Splunk® Enterprise

Search Tutorial

Specifying time ranges

Restricting, or filtering, your search criteria using a time range is the easiest and most effective way to optimize your searches.

You can use time ranges to troubleshoot an issue, if you know the approximate timeframe when the issue occurred. Narrow the time range of your search to that timeframe. For example, to investigate an incident that occurred sometime in the last hour, you can use the default time range Last 24 hours, but a better option is Last 60 minutes.

Let's explore the data from the Buttercup Games online store using the different time ranges.

  1. To start a new search, click Search in the Apps bar.
  2. To search for a keyword in your events, type buttercupgames in the Search bar and press Enter.

buttercupgames

The keyword is highlighted in the events that are returned.
This screen image shows the events returned from searching for "buttercupgames". The number of events returned appear in two places, directly below the Search bar and on the Events tab.

Notice that hundreds of events are returned.

You use the time range picker, which is to the right of the Search bar, to set time boundaries on your searches. The default time range is Last 24 hours. You can restrict the search to one of the preset time ranges, or use a custom time range.

Time ranges and the tutorial data

When you run a search using the tutorial data, if no events are returned, it is probably because you downloaded the tutorialdata.zip file more than one day ago. When you download the ZIP file, timestamps are generated at that moment in time and are added to the data.

The tutorial data for the Buttercup Games store contains events for a seven day period. The dates of the events are based on the date that you downloaded the tutorial data file. For example, if you download the file today, the dates for the events begin the previous week. If today is a Wednesday, the events have a timestamp starting the previous Wednesday. The last events are from yesterday. There are no events from today. Searching for events using Today or any time less than the last 24 hours will return no events.

For all of your searches that use the tutorial data files, you need to adjust the search time range based on when you downloaded the tutorial data files. If you downloaded the tutorial data file 3 days ago, there are no events from the last 3 days. Try a different Relative time range, such as Previous week or Last 7 days.

Preset time ranges

The time range picker has many preset time ranges that you can select from.

  1. Click the time range picker to see a list of the time range options. The Presets option contains Real-time, Relative, and Other time ranges.
    • Real-time searches display a live, streaming view of events. You can specify a window over which to retrieve events.
    • Historical searches display events from the past. You can restrict your search by specifying a relative time range or a specific date and time range.

    Because the data for the Buttercup Games online store is a snapshot of historical data, you will not use the '''Real-time''' preset time ranges in this tutorial.

    This screen capture shows the time range picker drop-down list. The Presets list is displayed.
  2. In the Presets option in the Relative list, click Yesterday.
  3. The number of events returned should be larger. You changed the time range from Last 24 hours to Yesterday.

Custom time ranges

Use a custom time range when one of the preset time ranges is not precise enough for your search.

Specify relative time ranges

You can use the Relative option to specify a custom time range.

  1. Open the time range picker.
  2. To run a search over the last two days, select the Relative time range option.
    This screen image shows the Relative option. For the "Earliest" time, the number 2 is typed in.  From the drop-down list, "Days Ago" is selected.  For the  "Latest" time, the radio button "Now" is selected.
  3. For Earliest, type 2 in the field, and select Days Ago from the drop-down list.
  4. For Latest, the default is Now. Select Beginning of today.
  5. Click Apply.
    The timestamps that appear below the radio buttons adjust based on your selections in the Relative list of time ranges.
    As mentioned before, if no events are returned, select a different time range, such 4 Days Ago or 1 Week Ago.

Specify date and time ranges

You can also use the Date Range and Date & Time Range options to specify a custom time range.

  • Use Between to specify that events must occur between an earliest and latest date.
  • Use Before to specify that events must occur before a date.
  • Use Since to specify that events must occur after a date.


You use the Date Range option to specify dates. The following screen image shows the calendar that you can use to select a date.

This screen image shows the calendar that appears when you click in one of the date fields.

You use the Date & Time Range option when you want to specify both a date and a time. The following screen image shows the "Between", "Before", or "Since" options.

This screen image shows options for how you specify the date range. You can specify that events are "Between" two dates, "Before" a specific date, or "Since" a specific date.

For example, to troubleshoot an issue that took place May 4, 2021 about 10:30 AM, you can specify the earliest time of 05/04/2021 10:25:00.000 and the latest time of 05/04/2021 11:00:00.000 to show the events immediately before and after the issue took place.

Next step

This completes Part 3 of the Search Tutorial.

You have explored the Search app views and learned how important it is to specify time ranges with your searches. Continue to Part 4: Searching the tutorial data.

See also

Change the default time range in the Search Manual

Last modified on 28 October, 2021
Exploring the Search views   Basic searches and search results

This documentation applies to the following versions of Splunk® Enterprise: 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4, 8.2.5, 8.2.6, 8.2.7, 8.2.8, 8.2.9, 8.2.10, 8.2.11, 8.2.12, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7, 9.0.8, 9.0.9, 9.0.10, 9.1.0, 9.1.1, 9.1.2, 9.1.3, 9.1.4, 9.1.5, 9.1.6, 9.1.7, 9.2.0, 9.2.1, 9.2.2, 9.2.3, 9.2.4, 9.3.0, 9.3.1, 9.3.2, 9.4.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters