Specify time modifiers in your search
When searching or saving a search, you can specify absolute and relative time ranges using the following time modifiers:
earliest=<time_modifier> latest=<time_modifier>
An absolute time range uses specific dates and times, for example, from 12 A.M. April 1, 2022 to 12 A.M. April 13, 2022.
A relative time range is dependent on when the search is run. For example, a relative time range of -60m means 60 minutes ago. If the current time is 3 P.M., the search returns events from the last 60 minutes, or 2 P.M. to 3 P.M. today.
The current time is referred to as "now".
The earliest and latest time modifiers for real-time search that use the rt prefix, for example earliest=-rt-5m latest=rt, are not intended for use in search strings. Specifying earliest and latest time modifiers using real-time modifier syntax in a search string returns an error. For more information, see Specify time ranges for real-time searches.
Time modifiers and the Time Range Picker
A time range that you specify in the Search bar, or in a saved search, overrides the time range that is selected in the Time Range Picker.
For example, if you select Last 24 hours in the Time Range Picker and specify earliest=-30m latest=now in the Search bar, the search only looks at events that have a timestamp within the last 30 minutes.
This applies to any option you can select in the Time Range Picker. However, it does not apply to subsearches, as described next.
Time ranges and subsearches
Time ranges selected from the Time Range Picker apply to the main search and to subsearches, unless a time range is specified in the Search bar. Time ranges that you specify directly in the Search bar apply only to the portion of the search in which they appear:
- Time ranges specified in the main search do not apply to subsearches.
- Time ranges specified in a subsearch apply only to that subsearch. They do not apply to the main search or to any other subsearch.
Specify absolute time ranges
For exact time ranges, the syntax for the time modifiers is %m/%d/%Y:%H:%M:%S. For example, the following search specifies a time range from 12 A.M. April 19, 2022 to 12 A.M. April 27, 2022.
earliest=04/19/2022:00:00:00 latest=04/27/2022:00:00:00
If you specify only the earliest time modifier, latest defaults to the current time, now. If you specify a latest time modifier, you must also specify an earliest time.
Specify relative time ranges
You define the relative time in your search by using a string of characters that indicates the amount of time. The syntax is a sign, an integer, and a time unit.
1. Begin your string with a minus ( - ) or a plus ( + ) to indicate an offset before or after the current time.
2. Specify the amount of time by using a number and a time unit. When you specify a single time amount, the number 1 is implied. For example, s is the same as 1s, m is the same as 1m, and so on. The supported time units are listed in the following table.
Time range | Valid values |
---|---|
seconds | s, sec, secs, second, seconds |
minutes | m, min, minute, minutes |
hours | h, hr, hrs, hour, hours |
days | d, day, days |
weeks | w, week, weeks |
months | mon, month, months |
quarters | q, qtr, qtrs, quarter, quarters |
years | y, yr, yrs, year, years |
When specifying relative time, use now to refer to the current time.
Relative time modifiers that snap to a time
With relative time, you can also specify a snap to time, which rounds the result of the relative offset down to the start of a time unit. To do this, separate the time amount from the snap to time unit with an "@" character.
The syntax for the snap to time unit is [+|-]<time_integer><time_unit>@<time_unit>.
When snapping, Splunk software always snaps backwards, or rounds down, to the latest boundary that is not after the specified time. It never rounds forward. For example, if the current time is 15:45:00 and the time modifier is earliest=-h@h, the offset -h gives 14:45:00 and the @h snap rounds that down to 14:00:00.
You can also define the relative time modifier using only the snap to time unit. For example, to snap to a specific day of the week, use @w0 for Sunday, @w1 for Monday, and so forth. For Sunday, you can specify either w0 or w7.
If you do not specify a snap to time unit, the search uses seconds as the snap to time unit.
The snap to option is useful in many situations. For example, to search for events in the previous month, specify earliest=-mon@mon latest=@mon. This range begins at the start of the previous month and ends at the start of the current month.
Difference between relative time and relative snap to time
On April 28th, you decide to run a search at 14:05.
- If you specify earliest=-2d, the search goes back exactly two days, starting at 14:05 on April 26th.
- If you specify earliest=-2d@d, the search goes back two days and then snaps to the beginning of that day. The search looks for events starting from 00:00 on April 26th.
Special time units
The following abbreviations are reserved for special cases of time units and snap to offsets.
Time Unit | Description |
---|---|
earliest=1 | If you want to search events from the start of UNIX epoch time, use earliest=1. UNIX epoch time 1 is UTC January 1, 1970 at 12:00:01 AM. |
earliest=now | Specify that the search starts or ends at the current time. |
@q, @qtr, or @quarter | Specify a snap to the beginning of the most recent quarter: Jan 1, Apr 1, July 1, or Oct 1. |
w0, w1, w2, w3, w4, w5, w6, and w7 | Specify "snap to" days of the week, where w0 is Sunday, w1 is Monday, and so on through w6 for Saturday. Snapping to a week, @w or @week, is equivalent to snapping to Sunday, @w0. You can use either w0 or w7 for Sunday. |
Specify earliest relative time offset and latest time in ad hoc searches
Ad hoc searches that use the earliest time modifier with a relative time offset should also include latest=now to avoid time range inaccuracies. For example, if you run the following search at 01:00:10 to get all events from the last 10 seconds, it returns all events between 01:00:00 and 01:00:10, as expected.
index=main earliest=-10s latest=now
Running the same search without latest=now might produce unpredictable results or impact performance in certain scenarios, such as when the search head is overloaded with ad hoc searches.
Examples of relative time modifiers
For the following examples, the current time is Wednesday, 05 June 2024, 01:37:05 P.M.
24h is usually, but not always, equivalent to 1d: 24h is a fixed duration, while 1d is a calendar day, so the two differ across Daylight Saving Time boundaries.
Time modifier | Description | Resulting time | Equivalent modifiers |
---|---|---|---|
now | Now, the current time | Wednesday, 05 June 2024, 01:37:05 P.M. | now() |
-60m | 60 minutes ago | Wednesday, 05 June 2024, 12:37:05 P.M. | -60m@s |
-1h@h | 1 hour ago, to the hour | Wednesday, 05 June 2024, 12:00:00 P.M. | |
-1d@d | Yesterday | Tuesday, 04 June 2024, 12:00:00 A.M. | |
-24h | 24 hours ago (yesterday) | Tuesday, 04 June 2024, 01:37:05 P.M. | -24h@s |
-7d@d | 7 days ago, 1 week ago today | Wednesday, 29 May 2024, 12:00:00 A.M. | |
-7d@m | 7 days ago, snap to minute boundary | Wednesday, 29 May 2024, 01:37:00 P.M. | |
@w0 | Beginning of the current week | Sunday, 02 June 2024, 12:00:00 A.M. | |
+1d@d | Tomorrow | Thursday, 06 June 2024, 12:00:00 A.M. | |
+24h | 24 hours from now, tomorrow | Thursday, 06 June 2024, 01:37:05 P.M. | +24h@s |
Examples of chained relative time offsets
You can also specify offsets from the snap-to-time or "chain" together the time modifiers for more specific relative time definitions.
Time modifier | Description | Resulting time |
---|---|---|
@d-2h | Snap to the beginning of today (12 A.M.) and subtract 2 hours from that time. | 10 P.M. last night. |
-mon@mon+7d | One month ago, snapped to the first of the month at midnight, and add 7 days. | The 8th of last month at 12 A.M. |
Examples of searches with relative time modifiers
Search from the beginning of the week to the time of your search
This example searches for Web access errors from the beginning of the week to the time that you run your search.
eventtype=webaccess error earliest=@w0 latest=now
This search returns matching events starting from 12:00 A.M. of the Sunday of the current week to the current time. Of course, this means that if you run this search on Monday at noon, you will only see events for 36 hours of data.
Search the current business week
This example searches for Web access errors from the current business week. In the snap to notation, w1 is Monday and w6 is Saturday, so snapping latest to w6 ends the range at midnight at the close of Friday.
eventtype=webaccess error earliest=@w1 latest=+7d@w6
This search returns matching events starting from 12:00 A.M. of the Monday of the current week and ending at 12:00 A.M. of the Saturday of the current week, that is, through 11:59:59 P.M. on Friday. The +7d in latest first moves forward into next week, so that the @w6 snap rounds back down to this week's Saturday rather than last week's.
- If you run this search on Monday at noon, you will only see events for 12 hours of data.
- If you run this search on Friday, you will see events from the beginning of the week to the current time on Friday. The timeline however, will display for the full business week.
Search the last full business week
This example searches Web access errors from the last full business week.
eventtype=webaccess error earliest=-7d@w1 latest=@w6
This search returns matching events starting from 12:00 A.M. of last Monday and ending at 12:00 A.M. of last Saturday, that is, through 11:59:59 P.M. of last Friday.
Search the last 24 hours but omit 1 hour
This example searches an index for the last 24 hours but omits any events returned from Midnight to 1:00 A.M., when downtime returns false log entries.
index=myindex ((earliest=-24h latest<@d) OR (earliest>=@d+1h))
This search specifies two time ranges:
- 24 hours before the search is run, up to midnight
- The beginning of the day that the search is run, starting at 1 hour after midnight or 1:00 A.M.
Search for specific windows of time
The following table describes several ways to search for specific windows of time:
Description | Search | Search runtime | Search start window | Search end window |
---|---|---|---|---|
Search for events from seven days ago until today. | | Wednesday May 11th at 3:37 PM | Wednesday May 4th at 3:37 PM | Wednesday May 11th at 3:37 PM |
Search for events from seven days ago for a five hour window. | | Wednesday May 11th at 3:37 PM | Wednesday May 4th at 3:37 PM | Wednesday May 4th at 8:37 PM |
Search for events from seven days ago, from the beginning of that day for a two hour window. | | Wednesday May 11th at 3:37 PM | Wednesday May 4th at 12:00 AM | Wednesday May 4th at 2:00 AM |
Search for events from seven days ago. Start three hours before the beginning of that day. End at the beginning of the day, seven days ago. | | Wednesday May 11th at 3:37 PM | Tuesday May 3rd at 9:00 PM | Wednesday May 4th at 12:00 AM |
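The following Python is an added example, not Splunk code: a small evaluator for the modifier grammar described in the relative time, snap to, chained offset, and example sections above, checked against the page's two example clocks (Wednesday, 05 June 2024, 01:37:05 P.M. and Wednesday May 11th at 3:37 PM). It is the kind of tool a detection engineer uses to see exactly which window a saved search such as earliest=-7d@w1 latest=@w6 covers before relying on it. The Search column of the table above is missing on this page; the modifiers earliest=-7d, earliest=-7d latest=-7d+5h, earliest=-7d@d latest=-7d@d+2h, and earliest=-7d@d-3h latest=-7d@d used here are my reading of the four descriptions, not the page's text. The function names resolve, window, and is_valid, and the constants PAGE_NOW and WINDOW_NOW, are this example's own.

```python
"""Resolve Splunk-style earliest/latest time modifiers to concrete datetimes.

Added example, not Splunk code. Grammar covered (from the page):
now | <epoch integer> | %m/%d/%Y:%H:%M:%S | [+|-][<int>]<unit> | @<unit> | @w0..@w7,
with offsets and snaps chained in any order (for example -mon@mon+7d or @d-2h).
"""
import re
from datetime import datetime, timedelta, timezone

_ALIASES = {  # unit table from the page, normalised to a canonical key
    "s": ("s", "sec", "secs", "second", "seconds"), "m": ("m", "min", "minute", "minutes"),
    "h": ("h", "hr", "hrs", "hour", "hours"), "d": ("d", "day", "days"), "w": ("w", "week", "weeks"),
    "mon": ("mon", "month", "months"), "q": ("q", "qtr", "qtrs", "quarter", "quarters"),
    "y": ("y", "yr", "yrs", "year", "years"),
}
_UNIT = {alias: key for key, aliases in _ALIASES.items() for alias in aliases}
_UNIT_RE = "|".join(sorted(_UNIT, key=len, reverse=True))  # longest alias first, so "mon" beats "m"
_TOKEN_RE = re.compile(rf"([+-])(\d*)({_UNIT_RE})|@(w[0-7]|{_UNIT_RE})")

PAGE_NOW = datetime(2024, 6, 5, 13, 37, 5)  # the page's example clock: Wed 05 June 2024 01:37:05 PM
WINDOW_NOW = datetime(2022, 5, 11, 15, 37)  # clock of the "specific windows" table: Wed May 11th 3:37 PM


def _add_months(dt: datetime, n: int) -> datetime:
    """Calendar month arithmetic, clamping the day (Mar 31 minus 1mon is Feb 28 or 29)."""
    year, month0 = divmod(dt.year * 12 + dt.month - 1 + n, 12)
    month = month0 + 1
    last_day = (datetime(year + (month == 12), month % 12 + 1, 1) - timedelta(days=1)).day
    return dt.replace(year=year, month=month, day=min(dt.day, last_day))


def _offset(dt: datetime, sign: str, n: int, unit: str) -> datetime:
    n = -n if sign == "-" else n
    if unit in ("s", "m", "h"):  # fixed durations: for zone-aware input, -24h is exactly 86400 s across DST
        delta = timedelta(seconds=n * {"s": 1, "m": 60, "h": 3600}[unit])
        return dt + delta if dt.tzinfo is None else (dt.astimezone(timezone.utc) + delta).astimezone(dt.tzinfo)
    if unit in ("d", "w"):  # calendar units keep the wall-clock time, so -1d is yesterday at the same time
        return dt + timedelta(days=n * (7 if unit == "w" else 1))
    return _add_months(dt, n * {"mon": 1, "q": 3, "y": 12}[unit])


def _snap(dt: datetime, unit: str) -> datetime:
    # Round down to the latest boundary of `unit` that is not after dt; never rounds forward.
    if unit == "w":  # @w and @week mean @w0 (Sunday)
        unit = "w0"
    if unit[0] == "w":  # w0..w7: Sunday is 0 (or 7), Saturday is 6
        back = (dt.isoweekday() % 7 - int(unit[1]) % 7) % 7  # Python Mon=1..Sun=7 -> Sun=0..Sat=6
        dt, unit = dt - timedelta(days=back), "d"
    elif unit == "q":
        dt, unit = dt.replace(month=dt.month - (dt.month - 1) % 3), "mon"
    elif unit == "y":
        dt, unit = dt.replace(month=1), "mon"
    if unit == "mon":
        dt, unit = dt.replace(day=1), "d"
    if unit == "d":
        dt, unit = dt.replace(hour=0), "h"
    if unit == "h":
        dt, unit = dt.replace(minute=0), "m"
    if unit == "m":
        dt = dt.replace(second=0)
    return dt.replace(microsecond=0)


def resolve(modifier: str, now: datetime) -> datetime:
    """Evaluate one earliest= or latest= value against `now`; raises ValueError on bad syntax."""
    if modifier == "now":
        return now
    if modifier.isdigit():  # earliest=1 is one second after the UNIX epoch
        epoch = datetime.fromtimestamp(int(modifier), tz=timezone.utc)
        return epoch.astimezone(now.tzinfo) if now.tzinfo else epoch.replace(tzinfo=None)
    try:
        return datetime.strptime(modifier, "%m/%d/%Y:%H:%M:%S").replace(tzinfo=now.tzinfo)
    except ValueError:
        pass  # not an absolute time, so it must be a relative modifier
    dt, pos = now, 0
    for tok in _TOKEN_RE.finditer(modifier):
        if tok.start() != pos:  # unparsable characters between tokens
            break
        pos = tok.end()
        sign, digits, unit, snap = tok.groups()
        if snap:
            dt = _snap(dt, snap if snap[1:].isdigit() else _UNIT[snap])
        else:
            dt = _offset(dt, sign, int(digits or 1), _UNIT[unit])  # "-h" means "-1h"
    if pos == 0 or pos != len(modifier):
        raise ValueError(f"unparsable time modifier: {modifier!r}")
    return dt


def window(now: datetime, earliest: str, latest: str = "now") -> tuple:
    """Resolve an earliest/latest pair. latest defaults to now; latest without earliest is an error."""
    if not earliest:
        raise ValueError("a latest modifier requires an earliest modifier")
    start, end = resolve(earliest, now), resolve(latest, now)
    if end <= start:
        raise ValueError(f"empty window: earliest {start} is not before latest {end}")
    return start, end


def is_valid(modifier: str, now: datetime = PAGE_NOW) -> bool:
    """True if the modifier parses; useful for linting saved searches before they are deployed."""
    try:
        resolve(modifier, now)
        return True
    except ValueError:
        return False
```

Calling window(PAGE_NOW, "@w1", "+7d@w6") returns the current business week, Monday 03 June 2024 00:00:00 to Saturday 08 June 2024 00:00:00, and window(PAGE_NOW, "-7d@w1", "@w6") returns the last full one. Naive datetimes are treated as search-local time; if you pass a zone-aware now, the s/m/h units are applied as fixed durations in UTC while d and larger units are applied to the wall clock, which is the distinction behind the page's note that 24h and 1d differ across a Daylight Saving Time change. Real-time modifiers such as -rt-5m are rejected, matching the page's statement that they are not valid in search strings.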
See also
- Related information
- Time modifiers in the Search Reference
This documentation applies to the following versions of Splunk® Enterprise: 8.1.0, 8.1.1, 8.1.2, 8.1.3, 8.1.4, 8.1.5, 8.1.6, 8.1.7, 8.1.8, 8.1.9, 8.1.10, 8.1.11, 8.1.12, 8.1.13, 8.1.14, 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.2.0, 9.2.2, 9.2.1, 9.3.0