Search modifiers
This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.0 , 3.0.1 , 3.0.2 , 3.1 , 3.1.1 , 3.1.2 , 3.1.3 , 3.1.4
Contents
- Search modifier syntax
- Search modifier precedence
- Conventions used in this reference
- Syntax conventions
- Other conventions
- daysago
- enddaysago
- endhoursago
- endminutesago
- endmonthsago
- endtime
- hosttag
- hoursago
- index
- maxresults
- minutesago
- monthsago
- readlevel
- readlimit
- related
- savedsearch
- searchtimespanminutes
- searchtimespanhours
- searchtimespandays
- searchtimespanmonths
- startminutesago
- starthoursago
- startdaysago
- startmonthsago
- timeformat
Search modifiers
Search modifiers are used in the search command, and allow you to modify the results of a search based on time constraints, and other factors. Modifiers are explicitly used within the context of the search command.
There are two types of search modifiers. Search modifiers allow you to specify criteria to narrow your search, and time modifiers that adjust start/stop times and time ranges of your search.
| Time modifiers = | daysago, enddaysago, endhoursago, endminutesago, endmonthsago, endtime, endtimeeu, hoursago, minutesago, monthsago, searchtimespandays, searchtimespanhours, searchtimespanminutes, searchtimespanmonths, startdaysago, starthoursago, startminutesago, startmonthsago, starttime, starttimeeu, timeformat | |
| Search modifiers = | eventtypetag, hosttag, index, maxresults, readlevel, readlimit, related |
Search modifier syntax
In versions 3.0.x modifiers take the format of:
- modifiername::value
In versions 3.1.x and above, modifiers take the formats:
- modifiername::value
- modifiername="value"
- modifiername=value
Most modifiers do not have default values. Modifiers may appear anywhere in a Splunk command before, after, or in between keywords and logical expressions. If a search has conflicting modifiers, the first one from left to right will take precedence.
Search modifier precedence
- Only the first declaration of daysago, hoursago, or minutesago will be evaluated.
- If there is more than one index modifier in a search command argument, only the first declaration will be evaluated.
- If there is more than one of the same modifier declared in a search, only the first one will be evaluated.
Conventions used in this reference
Syntax conventions
command argument ... [argument] ...
- Commands are in bold.
- Any bolded (and not italicized) character in the command syntax is a required term for the expression.
- Required arguments are italicized (and can be bold).
- Optional arguments are in [brackets].
- " ... " means that many arguments can be inserted.
- Arguments are defined in a table.
| argument=syntax and value(default value) | Description, and usage. |
- Default values are shown in parentheses ( ).
- Arguments that have a table of options associated with them are italicized and in bold (argument).
- " | " is used as a logical OR.
- T | F = True OR False.
Other conventions
- Command examples that are applicable to SplunkWeb are shown in a mock-up of a search bar.
foo | top 
- Command examples that are applicable to the Splunk command line (CLI) are shown in indented fixed-width font.
./splunk search "foo | top"
daysago
Search events within the last N days.
Syntax
daysago=integer
enddaysago
Set an end time (in days) that is = now - number specified.
Syntax
enddaysago=integer
endhoursago
Set an end time (in hours) that is = now - number specified.
Syntax
endhoursago=integer
endminutesago
Set an end time (in minutes) that is = now - number specified.
Syntax
endminutesago=integer
endmonthsago
Set an end time (in months) that is = now - number specified.
Syntax
endmonthsago=integer
endtime
All events must be before the specified time. Use timeformat to set the time format to use. For example: if timeformat=%m/%d/%Y:%H:%M:%S, then endtime=09/07/1978:09:00:00, and all results are before that time.
Syntax
endtime=string
hosttag
Search for events that have hosts that have a matching host tag string.
Syntax
hosttag=string
hoursago
Search events within the last N hours.
Syntax
hoursago=integer
index
Specifies an index to search (main, default, history, splunklogger, or another admin defined index). If there is more than one index modifier in a search command argument, only the first declaration will be evaluated.
Syntax
index= "name of index" | name of index
maxresults
Limit the number of results that your search returns by specifying a maximum number of results. The default number of events for any search to return is 10,000.
Syntax
maxresults=integer(10000)
minutesago
Search events within the last N minutes.
Syntax
minutesago=integer
monthsago
Search events within the last N months.
Syntax
monthsago=integer
readlevel
Specifies how much detail is read from events returned from the search processor. This modifier is only useful in command line searches.
Syntax
readlevel=level
Arguments
| level= 0 | 1 | 2 | Different read levels to specify. |
| 0 | Specifies that only the top indexed fields (host,source, sourcetype) get read. |
| 1 | Specifies to read raw data and 2nd order fields in addition to top indexed fields (read level 0). |
| 2 | Specifies a full read of event types in addition to all of the above data. |
readlimit
Specify the starting point of events within your results to read and return. By default this is set to 0 (to read all events).
Syntax
readlimit=integer | "integer range"
- Example:
readlimit="20-29"- Reads events 20-29.
related
Specifies events that are related to the event of id event_id. The value assigned to a related search is a hash value that only makes sense to the server. Related results are sorted by relevance rather than by time.
Syntax
related=hash value
- Example:
related="0:12345"
savedsearch
Search for events that would be found by the specified saved search.
Syntax
savedsearch=name_of_saved_search
searchtimespanminutes
Search within a specified range of minutes (expressed as an integer).
Syntax
searchtimespanminutes=integer
searchtimespanhours
Search within a specified range of hours (expressed as an integer).
Syntax
searchtimespanhours=integer
searchtimespandays
Search within a specified range of days (expressed as an integer).
Syntax
searchtimespandays=integer
searchtimespanmonths
Search within a specified range of months (expressed as an integer).
Syntax
searchtimespanmonths=integer
startminutesago
Search the specified number of minutes ago from the present time (expressed as an integer).
Syntax
minutesago=integer
starthoursago
Search the specified number of hours ago from the present time (expressed as an integer).
Syntax
hoursago=integer
startdaysago
Search the specified number of days ago from the present time (expressed as an integer).
Syntax
daysago=integer
startmonthsago
Search the specified number of months ago from the present time (expressed as an integer).
Syntax
monthsago=integer
timeformat
Change the format for the starttime and endtime modifiers. All Splunk searches have the default time format of: %m/%d/%Y:%H:%M:%S.
Syntax
timeformat=string
Arguments
| string = | %m/%d/%Y:%H:%M:%S (default = %m/%d/%Y:%H:%M:%S). |