Modifiers

Modifiers

Use modifiers to narrow your search results.

• Use time modifiers to change the time range or adjust the start/stop times of a search.
• Use search modifiers to match results based on tag information (event type, host, or general tags) or on whether results match criteria of a specified saved search.

You can use modifiers anywhere within a Splunk command: before, after, or in between keywords and logical expressions.

Some modifiers let you use wildcards, regular expressions, and comparison operations to specify values to match.

Most modifiers don't have default values.

Time modifiers =	daysago, enddaysago, endhoursago, endminutesago, endmonthsago, endtime, endtimeeu, hoursago, minutesago, monthsago, searchtimespandays, searchtimespanhours, searchtimespanminutes, searchtimespanmonths, startdaysago, starthoursago, startminutesago, startmonthsago, starttime, starttimeeu, timeformat
Search modifiers =	eventtypetag, hosttag, savedsearch, tag

Modifier syntax

Express modifiers in two ways:

• modifier="value"
• modifier=value

Modifier precedence

Splunk Modifier expressions have a few precedence rules:

• You an use a modifier anywhere in the search command before, after, or in between keywords and logical expressions.
• Splunk evaluates modifier declarations from left to right.
• Splunk evaluates only the first instance of daysago, hoursago, or minutesago.
• If there are more than one of the same modifier declared in a search string, Splunk evaluates only the first declaration in the search string.
• If there is more than one index modifier in a search command argument, Splunk evaluates only the first declaration in the search string.