Splunk® Enterprise

Search Manual

Splunk Enterprise version 7.1 is no longer supported as of October 31, 2020. See the Splunk Software Support Policy for details. For information about upgrading to a supported version, see How to upgrade Splunk Enterprise.

Select time ranges to apply to your search

Use the time range picker to set time boundaries on your searches. You can restrict a search with preset time ranges, create custom time ranges, specify time ranges based on date or date and time, or work with advanced features in the time range picker. These options are described in the following sections.

If you are located in a different timezone, time-based searches use the timestamp of the event from the Splunk instance that indexed the data. See How time zones are processed by the Splunk platform.

Select from a list of Preset time ranges

The time range picker includes many built-in time range options that are defined by default in the times.conf file. You can select from a list of Real-time windows and Relative time ranges, or search over All Time.

This screen capture shows the time range picker drop-down list. The Presets list is displayed.

Real-Time Preset time ranges

The number of concurrent real-time searches can greatly affect indexing performance. See About real-time searches and reports.

Users must have the Admin role to run and save real-time searches. For more information on managing roles and assigning roles to users, see Create and manage roles with Splunk Web in Securing Splunk Enterprise.

The Real-Time Preset time ranges apply to real-time searches and are listed in the following table. To learn about relative time modifiers, see Specify time modifiers in your search.

Real-Time Preset time range, description, and equivalent relative time modifiers:
  • 30 second window: Events in the last 30 second window. earliest_time = rt-30s, latest_time = rt
  • 1 minute window: Events in the last 1 minute window. earliest_time = rt-1m, latest_time = rt
  • 5 minute window: Events in the last 5 minute window. earliest_time = rt-5m, latest_time = rt
  • 30 minute window: Events in the last 30 minute window. earliest_time = rt-30m, latest_time = rt
  • 1 hour window: Events in the last 1 hour window. earliest_time = rt-1h, latest_time = rt
  • All time (real-time): Total events for all real-time searches. earliest_time = rt, latest_time = rt

Relative Preset time ranges

The Relative Preset time ranges are listed in the following table. To learn more about relative time modifiers, see Specify time modifiers in your search.

Relative Preset time range, description, and equivalent relative time modifiers:
  • Today: Events from today. earliest_time = @d, latest_time = now
  • Week to date: Events from this week to the current date. earliest_time = @w0, latest_time = now
  • Business week to date: Events from this business week to the current date. Starts from the previous Monday at midnight (00:00:00) to now. earliest_time = @w1, latest_time = now
  • Month to date: Events from this month to the current date. earliest_time = @mon, latest_time = now
  • Year to date: Events from this year to the current date. earliest_time = @y, latest_time = now
  • Yesterday: Events from yesterday to today. earliest_time = -1d@d, latest_time = @d
  • Previous week: Events from the previous week. earliest_time = -7d@w0, latest_time = @w0
  • Previous business week: Events from the previous business week. If you run a search with this time range on a Sunday, the earliest time value will be the previous Monday. However, if you run this time range on a Saturday, the earliest time will be Monday 2 weeks ago. earliest_time = -6d@w1, latest_time = -1d@w6
  • Previous month: Events from the previous month. earliest_time = -1mon@mon, latest_time = @mon
  • Previous year: Events from the complete calendar year of the previous year. For example, if you run a search on any day in 2024, search results include events from Jan 1, 2023 at 00:00:00 to Jan 1, 2024 at 00:00:00. earliest_time = -1y@y, latest_time = @y
  • Last 15 minutes: Events from the last 15 minutes. earliest_time = -15m, latest_time = now
  • Last 60 minutes: Events from the last 60 minutes. earliest_time = -60m@m, latest_time = now
  • Last 4 hours: Events from the last 4 hours. earliest_time = -4h@m, latest_time = now
  • Last 24 hours: Events from the last 24 hours. earliest_time = -24h@h, latest_time = now
  • Last 7 days: Events from the last 7 days. earliest_time = -7d@h, latest_time = now
  • Last 30 days: Events from the last 30 days. earliest_time = -30d@d, latest_time = now

Define custom Relative time ranges

Use Relative time range options to specify a custom time range for your search that is relative to Now or the Beginning of the current hour. You can select from the list of time range units: Seconds Ago, Minutes Ago, and so on.

This image shows the Relative time ranges page. The Earliest drop-down is expanded to show the options.

By default, Earliest is set to No Snap-to and Latest is set to Now. If you specify the snap-to option for Earliest or Latest, the time range snaps to the beginning of the time frame that you select. For example, if you select Days Ago, the Earliest snap-to value is Beginning of today.

This screen image shows the Relative option. For "Earliest", the number 2 is typed in. From the drop-down list, "Days Ago" is selected. For "Latest", the default radio button "Now" is selected.

The preview boxes below the fields update to the time range as you make the selections.

To learn more about relative time ranges, see Specify time modifiers in your search.

Define custom Real-time time ranges

Users must have the Admin role to run and save real-time searches. For more information on managing roles and assigning roles to users, see Create and manage roles with Splunk Web in Securing Splunk Enterprise.

In Splunk Cloud Platform on Victoria Experience, real-time searches are enabled by default. In Splunk Cloud Platform on Classic Experience, you must open a support ticket to enable real-time search. For more information, see About real-time searches and reports in the Search Manual.

Users can use the real-time option to specify a custom Earliest time for a real-time search. Because this time range is for a real-time search, a Latest time is not relevant.

This image shows the window where you can specify a custom time range for a real-time search. The default time range is Earliest 24 hours.

To learn more about time ranges for real-time searches, see Specify real-time time range windows in your search.

Define custom Date ranges

Use the Date Range option to specify custom calendar dates in your search. You can choose among options to return events: Between a beginning and end date, Before a date, and Since a date.

This image shows the window where you can specify a custom date range. The Between option is selected.

For these fields, you can type the date into the text box or select the date from a calendar.

This image shows the calendar from which you can specify a date.

Define custom Date & Time ranges

Use the Date & Time Range option to specify custom calendar dates and times for the beginning and ending of your search.

This image shows the window from which you can specify a date and a time range.

You can type the date into the text box or select the date from a calendar.

Use Advanced time range options

Use the Advanced option to specify the earliest and latest search times. You can write the times in UNIX time or relative time notation, such as -3d@d. The UNIX time value you type is converted to local time.

The UNIX time or relative time that you specify is displayed as a timestamp under the text field so that you can verify your entry.

This image shows the Advanced time range window. Relative times are specified in both the Earliest field and the Latest field. The time -3d@d is specified in the Earliest field. The time -h@h is specified in the Latest field.

Customize the list of Preset time ranges

You can customize the set of time ranges that appear in the Presets list of the time range picker in Splunk Web. You can create a time range based on an existing time range, or you can hide time ranges.

Create a time range based on an existing time range

The easiest way to create a new time range is to use an existing time range as the basis for a new time range. For example, the Relative time range list contains the Last 15 minutes time range. You want to create a time range for the last 30 minutes. You start by creating a duplicate, or clone, of the Last 15 minutes time range. In the clone, you change the Earliest setting from -15min to -30min.

  1. From the Settings menu, under the Knowledge list select User interface.
  2. In the User Interface window, select Time ranges.
  3. Locate the time range that you want to use.
  4. In the Actions column click Clone.
  5. A copy of the specifications for the time range appears. Make the changes to the time range specifications and click Save.

The new time range appears in the Relative list in the Presets menu.

Create a new Preset time range

You can create a new time range for the Presets menu. For example, you want to create a time range that shows searches yesterday from the hours of 12:00 to 15:00. You need to specify relative times in the Earliest and Latest fields. In the Earliest field you specify -1d@d+12h. In the Latest field you specify -1d@d+15h.

  1. From the Settings menu, under the Knowledge list select User interface.
  2. In the User Interface window, select Time ranges.
  3. Click New.
  4. Complete the fields in the Add New window and click Save.

The new time range appears in the Relative list in the Presets menu.
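When you define a preset such as -1d@d+12h / -1d@d+15h above, or rely on a built-in one like Previous business week (-6d@w1 / -1d@w6) from the Relative Preset table, it helps to check what the pair actually resolves to on a given day. The following evaluator is an added example, not Splunk's own code: it implements the shift-and-snap semantics of relative time modifiers against a constructed "now" (naive local datetime or ISO 8601 string), using the snap-week convention the table describes (@w0 is Sunday, @w1 Monday), and rejects real-time rt- modifiers because they are relative to the wall clock.

```python
import calendar
import re
from datetime import datetime, timedelta

# A modifier chains shifts (+12h, -1mon, bare -h = -1h) and snaps (@d, @w1, @mon), left to right.
TOKEN = re.compile(r"([+-]?)(\d*)(mon|[smhdwy])|@(mon|w[0-6]?|[smhdy])")
DELTA = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}

def _shift(t, n, unit):
    if unit in DELTA:
        return t + timedelta(**{DELTA[unit]: n})
    months = t.year * 12 + t.month - 1 + (n if unit == "mon" else 12 * n)
    year, month = divmod(months, 12)
    last_day = calendar.monthrange(year, month + 1)[1]  # clamp, e.g. Mar 31 -> Feb 29
    return t.replace(year=year, month=month + 1, day=min(t.day, last_day))

def _snap(t, unit):
    if unit == "s":
        return t.replace(microsecond=0)
    if unit == "m":
        return t.replace(second=0, microsecond=0)
    if unit == "h":
        return t.replace(minute=0, second=0, microsecond=0)
    day = t.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "d":
        return day
    if unit[0] == "w":  # @w and @w0 = Sunday ... @w6 = Saturday; Python's weekday() has Monday = 0
        target = (int(unit[1:] or 0) - 1) % 7
        return day - timedelta(days=(day.weekday() - target) % 7)
    return day.replace(day=1) if unit == "mon" else day.replace(month=1, day=1)

def resolve(modifier, now):
    """Evaluate a Splunk relative time modifier such as "-1d@d+12h" against `now` (datetime or ISO string)."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)  # constructed "now" values are passed in for testing
    expr = modifier.strip()
    if expr == "now":
        return now
    if not re.fullmatch(f"(?:{TOKEN.pattern})+", expr):
        raise ValueError(f"not a relative time modifier (rt- windows are not supported): {modifier!r}")
    t = now
    for m in TOKEN.finditer(expr):
        if m.group(4):  # snap token: move back to the start of that unit
            t = _snap(t, m.group(4))
        else:           # shift token: signed count of units, default count 1
            n = int(m.group(2) or 1) * (-1 if m.group(1) == "-" else 1)
            t = _shift(t, n, m.group(3))
    return t
```

Resolving -6d@w1 with a Saturday "now" (for example 2024-03-16T10:30:00) yields Monday 2024-03-04, while a Sunday "now" (2024-03-17T10:30:00) yields Monday 2024-03-11, which is the Previous business week behaviour the table warns about.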

Hide a time range on the Presets list

  1. From the Settings menu, under the Knowledge list select User interface.
  2. In the User Interface window, select Time ranges.
  3. Locate the time range you want to hide. In the Status column click Disable.

Setting default time ranges for the API or CLI

You can set time ranges manually in the times.conf file when you want to specify a time range for a REST API endpoint or for the command line interface (CLI).

Splunk Cloud Platform
To set the default time ranges for the API, request help from Splunk Support. If you have a support contract, file a new case using the Splunk Support Portal at Support and Services. Otherwise, contact Splunk Customer Support. Splunk Cloud Platform users don't have shell access to the Splunk Cloud Platform deployment and can't use the CLI to set default time ranges.
Splunk Enterprise
Prerequisites
  • Only users with file system access, such as system administrators, can change time ranges manually in the times.conf file.
  • Review the steps in How to edit a configuration file in the Admin Manual.

Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location. Make the changes in the local directory.

Steps
  1. Open the local times.conf file for the Search app. For example, $SPLUNK_HOME/etc/apps/<app_name>/local.
  2. Create a stanza for the time range that you want to specify. For examples, see the times.conf reference in the Admin Manual.

Change the default time range

The default time range for ad hoc searches in the Search & Reporting App is set to Last 24 hours.

In Splunk Enterprise, an administrator can set the default time range globally, across all apps. See Change default values in the Splunk Enterprise Admin Manual.

In Splunk Cloud Platform, contact Splunk customer support to request a change to the default time range.

See also

Related information
About searching with time
Specify time ranges for real-time searches
How time zones are processed by the Splunk platform
Last modified on 19 October, 2023

This documentation applies to the following versions of Splunk® Enterprise: 7.1.0, 7.1.1, 7.1.2, 7.1.3, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.1.8, 7.1.9, 7.1.10, 7.2.0, 7.2.1, 7.2.2, 7.2.3, 7.2.4, 7.2.5, 7.2.6, 7.2.7, 7.2.8, 7.2.9, 7.2.10, 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 7.3.6, 7.3.7, 7.3.8, 7.3.9, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2