

Use time modifiers to customize the time range of a search or change the format of the timestamps in the search results. When an event is processed by Splunk software, its timestamp is saved as the default field _time. This timestamp, which is the time when the event occurred, is saved in UNIX time notation. Searching with the relative time modifiers earliest or latest finds every event with a timestamp beginning at, ending at, or between the specified timestamps. For example, a search whose earliest modifier snaps to the start of the current day finds every event with a _time value since midnight; that example uses a date format variable.

When you use a time modifier in the SPL syntax, that time overrides the time specified in the Time Range Picker. For example, suppose your search uses Yesterday in the Time Range Picker and you add the time modifier earliest=-2d to your search syntax. The search uses the time specified in the time modifier and ignores the time in the Time Range Picker. Because the search does not specify the latest time modifier, the default value now is used for latest. For more information, see Specify time modifiers in your search in the Search Manual.

Time ranges selected from the Time Range Picker apply to the base search and to subsearches. However, time ranges specified directly in the base search do not apply to subsearches. Likewise, a time range specified directly in a subsearch applies only to that subsearch. For example, if the Time Range Picker is set to Last 7 days and a subsearch contains its own earliest time modifier, then that modifier applies only to the subsearch and Last 7 days applies to the base search. The subsearch's time range does not apply to the base search or to any other subsearch.

You also have the option of searching for events based on when they were indexed. The UNIX time is saved in the _indextime field. Similar to earliest and latest for the _time field, you can use the relative time modifiers _index_earliest and _index_latest to search for events based on _indextime, for example to find events indexed in the previous hour. When using index-time based modifiers such as _index_earliest and _index_latest, your search must also have an event-time window that will retrieve the events. In other words, chunks of events might be ruled out based on the non-index-time window as well as the index-time window. To be certain of retrieving every event based on index time, you must run your search using All Time.

Use the earliest and latest modifiers to specify custom and relative time ranges. You can specify an exact time such as earliest=":20:00:00", or a relative time such as earliest=-h. When specifying relative time, you can use the now modifier to refer to the current time. The modifiers are:

earliest: the earliest _time for the time range of your search.
_index_earliest: the earliest _indextime for the time range of your search.
_index_latest: the latest _indextime for the time range of your search.
latest: the latest time for the _time range of your search.

Use earliest=1 to specify the UNIX epoch time 1, which is UTC January 1, 1970 at 12:00:01 AM. Use earliest=0 to specify the earliest event in your index. If now is used as the earliest value, now() is the start of the search. In real-time searches, time() is the current machine time. For more information about customizing your search window, see Specify real-time time range windows in your search in the Search Manual.

Begin your time offset with a plus (+) or minus (-) to indicate the offset from the current time. Define your time amount with a number and a unit. The supported time units include microseconds (us), milliseconds (ms), centiseconds (cs) and deciseconds (ds), as well as seconds (s), minutes (m), hours (h) and days (d). For example, to start your search an hour ago, use a relative time modifier such as earliest=-h. When specifying single time amounts, the number one is implied: an 's' is the same as '1s', 'm' is the same as '1m', 'h' is the same as '1h', and so forth.

The snap-to time unit indicates the nearest or latest time to which your time amount rounds down. When a relative time modifier is processed, the offset is processed first, followed by the snap-to time. For example, in a relative time modifier with the offset -2h and a snap-to unit, the offset -2h is processed first. Then the snap-to time is processed.
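To make the offset-then-snap rule concrete, here is an added Python example (not Splunk's code) that resolves earliest/latest values the way the text describes: offset first, then snap-to, with the implied 1 for bare units, bare integers treated as UNIX epoch time, and latest defaulting to now. SAMPLE_NOW, the unit table and the function names are this example's own assumptions, and it covers only the units and snap-to units named on the page rather than Splunk's full set.

```python
import re
from datetime import datetime, timedelta, timezone

# Units the page names: subseconds, seconds, minutes, hours, plus days from its -2d example.
UNIT_SECONDS = {"us": 1e-6, "ms": 1e-3, "cs": 1e-2, "ds": 1e-1,
                "s": 1, "m": 60, "h": 3600, "d": 86400}
# [+|-]<time_integer><time_unit>@<time_unit>; the offset or the snap-to may be absent.
MODIFIER_RE = re.compile(r"(?:([+-])(\d*)([a-z]+))?(?:@([a-z]+))?")
# Constructed reference time (a fixed "now") so the results are reproducible.
SAMPLE_NOW = datetime(2024, 3, 10, 14, 37, 25, tzinfo=timezone.utc)


def snap_down(t: datetime, unit: str) -> datetime:
    """Round t down to the start of the given unit: the snap-to step."""
    zero = {"s": {}, "m": {"second": 0}, "h": {"minute": 0, "second": 0},
            "d": {"hour": 0, "minute": 0, "second": 0}}
    if unit not in zero:
        raise ValueError(f"unsupported snap-to unit: {unit!r}")
    return t.replace(microsecond=0, **zero[unit])


def resolve_modifier(modifier: str, now: datetime) -> datetime:
    """Evaluate one earliest/latest value against `now`. A bare number is a UNIX
    epoch time (earliest=1 is 1970-01-01 00:00:01 UTC); otherwise the offset is
    applied first and only then is the result snapped down to the @unit."""
    if modifier == "now":
        return now
    if modifier.isdigit():
        return datetime.fromtimestamp(int(modifier), tz=timezone.utc)
    match = MODIFIER_RE.fullmatch(modifier)
    if not modifier or match is None:
        raise ValueError(f"invalid time modifier: {modifier!r}")
    sign, amount, unit, snap = match.groups()
    t = now
    if sign:
        if unit not in UNIT_SECONDS:
            raise ValueError(f"unknown time unit: {unit!r}")
        count = int(amount) if amount else 1  # "-h" means "-1h": the one is implied
        delta = timedelta(seconds=count * UNIT_SECONDS[unit])
        t = t + delta if sign == "+" else t - delta
    return snap_down(t, snap) if snap else t


def search_window(now: datetime, earliest: str, latest: str = "now"):
    """Return the (start, end) window a search covers; latest defaults to now,
    as it does when a search sets only earliest."""
    start, end = resolve_modifier(earliest, now), resolve_modifier(latest, now)
    if start > end:
        raise ValueError(f"earliest {earliest!r} resolves after latest {latest!r}")
    return start, end
```

Running resolve_modifier("-15h@d", SAMPLE_NOW) lands on the previous day's midnight, while "@d" alone lands on today's, which is the processing-order point the text makes.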
