Use time to find nearby events
The Splunk Web timeline and time ranges for search are based on event timestamps.
While searching for errors or troubleshooting an issue, looking at events that happened around the same time can help correlate results and find the root cause. This topic discusses how you can search for surrounding events using an event's timestamp and using the timeline.
Use time accelerators
The _time
field represents the timestamp of an event. When you run a search to retrieve events, the timestamp for each event is listed under the Time column.
You can click the timestamp of an event and open a dialog box containing controls, called a _time accelerator. Use the _time accelerator to run a new search that retrieves events chronologically close to that event.
You can search for events that occurred before the time, after the time, or at the time of the selected event's timestamp. Some examples are: +/- 30 seconds, +/- 1 hour, +/- 5 seconds, and so on.
Use the timeline
The timeline is a histogram of the number of events returned by a Splunk search over a chosen time range. The time range is broken up into smaller time intervals (such as seconds, minutes, hours, or days), and the count of events for each interval is displayed as a column.
The location of each column on the timeline corresponds to an instance when the events that match your search occurred. If there are no columns at a time period, no events were found then. The taller the column, the more events occurred at that time.
Spikes in the number of events or no events along the timeline can indicate time periods that you want to investigate.
The timeline has drilldown functionality similar to the table and chart drilldown. When you click on a column in the timeline, your search results update to show only the events represented by the column. If you double-click on a column, you re-run the search over the time range represented by the column. Then, you can search for all surrounding events at this time range.
Specify time ranges for real-time searches | About subsearches |
This documentation applies to the following versions of Splunk® Enterprise: 7.0.0, 7.0.1, 7.0.2, 7.0.3, 7.0.4, 7.0.5, 7.0.6, 7.0.7, 7.0.8, 7.0.9, 7.0.10, 7.0.11, 7.0.13
Feedback submitted, thanks!