount (integer and unit). You can also specify a "snap to" time unit, which is specified with the @ symbol followed by a time unit.

The syntax for using time modifiers is [+|-]<time_integer><time_unit>@<time_unit>

The steps to specify a relative time modifier are:

  1. Indicate the time offset from the current time.
  2. Define the time amount, which is a number and a unit.
  3. Specify a "snap to" time unit. The time unit indicates the nearest or latest time to which your time amount rounds down.

Indicate the time offset

Begin your string with a plus (+) or minus (-) to indicate the offset from the current time.

Define the time amount

Define your time amount with a number and a unit. The supported time units are listed in the following table.

Time unit Valid unit abbreviations
second s, sec, secs, second, seconds
minute m, min, minute, minutes
hour h, hr, hrs, hour, hours
day d, day, days
week w, week, weeks
month mon, month, months
quarter q, qtr, qtrs, quarter, quarters
year y, yr, yrs, year, years

For example, to start your search an hour ago, use either of the following time modifiers.

earliest=-h

or

earliest=-60m

When specifying single time amounts, the number one is implied. An 's' is the same as '1s', 'm' is the same as '1m', 'h' is the same as '1h', and so forth.

Specify a snap to time unit

You can specify a snap to time unit. The time unit indicates the nearest or latest time to which your time amount rounds down. Separate the time amount from the "snap to" time unit with an "@" character.

  • You can use any of time units listed previously. For example:
    • @w, @week, and @w0 for Sunday
    • @month for the beginning of the month
    • @q, @qtr, or @quarter for the beginning of the most recent quarter (Jan 1, Apr 1, Jul 1, or Oct 1).
  • You can specify a day of the week: w0 (Sunday), w1, w2, w3, w4, w5 and w6 (Saturday). For Sunday, you can specify w0 or w7.
  • You can also specify offsets from the snap-to-time or "chain" together the time modifiers for more specific relative time definitions. For example, @d-2h snaps to the beginning of today (12 AM or midnight), and then applies the time offset of -2h, This results in a time of 10 PM yesterday.
    • The Splunk platform always applies the offset before it applies the snap. In other words, the left-hand side of the @ symbol is applied before the right-hand side.
  • When snapping to the nearest or latest time, Splunk software always snaps backwards or rounds down to the latest time not after the specified time. For example, if it is 11:59:00 and you "snap to" hours, you will snap to 11:00 not 12:00.
  • If you do not specify a time offset before the "snap to" amount, Splunk software interprets the time as "current time snapped to" the specified amount. For example, if it is currently 11:59 PM on Friday and you use @w6 to "snap to Saturday", the resulting time is the previous Saturday at 12:01 A.M.

Examples

1. Run a search over all time

If you want to search events from the start of UNIX time, use earliest=1.

When earliest=1 and latest=now() are used, the search runs over all time.

...earliest=1 latest=now()

Specifying latest=now() does not return future events.

To return future events, specify latest=<a_big_number>. Future events are events that contain timestamps later than the current time now().

2. Search the events from the beginning of the current week

earliest=@w0


3. Search the events from the last full business week

earliest=-5d@w1 latest=@w6


4. Search with an exact date as a boundary

With a boundary such as from November 15 at 8 PM to November 22 at 8 PM, use the timeformat %m/%d/%Y:%H:%M:%S.

earliest="11/15/2017:20:00:00" latest="11/22/2017:20:00:00"

5. Specify multiple time windows using a fixed date time format

You can specify multiple time windows using the timeformat %m/%d/%Y:%H:%M:%S. For example to find events from 5-6 PM or 7-8 PM on specific dates, use the following syntax.

(earliest="1/22/2018:17:00:00" latest="1/22/2018:18:00:00") OR (earliest="1/22/2018:19:00:00" latest="1/22/2018:20:00:00")

6. Specify multiple time windows using a relative time format

You can specify multiple time windows using the time modifiers and snap-to with a relative time. For example to find events for the last 24 hours but omit the events from Midnight to 1:00 A.M., use the following syntax:

((earliest=-24h latest<@d) OR (earliest>=@d+1h))

Other time modifiers

These search time modifiers are still valid, but might be removed and their function no longer supported in a future release.

Modifier Syntax Description
daysago daysago=<int> Search events within the last integer number of days.
enddaysago enddaysago=<int> Set an end time for an integer number of days before Now.
endhoursago endhoursago=<int> Set an end time for an integer number of hours before Now.
endminutesago endminutesago=<int> Set an end time for an integer number of minutes before Now.
endmonthsago endmonthsago=<int> Set an end time for an integer number of months before Now.
endtime endtime=<string> Search for events before the specified time (exclusive of the specified time). Use timeformat to specify how the timestamp is formatted.
endtimeu endtimeu=<int> Search for events before the specific UNIX time.
hoursago hoursago=<int> Search events within the last integer number of hours.
minutesago minutesago=<int> Search events within the last integer number of minutes.
monthsago monthsago=<int> Search events within the last integer number of months.
searchtimespandays searchtimespandays=<int> Search within a specified range of days, expressed as an integer.
searchtimespanhours searchtimespanhours=<int> Search within a specified range of hours, expressed as an integer.
searchtimespanminutes searchtimespanminutes=<int> Search within a specified range of minutes, expressed as an integer.
searchtimespanmonths searchtimespanmonths=<int> Search within a specified range of months, expressed as an integer.
startdaysago startdaysago=<int> Search the specified number of days before the present time.
starthoursago starthoursago=<int> Search the specified number of hours before the present time.
startminutesago startminutesago=<int> Search the specified number of minutes before the present time.
startmonthsago startmonthsago=<int> Search the specified number of months before the present time.
starttime starttime=<timestamp> Search from the specified date and time to the present, inclusive of the specified time.
starttimeu starttimeu=<int> Search for events starting from the specific UNIX time.
timeformat timeformat=<string> Set the timeformat for the starttime and endtime modifiers. By default: timeformat=%m/%d/%Y:%H:%M:%S
PREVIOUS
Date and time format variables 		  NEXT
abstract

This documentation applies to the following versions of Splunk® Enterprise: 6.6.0, 6.6.1, 6.6.2, 6.6.3, 6.6.4, 6.6.5, 6.6.6, 6.6.7, 6.6.8, 6.6.9, 6.6.10, 6.6.11, 6.6.12, 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13, 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 8.0.0, 8.0.1

Comments

Need to clarify that "mon" is somewhat inexact. For example: on Oct 31, "-1mon" will return Oct 1 and "-13mon+13mon@mon" and "-12mon+13mon@mon" will both return Nov 1.

Mlf
October 31, 2019

Pyro wood
The right column of every doc page is a TOC of the sections on the page. Since the very first section is already visible when you open the page, then the link doesn't appear to work. However, if you scroll down to another section, clicking on that link will take you back up to that section.

Lstewart splunk, Splunker
February 11, 2019

In the column on the right side there is a link-reference called "_time and _indextime fields" that doesn't seem to go anywhere.

Pyro wood
January 31, 2019

Vrobison
Thank you for pointing this out. We agree that it can be confusing, since people use different date formats. I've updated the examples in this topic. I will look for other topics that show dates and update them as well.

Lstewart splunk, Splunker
December 5, 2018

It would be useful if you always use date/time examples that demonstrate the format without ambiguity by using day of month values greater than 12 - this is a common point of confusion.
e.g. earliest="11/23/2017:20:00:00" latest="11/24/2017:20:00:00"
not earliest="11/5/2017:20:00:00" latest="11/12/2017:20:00:00"

Vrobison
November 30, 2018

Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters