Select time ranges to apply to your search
Use the time range picker to set time boundaries on your searches. You can restrict a search with preset time ranges, create custom time ranges, specify time ranges based on date or date and time, or work with advanced features in the time range picker. These options are described in the following sections.
If you are located in a different timezone, time-based searches use the timestamp of the event from the Splunk instance that indexed the data. See How time zones are processed by the Splunk platform.
Select from a list of Preset time ranges
The time range picker includes many built-in time range options that are defined by default in the times.conf file. You can select from a list of Real-time windows, Relative time ranges, and search over All Time.
Real-Time Preset time ranges
The number of concurrent real-time searches can greatly affect indexing performance. See About real-time searches and reports.
Users must have the Admin role to run and save real-time searches. For more information on managing roles and assigning roles to users, see Create and manage roles with Splunk Web in Securing Splunk Enterprise.
The Real-Time Preset time ranges apply to real-time searches and are listed in the following table. To learn about relative time modifiers, see Specify time modifiers in your search.
Real-Time Preset time range | Description | Equivalent relative time modifiers |
---|---|---|
30 second window | Events in the last 30 second window. | earliest_time = rt-30s latest_time = rt |
1 minute window | Events in the last 1 minute window. | earliest_time = rt-1m latest_time = rt |
5 minute window | Events in the last 5 minute window. | earliest_time = rt-5m latest_time = rt |
30 minute window | Events in the last 30 minute window. | earliest_time = rt-30m latest_time = rt |
1 hour window | Events in the last 1 hour window. | earliest_time = rt-1h latest_time = rt |
All time (real-time) | Total events for all real-time searches. | earliest_time = rt latest_time = rt |
Relative Preset time ranges
The Relative Preset time ranges are listed in the following table. To learn more about relative time modifiers, see Specify time modifiers in your search.
Relative Preset time range | Description | Equivalent relative time modifiers |
---|---|---|
Today | Events from today. | earliest_time = @d latest_time = now |
Week to date | Events from this week to the current date. | earliest_time = @w0 latest_time = now |
Business week to date | Events from this business week to the current date. Starts from the previous Monday at midnight (00:00:00) to now. | earliest_time = @w1 latest_time = now |
Month to date | Events from this month to the current date. | earliest_time = @mon latest_time = now |
Year to date | Events from this year to the current date. | earliest_time = @y latest_time = now |
Yesterday | Events from yesterday to today. | earliest_time = -1d@d latest_time = @d |
Previous week | Events from the previous week. | earliest_time = -7d@w0 latest_time = @w0 |
Previous business week | Events from the previous business week. If you run a search with this time range on a Sunday, the earliest time value will be the previous Monday. However, if you run this time range on a Saturday, the earliest time will be Monday 2 weeks ago. | earliest_time = -6d@w1 latest_time = -1d@w6 |
Previous month | Events from the previous month. | earliest_time = -1mon@mon latest_time = @mon |
Previous year | Events from the complete calendar year of the previous year. For example, if you run a search on any day in 2024, search results include events from Jan 1, 2023 at 00:00:00 to Jan 1, 2024 at 00:00:00. | earliest_time = -1y@y latest_time = @y |
Last 15 minutes | Events from the last 15 minutes. | earliest_time = -15m latest_time = now |
Last 60 minutes | Events from the last 60 minutes. | earliest_time = -60m@m latest_time = now |
Last 4 hours | Events from the last 4 hours. | earliest_time = -4h@m latest_time = now |
Last 24 hours | Events from the last 24 hours. | earliest_time = -24h@h latest_time = now |
Last 7 days | Events from the last 7 days. | earliest_time = -7d@h latest_time = now |
Last 30 days | Events from the last 30 days. | earliest_time = -30d@d latest_time = now |
Define custom Relative time ranges
Use Relative time range options to specify a custom time range for your search that is relative to Now or the Beginning of the current hour. You can select from the list of time range units: Seconds Ago, Minutes Ago, and so on.
By default, Earliest is set to No Snap-to and Latest is set to Now. If you specify the snap-to option for Earliest or Latest, the time range snaps to the beginning of the time frame that you select. For example, if you select Days Ago, the Earliest snap-to value is Beginning of today.
The preview boxes below the fields update to the time range as you make the selections.
To learn more about relative time ranges, see Specify time modifiers in your search.
Define custom Real-time time ranges
Users must have the Admin role to run and save real-time searches. For more information on managing roles and assigning roles to users, see Create and manage roles with Splunk Web in Securing Splunk Enterprise.
In Splunk Cloud Platform on Victoria Experience, real-time searches are enabled by default. In Splunk Cloud Platform on Classic Experience, you must open a support ticket to enable real-time search. For more information, see About real-time searches and reports in the Search Manual.
Users can use the real-time option to specify a custom Earliest time for a real-time search. Because this time range is for a real-time search, a Latest time is not relevant.
To learn more about time ranges for real-time searches, see Specify real-time time range windows in your search.
Define custom Date ranges
Use the Date Range option to specify custom calendar dates in your search. You can choose among options to return events: Between a beginning and end date, Before a date, and Since a date.
For these fields, you can type the date into the text box or select the date from a calendar.
Define custom Date & Time ranges
Use the Date & Time Range option to specify custom calendar dates and times for the beginning and ending of your search.
You can type the date into the text box or select the date from a calendar.
Use Advanced time range options
Use the Advanced option to specify the earliest and latest search times. You can write the times in UNIX time or relative time notation, such as -3d@d. The UNIX time value you type is converted to local time.
The UNIX time or relative time that you specify is displayed as a timestamp under the text field so that you can verify your entry.
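To check a modifier outside Splunk Web, for example before fixing the window of a scheduled detection search, the following added example (not Splunk code) resolves a subset of the relative time notation against a fixed clock. The names `resolve`, `TOKEN` and `FIXED` are hypothetical, and clamping the day on month offsets is an assumption.

```python
import calendar
import re
from datetime import datetime, timedelta

# Subset of the notation: [+|-]<n><unit> offsets and @<unit> snaps, chained left to right.
TOKEN = re.compile(r"([+-])(\d*)(mon|[smhdwy])|@(mon|w[0-7]?|[smhdy])")
FIXED = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}

def _add_months(t, n):
    year, month0 = divmod(t.year * 12 + t.month - 1 + n, 12)
    # Assumption: clamp the day when the target month is shorter.
    day = min(t.day, calendar.monthrange(year, month0 + 1)[1])
    return t.replace(year=year, month=month0 + 1, day=day)

def _snap(t, unit):
    # Truncate field by field until the requested unit is reached.
    for name, fields in (("s", {"microsecond": 0}), ("m", {"second": 0}),
                         ("h", {"minute": 0}), ("d", {"hour": 0})):
        t = t.replace(**fields)
        if unit == name:
            return t
    if unit[0] == "w":
        target = int(unit[1:] or 0) % 7   # @w is @w0; w0 and w7 are both Sunday
        today = (t.weekday() + 1) % 7     # Python Monday=0 -> Sunday=0
        return t - timedelta(days=(today - target) % 7)
    t = t.replace(day=1)
    return t if unit == "mon" else t.replace(month=1)

def resolve(modifier, now):
    if modifier == "now":
        return now
    t, pos = now, 0
    while pos < len(modifier):
        m = TOKEN.match(modifier, pos)
        if not m:
            raise ValueError(f"unsupported time modifier: {modifier!r}")
        sign, count, unit, snap = m.groups()
        if snap:
            t = _snap(t, snap)
        elif unit in FIXED:
            t += timedelta(**{FIXED[unit]: int(sign + (count or "1"))})
        else:
            t = _add_months(t, int(sign + (count or "1")) * (12 if unit == "y" else 1))
        pos = m.end()
    return t

if __name__ == "__main__":
    saturday = datetime(2024, 6, 15, 10, 30, 45)  # constructed "now"
    for mod in ("-6d@w1", "-1d@w6", "-1d@d+12h", "-60m@m"):
        print(mod, "->", resolve(mod, saturday))
```

Run on a Saturday and then a Sunday, the Previous business week modifiers reproduce the shift described in the Relative Preset table: the earliest time moves from the Monday two weeks back to the most recent Monday.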
Customize the list of Preset time ranges
You can customize the set of time ranges that appear in the Presets list of the time range picker in Splunk Web. You can create a time range based on an existing time range, or you can hide time ranges.
Create a time range based on an existing time range
The easiest way to create a new time range is to use an existing time range as the basis for a new time range. For example, the Relative time range list contains the Last 15 minutes time range. You want to create a time range for the last 30 minutes. You start by creating a duplicate, or clone, of the Last 15 minutes time range. In the clone, you change the Earliest setting from -15min to -30min.
- From the Settings menu, under the Knowledge list select User interface.
- In the User Interface window, select Time ranges.
- Locate the time range that you want to use.
- In the Actions column click Clone.
- A copy of the specifications for the time range appears. Make the changes to the time range specifications and click Save.
The new time range appears in the Relative list in the Presets menu.
Create a new Preset time range
You can create a new time range for the Presets menu. For example, you want to create a time range that shows searches yesterday from the hours of 12:00 to 15:00. You need to specify relative times in the Earliest and Latest fields. In the Earliest field you specify -1d@d+12h. In the Latest field you specify -1d@d+15h.
- From the Settings menu, under the Knowledge list select User interface.
- In the User Interface window, select Time ranges.
- Click New.
- Complete the fields in the Add New window and click Save.
The new time range appears in the Relative list in the Presets menu.
Hide a time range on the Presets list
- From the Settings menu, under the Knowledge list select User interface.
- In the User Interface window, select Time ranges.
- Locate the time range you want to hide. In the Status column click Disable.
Setting default time ranges for the API or CLI
You can set time ranges manually in the times.conf file when you want to specify a time range for a REST API endpoint or for the command line interface (CLI).
- Splunk Cloud Platform
- To set the default time ranges for the API, request help from Splunk Support. If you have a support contract, file a new case using the Splunk Support Portal at Support and Services. Otherwise, contact Splunk Customer Support. Splunk Cloud Platform users don't have shell access to the Splunk Cloud Platform deployment and can't use the CLI to set default time ranges.
- Splunk Enterprise
- Prerequisites
- Only users with file system access, such as system administrators, can change time ranges manually in the times.conf file.
- Review the steps in How to edit a configuration file in the Admin Manual.
Never change or copy the configuration files in the default directory. The files in the default directory must remain intact and in their original location. Make the changes in the local directory.
- Steps
- Open the local times.conf file for the Search app. For example, $SPLUNK_HOME/etc/apps/<app_name>/local.
- Create a stanza for the time range that you want to specify. For examples, see the times.conf reference in the Admin Manual.
Change the default time range
The default time range for ad hoc searches in the Search & Reporting App is set to Last 24 hours.
In Splunk Enterprise, an administrator can set the default time range globally, across all apps. See Change default values in the Splunk Enterprise Admin Manual.
In Splunk Cloud Platform, contact Splunk customer support to request a change to the default time range.
See also
- About searching with time
- Specify time modifiers in your search
This documentation applies to the following versions of Splunk Cloud Platform™: 9.3.2408, 8.2.2112, 8.2.2201, 8.2.2202, 9.0.2205, 9.0.2208, 8.2.2203, 9.0.2209, 9.0.2303, 9.0.2305, 9.1.2308, 9.1.2312, 9.2.2403, 9.2.2406 (latest FedRAMP release)