Time modifiers - Splunk Documentation (2024)

Use time modifiers to customize the time range of an SPL2 search or change the format of the timestamps in the search results.

Searching the _time field

When an event is processed by Splunk software, its timestamp is saved as the default field _time. This timestamp, which is the time when the event occurred, is stored as a UNIX timestamp (seconds since the epoch). Searching with the earliest and latest time modifiers returns every event whose _time falls at or after the earliest timestamp, before the latest timestamp, or between the two when both are given.

For example, when you search for earliest=@d, the search finds every event with a _time value since midnight. This example uses the snap-to unit @d, which rounds the current time down to the start of the day. See Time variables.

List of time modifiers

Use the earliest and latest modifiers to specify custom and relative time ranges. You can specify an exact time such as earliest="10/5/2021:20:00:00", or a relative time such as earliest=-h or latest=@w6.

When specifying relative time, you can use the now modifier to refer to the current time.

You can specify either the equal ( = ) or not equal (!= ) operator with the time modifiers. No other operators are supported.

Modifier: earliest
Syntax: earliest=[+|-]<time_integer><time_unit>@<time_unit>
Description: Specifies the earliest time in the _time field for the time range of your search. Use earliest=1 to specify UNIX epoch time 1, which is January 1, 1970 at 00:00:01 UTC.

Modifier: _index_earliest
Syntax: _index_earliest=[+|-]<time_integer><time_unit>@<time_unit>
Description: Specifies the earliest time in the _indextime field for the time range of your search.

Modifier: _index_latest
Syntax: _index_latest=[+|-]<time_integer><time_unit>@<time_unit>
Description: Specifies the latest time in the _indextime field for the time range of your search.

Modifier: latest
Syntax: latest=[+|-]<time_integer><time_unit>@<time_unit>
Description: Specifies the latest time in the _time field for the time range of your search. If you don't specify latest, now() is used as the default value.

Modifier: now
Syntax: now() or now
Description: Refers to the current time. If you set earliest=now, the search range starts at the current time.

Modifier: time
Syntax: time()
Description: In real-time searches, time() is the current machine time.

Examples of time modifiers

The following table lists some examples for the earliest and latest time modifiers.

Modifier: earliest
Syntax: earliest=[+|-]<time_integer><time_unit>@<time_unit>
Description: Specify the earliest _time for the time range of your search.
Examples:

  • Go back in time 5 minutes: ... earliest=-5m
  • Go back 40 seconds: ... earliest=-40s

Modifier: latest
Syntax: latest=[+|-]<time_integer><time_unit>@<time_unit>
Description: Specify the latest _time for the time range of your search. If you omit latest, the current time (now) is used.
Example:

  • Between 2 and 4 hours ago: ... earliest=-4h latest=-2h

Searching based on index time

You also have the option of searching for events based on when they were indexed. The time at which Splunk software indexed an event is saved, as a UNIX timestamp, in the _indextime field. Similar to earliest and latest for the _time field, you can use the relative time modifiers _index_earliest and _index_latest to search for events based on _indextime. For example, to search for events indexed in the previous full hour, use: _index_earliest=-h@h _index_latest=@h.

The index-time modifiers _index_earliest and _index_latest do not replace the event-time window. The search still applies the time range picker, or the earliest and latest values, to _time, and an event is returned only if it falls inside both windows. An event that was indexed in the last hour but carries a _time from three days ago (a late-arriving log, or a source with a wrong clock) is dropped by a default event-time range such as the last 24 hours even though its index time matches. To be certain of retrieving every event based on index time, run your search using All Time.

Examples

1. Run a search over all time

If you want to search events from the start of UNIX time, use earliest=1.

When earliest=1 and latest=now() are used, the search runs over all time.

...WHERE earliest=1 AND latest=now()

Specifying latest=now() does not return future events.

To return future events, specify latest=<a_big_number>. Future events are events that contain timestamps later than the current time now().

2. Search the events from the beginning of the current week

...WHERE earliest=@w0

@w0 snaps to the most recent Sunday at midnight. Use @w1 if your week starts on Monday.

3. Search the events from the last full business week

...WHERE earliest=-5d@w1 AND latest=@w6

-5d@w1 goes back five days and then snaps to the preceding Monday at midnight; @w6 snaps to the most recent Saturday at midnight, so the range covers Monday through Friday of the last completed business week.

4. Search with an exact date as a boundary

With a boundary such as from November 15 at 8 PM to November 22 at 8 PM, use the timeformat %Y-%m-%d:%H:%M:%S.

...WHERE earliest="2023-11-15:20:00:00" AND latest="2023-11-22:20:00:00"

5. Specify multiple time windows using a fixed date time format

You can specify multiple time windows using the timeformat %Y-%m-%d:%H:%M:%S. For example to find events from 5-6 PM or 7-8 PM on specific dates, use the following syntax.

...WHERE (earliest="2023-1-22:17:00:00" AND latest="2023-1-22:18:00:00") OR (earliest="2023-1-22:19:00:00" AND latest="2023-1-22:20:00:00")

6. Specify multiple time windows using a relative time format

You can specify multiple time windows using the time modifiers and snap-to with a relative time. For example, to find events for the last 24 hours but omit the events from midnight to 1:00 AM, use the following syntax:

...WHERE ((earliest=-24h AND latest<@d) OR (earliest>=@d+1h))

This example uses the comparison operators < and >=, which the note under List of time modifiers says are not supported with time modifiers. Because earliest is inclusive and latest is exclusive, the same two windows can be written with the equal operator only:

...WHERE ((earliest=-24h AND latest=@d) OR (earliest=@d+1h))
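The following Python script is an added example; it is not code from Splunk or from this documentation. It implements the relative time syntax described under List of time modifiers (an offset, an optional @ snap-to, and further offsets applied after the snap, with @w0 meaning Sunday through @w6 meaning Saturday), resolves the relative values used in the examples above against a fixed clock, and then applies an event-time window and an index-time window to a constructed set of events to show why Searching based on index time needs an All Time event window. It assumes that earliest is inclusive and latest is exclusive (the convention the starttime and endtime rows below state), the sample events and their timestamps are constructed, and the epoch value 4102444800 stands in for "a big number" in example 1. Month and year units are handled with calendar arithmetic, which goes beyond the units the examples on this page use.

```python
"""Resolve Splunk-style relative time modifiers and apply event-time and
index-time windows to a constructed event set. Added example, not Splunk code."""
import re
from datetime import datetime, timedelta, timezone

# A modifier is a run of tokens: offsets '[+|-]<int><unit>' and snaps '@<unit>[<weekday>]'.
_TOKEN = re.compile(r"([+-])(\d*)([a-z]+)|@([a-z]+)(\d)?")
_UNIT = {"s": "s", "sec": "s", "secs": "s", "second": "s", "seconds": "s",
         "m": "m", "min": "m", "mins": "m", "minute": "m", "minutes": "m",
         "h": "h", "hr": "h", "hrs": "h", "hour": "h", "hours": "h",
         "d": "d", "day": "d", "days": "d", "w": "w", "week": "w", "weeks": "w",
         "mon": "mon", "month": "mon", "months": "mon",
         "y": "y", "yr": "y", "yrs": "y", "year": "y", "years": "y"}
_DELTA = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}

def _shift(dt, n, unit):
    """Move dt by n units; months and years use calendar arithmetic with the day clamped."""
    if unit in _DELTA:
        return dt + timedelta(**{_DELTA[unit]: n})
    total = dt.year * 12 + dt.month - 1 + (n if unit == "mon" else 12 * n)
    year, month = divmod(total, 12)
    month += 1
    last_day = (datetime(year + (month == 12), month % 12 + 1, 1) - timedelta(days=1)).day
    return dt.replace(year=year, month=month, day=min(dt.day, last_day))

def _snap(dt, unit, weekday):
    """Snap dt back to the start of unit. '@w' means '@w0'; w0=Sunday ... w6=Saturday."""
    if unit == "w":
        current = (dt.weekday() + 1) % 7            # Python Monday=0 -> Splunk Sunday=0
        dt -= timedelta(days=(current - (weekday or 0)) % 7)
        unit = "d"
    fields = {"s": 1, "m": 2, "h": 3, "d": 4, "mon": 5, "y": 6}[unit]
    floor = {"microsecond": 0, "second": 0, "minute": 0, "hour": 0, "day": 1, "month": 1}
    return dt.replace(**dict(list(floor.items())[:fields]))

def resolve(spec, now):
    """Resolve an earliest/latest value: 'now', a UNIX epoch integer (earliest=1),
    or a relative expression such as '-5d@w1', '@d+1h', '-h@h', '-24h'."""
    spec = spec.strip().lower()
    if spec in ("now", "now()"):
        return now
    if spec.isdigit():
        return datetime.fromtimestamp(int(spec), tz=timezone.utc)
    dt, pos = now, 0
    while pos < len(spec):
        m = _TOKEN.match(spec, pos)
        if not m:
            raise ValueError(f"bad time modifier {spec!r} at offset {pos}")
        pos = m.end()
        if m.group(4):                               # snap-to, applied to the offset so far
            dt = _snap(dt, _UNIT[m.group(4)], int(m.group(5)) if m.group(5) else None)
        else:                                        # offset; a bare '-h' means '-1h'
            n = int(m.group(2) or 1)
            dt = _shift(dt, -n if m.group(1) == "-" else n, _UNIT[m.group(3)])
    return dt

def search(events, now, earliest="1", latest="now", index_earliest=None, index_latest=None):
    """Ids of events inside BOTH windows. Assumption: earliest inclusive, latest exclusive.
    The _index_* window narrows the event-time window; it never replaces it."""
    lo, hi = resolve(earliest, now), resolve(latest, now)
    ilo = resolve(index_earliest, now) if index_earliest else None
    ihi = resolve(index_latest, now) if index_latest else None
    return [ev for ev, t, it in events
            if lo <= t < hi and (ilo is None or it >= ilo) and (ihi is None or it < ihi)]

def search_any(events, now, windows):
    """OR several (earliest, latest) windows together, as examples 5 and 6 do."""
    hits = {ev for w in windows for ev in search(events, now, *w)}
    return [ev for ev, _, _ in events if ev in hits]

# Constructed sample data: a fixed clock (a Thursday) and six events with both timestamps.
NOW = datetime(2024, 3, 14, 10, 37, tzinfo=timezone.utc)

def _u(*a):
    return datetime(*a, tzinfo=timezone.utc)

EVENTS = [  # (id, _time, _indextime)
    ("web-1",       _u(2024, 3, 14, 9, 37),  _u(2024, 3, 14, 9, 38)),  # indexed a minute after it occurred
    ("late-syslog", _u(2024, 3, 11, 10, 37), _u(2024, 3, 14, 9, 45)),  # three days old, indexed this morning
    ("evening",     _u(2024, 3, 13, 22, 0),  _u(2024, 3, 13, 22, 1)),
    ("midnight",    _u(2024, 3, 14, 0, 30),  _u(2024, 3, 14, 0, 31)),  # inside the 00:00-01:00 gap of example 6
    ("stale",       _u(2024, 3, 4, 8, 0),    _u(2024, 3, 4, 8, 1)),
    ("skewed",      _u(2024, 3, 14, 12, 37), _u(2024, 3, 14, 9, 50)),  # sender clock 2 h fast: _time is in the future
]

if __name__ == "__main__":
    for spec in ("-5m", "@d", "-h@h", "@w0", "-5d@w1", "@w6", "@d+1h", "-1mon@mon", "1"):
        print(f"{spec:>10} -> {resolve(spec, NOW):%Y-%m-%d %H:%M:%S %a}")
    hour = ("-h@h", "@h")                           # indexed in the previous full hour
    print("last 24 h:                    ", search(EVENTS, NOW, "-24h", "now"))
    print("indexed 09-10, default window:", search(EVENTS, NOW, "-24h", "now", *hour))
    print("indexed 09-10, All Time:      ", search(EVENTS, NOW, "1", "now", *hour))
    print("indexed 09-10, future too:    ", search(EVENTS, NOW, "1", "4102444800", *hour))
    print("example 6 windows:            ", search_any(EVENTS, NOW, [("-24h", "@d"), ("@d+1h", "now")]))
```

Running the script prints the resolved time for each modifier and then five result lists. The second and third lists use the same index-time window and differ only in the event-time window: with the default last-24-hours range the three-day-old late-syslog event is dropped, and it only appears once earliest is widened to epoch time 1; the future-dated skewed event additionally needs latest set to a value beyond now, as example 1 describes.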

Other time modifiers

The following search time modifiers are deprecated. They are still valid, but they might be removed, and their function no longer supported, in a future release. Prefer earliest and latest for new searches.

daysago=<int>: Search events within the last <int> days.
enddaysago=<int>: Set an end time <int> days before now.
endhoursago=<int>: Set an end time <int> hours before now.
endminutesago=<int>: Set an end time <int> minutes before now.
endmonthsago=<int>: Set an end time <int> months before now.
endtime=<string>: Search for events before the specified time (exclusive of the specified time). Use timeformat to specify how the timestamp is formatted.
endtimeu=<int>: Search for events before the specified UNIX time.
hoursago=<int>: Search events within the last <int> hours.
minutesago=<int>: Search events within the last <int> minutes.
monthsago=<int>: Search events within the last <int> months.
searchtimespandays=<int>: Search within a range of <int> days.
searchtimespanhours=<int>: Search within a range of <int> hours.
searchtimespanminutes=<int>: Search within a range of <int> minutes.
searchtimespanmonths=<int>: Search within a range of <int> months.
startdaysago=<int>: Search from <int> days before the present time.
starthoursago=<int>: Search from <int> hours before the present time.
startminutesago=<int>: Search from <int> minutes before the present time.
startmonthsago=<int>: Search from <int> months before the present time.
starttime=<timestamp>: Search from the specified date and time to the present, inclusive of the specified time.
starttimeu=<int>: Search for events starting from the specified UNIX time.
timeformat=<string>: Set the timeformat for the starttime and endtime modifiers. By default: timeformat=%m/%d/%Y:%H:%M:%S

See also

Related information
Specifying relative time
Timestamps and time ranges
Using time variables
Time zones