Software Development

Splunk Time Range Search Example

Photo of Mary Zheng Mary ZhengFebruary 8th, 2021Last Updated: February 1st, 2021
0 351 2 minutes read

1. Introduction

Most data source event contains a timestamp. If the event doesn’t include a timestamp, then Splunk applies a timestamp to the event during the indexing process. It’s very helpful to search event based on a time range. In this example, I will demonstrate several ways to search based on a time range:

2. Technologies Used

The example in this article was built and run using:

  • Docker 19.03.8
  • Splunk 8.1.1
  • Google Chrome 87.0.4280.88

Please reference my other article for the set up steps.

3. Splunk Time Range Picker

In this step, I will use the time range picker in the New Search section.

The Splunk New Search section includes a time range picker next to the search button. It has lots of predefined time ranges. The default value is “Last 24 hours“.

Splunk Time Range - time range picker
Figure 1 Time Range Picker – Default to Last 24 hours

It has a “Documentation” link under the Advanced section which includes detail information.

Select the “Last 15 minutes” option from the “Presets” section. The start time and end time are displayed next to the search results.

Splunk Time Range - last 15 min
Figure 2 Last 15 minutes

It also shows the searching query as: earliest=-15m&latest=now in the browser URI.

4. Add Time Range to a Report

In this step, I will explain how to add a time range picker to a report.

The “Yes” option is selected by default when using Save As Report option.

Splunk Time Range - in a report
Figure 3 Include time Range Picker in a Report

You should see the report with a time range picker after clicking the “Save” button.

Splunk Time Range - report
Figure 4, Report with Time Range Picker

5. Add Time Range to a Dashboard

In this step, I will add a time range picker to a dashboard by editing it. Click on the “+Add Input” and select “Time“.

Figure 5 Add Time Input

After it, you should see the time range picker with default value – Last 24 hours.

Figure 6 Time Input on Dashboard

Save the dashboard, then you will see the time range picker filter.

Figure 7 Dashboard with a Time Filter

6. Time Search Query

Splunk Processing Language (SPL) defines several time modifier. Here are common ones:

  • earliest – specifies the earliest time for the _time range. e.g. -15m means last 15 minutes
  • latest – specifies the latest time for the _time range. e.g. -24h means last 24 hours.
  • now – specifies the current time.

Here is the syntax for searching events by a time range.

earliest=<time_modifier> latest=<time_modifier>

Here is the SPL for last 7 days

earliest=-7d latest=now

Figure 8 Last 7 Days

7. Summary

In this example, I showed how to use the time range picker from web interface and how to use the SPL query to search events based on the time range.

Tags
Photo of Mary Zheng Mary ZhengFebruary 8th, 2021Last Updated: February 1st, 2021
0 351 2 minutes read
Photo of Mary Zheng

Mary Zheng

Mary has graduated from Mechanical Engineering department at ShangHai JiaoTong University. She also holds a Master degree in Computer Science from Webster University. During her studies she has been involved with a large number of projects ranging from programming and software engineering. She works as a senior Software Engineer in the telecommunications sector where she acts as a leader and works with others to design, implement, and monitor the software solution.
Subscribe
Notify of
guest

This site uses Akismet to reduce spam. Learn how your comment data is processed.

0 Comments
Inline Feedbacks
View all comments
Back to top button