When you create a search, try to specify only the dates or times that you're interested in. Specifying a narrow time range is a great way to filter the data in your dataset and to avoid producing more results than you really need.
To specify a time range in your search syntax, you use the earliest and latest time modifiers. You can specify an exact time such as earliest="10/5/2019:20:00:00", or a relative time such as earliest=-h or latest=@w6.
| Modifier | Syntax | Description |
|---|---|---|
| earliest | earliest=[+|-]
| Specify the earliest _time for the time range of your search.
|
| latest | latest=[+|-]
| Specify the latest time for the _time range of your search.
|
Here are some examples:
- To search for data from now and go back in time 5 minutes, use
earliest=-5m. - To search for data from now and go back 40 seconds, use
earliest=-40s. - To search for data between 2 and 4 hours ago, use
earliest=-4h latest=-2h. - To search for data using an exact date range, such as from October 15 at 8 PM to October 22 at 8 PM, use the timeformat
%m/%d/%Y:%H:%M:%Sand specify dates likeearliest="10/15/2019:20:00:00" latest="10/22/2019:20:00:00" - To search for data from the beginning of today (12 AM or midnight) use
earliest=@d. The @ symbol is referred to as the snap to anddis the time unit. - To search for data from the beginning of today (12 AM or midnight) and apply a time offset of -2h, use
earliest=@d-2h. This results in an earliest time of 10 PM yesterday.
When snapping to a time, Splunk software always '''snaps backwards''' or rounds down to the latest time that is not after the specified time. For example, if it is 11:59:00 and you "snap to" using hours, you will snap to 11:00 not 12:00.
Here's an example of using a time range in a search that goes back 5 minutes, snapping to the beginning of the minute. The end of the time range is the beginning of the current minute.
| from main where earliest=-5m@m and latest=@m
For more information about time modifiers, see Time modifiers.
Next step
See Combining commands.
