Time modifiers

Every time you execute a search, be aware that you are running a query against a set of data that is bounded by date and time. The time-range picker sits on the right side of the search bar. Splunk comes with predetermined time modifiers, as seen in the following screenshot. You can also use the time-range picker to set up a custom date/time range or other advanced ranges (https://docs.splunk.com/Splexicon:Timerangepicker):

Apart from the All time selection, there are two types of time modifiers that will be used the most: Real-time and Relative. In the preceding screenshot, the predetermined real-time modifiers are in the leftmost column, and the relative time modifiers are in the middle columns.

Real-time modifiers mean that Splunk runs an ongoing, real-time search over the specified sliding window. For example, a real-time search with a 5-minute window continuously displays the data from the last five minutes: as new events arrive, the oldest events fall out of the displayed results.

Tip from the Fez: As we introduced in Chapter 1, Splunk – Getting Started, real-time searches are resource intensive. Use them sparingly.

Relative time modifiers are just that: they define a window relative to the moment the search is run, and the search returns the data that falls within that window. The most common examples, as shown earlier in the time-range picker, are the to-date presets (Week To Date, Month To Date, and so on) and the last-X presets (Last 4 hours, Last 7 days, and so on).

What you do not see when you use the time-range picker is that, in the background, Splunk translates your selection into two search modifiers, earliest and latest, which set the start and end of the time window.

The Last 15 minutes time-range picker preset, for example, is equivalent to these SPL modifiers:

SPL> earliest=-15m latest=now 

The presets built into Splunk automatically insert the latest=now modifier when they run their search. Run this search command in your Destinations app Search bar:

SPL> index=main earliest=-8m latest=now | timechart count span=1m 

Notice that, even though you have not changed the selection in the time-range picker drop-down (it does not change unless you use it), the results show your earliest event roughly 8 minutes ago and your latest event as of the moment the search ran. In other words, earliest and latest modifiers written into the search string override the current selection in the time-range picker. Keep that in mind when you later turn a search into a saved report or alert: a hard-coded earliest/latest travels with the SPL, so check that it still matches the window you intend.
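The following is an added example, not code from the book or from Splunk: a small Python resolver that turns earliest/latest modifiers such as -15m, -8m, @w0 or -1d@d+3h into absolute timestamps relative to a given "now", so you can see the exact window a search covers before you schedule it. It implements a subset of Splunk's modifier grammar (offsets, @ snapping including @w0 to @w6, chained offsets after a snap, epoch integers); the long-form unit aliases it accepts and the reference time REFERENCE_NOW are assumptions made for the example.

```python
"""Resolve Splunk-style relative time modifiers (earliest=/latest=) to absolute
timestamps. Added example for this chapter; not Splunk's own code."""
import calendar
import re
from datetime import datetime, timedelta, timezone

# Canonical unit for each accepted alias (the alias list is an assumption).
UNITS = {
    **dict.fromkeys(["s", "sec", "secs", "second", "seconds"], "s"),
    **dict.fromkeys(["m", "min", "mins", "minute", "minutes"], "m"),
    **dict.fromkeys(["h", "hr", "hrs", "hour", "hours"], "h"),
    **dict.fromkeys(["d", "day", "days"], "d"),
    **dict.fromkeys(["w", "week", "weeks"], "w"),
    **dict.fromkeys(["mon", "month", "months"], "mon"),
    **dict.fromkeys(["q", "qtr", "quarter", "quarters"], "q"),
    **dict.fromkeys(["y", "yr", "yrs", "year", "years"], "y"),
}

# One token is either an offset (+5m, -1d) or a snap (@d, @w1, @mon).
TOKEN = re.compile(r"([+-])(\d+)([a-z]+)|@([a-z]+)(\d)?")

# Constructed reference time for the demo: Wednesday 2024-03-13 10:47:31 UTC.
REFERENCE_NOW = datetime(2024, 3, 13, 10, 47, 31, tzinfo=timezone.utc)


def _add_months(dt, n):
    """Calendar month arithmetic; the day is clamped (Jan 31 + 1mon -> Feb 29/28)."""
    year, month0 = divmod(dt.year * 12 + (dt.month - 1) + n, 12)
    month = month0 + 1
    return dt.replace(year=year, month=month,
                      day=min(dt.day, calendar.monthrange(year, month)[1]))


def _offset(dt, sign, n, unit):
    n = n if sign == "+" else -n
    fixed = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days", "w": "weeks"}
    if unit in fixed:
        return dt + timedelta(**{fixed[unit]: n})
    return _add_months(dt, {"mon": 1, "q": 3, "y": 12}[unit] * n)


def _snap(dt, unit, weekday):
    """Round dt down to the start of the given unit (Splunk's @unit)."""
    dt = dt.replace(microsecond=0)
    if unit == "s":
        return dt
    dt = dt.replace(second=0)
    if unit == "m":
        return dt
    dt = dt.replace(minute=0)
    if unit == "h":
        return dt
    dt = dt.replace(hour=0)
    if unit == "d":
        return dt
    if unit == "w":
        # Splunk weeks start on Sunday: @w and @w0 snap to Sunday, @w1 to Monday.
        # Python's weekday() is Monday=0 .. Sunday=6, hence the (n - 1) % 7 mapping.
        n = int(weekday or 0)
        if n > 6:
            raise ValueError(f"weekday snap @w{n} out of range 0-6")
        return dt - timedelta(days=(dt.weekday() - (n - 1) % 7) % 7)
    dt = dt.replace(day=1)
    if unit == "mon":
        return dt
    if unit == "q":
        return dt.replace(month=((dt.month - 1) // 3) * 3 + 1)
    return dt.replace(month=1)  # unit == "y"


def resolve(modifier, now):
    """Turn one earliest=/latest= value into an absolute datetime relative to now."""
    s = modifier.strip().lower()
    if s == "now":
        return now
    if s.isdigit():  # Splunk also accepts an epoch timestamp
        return datetime.fromtimestamp(int(s), tz=now.tzinfo)
    dt, pos = now, 0
    while pos < len(s):
        m = TOKEN.match(s, pos)
        if not m:
            raise ValueError(f"bad time modifier {modifier!r} at offset {pos}")
        sign, num, off_unit, snap_unit, weekday = m.groups()
        unit = UNITS.get(off_unit if sign else snap_unit)
        if unit is None:
            raise ValueError(f"unknown time unit in {modifier!r}")
        dt = _offset(dt, sign, int(num), unit) if sign else _snap(dt, unit, weekday)
        pos = m.end()
    return dt


def effective_window(earliest, latest, now):
    """Absolute (start, end) for an earliest=/latest= pair, as the search sees it."""
    start, end = resolve(earliest, now), resolve(latest, now)
    if start > end:
        raise ValueError("earliest is after latest; the search would match nothing")
    return start, end


if __name__ == "__main__":
    for e, l in [("-15m", "now"), ("-15m@m", "now"), ("-8m", "now"),
                 ("@w0", "now"), ("@mon", "now"), ("-1d@d", "@d")]:
        start, end = effective_window(e, l, REFERENCE_NOW)
        print(f"earliest={e:<7} latest={l:<4} -> {start:%Y-%m-%d %H:%M:%S} .. {end:%Y-%m-%d %H:%M:%S}")
```

Resolving the window this way makes two things visible that the picker hides: -15m and -15m@m are not the same window (the snapped form starts on a whole minute, which is what you want for scheduled searches whose results must line up bucket for bucket), and a search such as earliest=-5m latest=now run every five minutes has no margin for events that are indexed a little late, so an alert built on it can silently miss them.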

Each time unit can be written in several alternative ways; the most commonly used time units that Splunk supports are: