This documentation does not apply to the most recent version of Splunk.
This documentation applies to the following versions of Splunk: 3.2, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 3.3, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.4, 3.4.1, 3.4.2, 3.4.3, 3.4.5, 3.4.6, 3.4.8, 3.4.9, 3.4.10, 3.4.11, 3.4.12, 3.4.13
Use time modifiers to adjust the time range of a search, specify a time to start or stop a search, or change the timestamp format of search results.
Search events within the last N days.
daysago=integer
| integer | Integer number of days. |
Set the end time of the search to the current time minus the specified number of days.
enddaysago=integer
| integer | Integer number of days. |
Set the end time of the search to the current time minus the specified number of hours.
endhoursago=integer
| integer | Integer number of hours. |
Set the end time of the search to the current time minus the specified number of minutes.
endminutesago=integer
| integer | Integer number of minutes. |
Set the end time of the search to the current time minus the specified number of months.
endmonthsago=integer
| integer | Integer number of months. |
Search for events before the specified time (exclusive of the specified time).
Use timeformat to set the format of the endtime value. For example, if timeformat=%m/%d/%Y:%H:%M:%S, then endtime=09/07/1978:09:00:00 returns only results from before that time.
endtime=string
| string | Time, in the timestamp format specified by timeformat. |
Search events within the last N hours.
hoursago=integer
| integer | Integer number of hours. |
Search events within the last N minutes.
minutesago=integer
| integer | Integer number of minutes. |
Search events within the last N months.
monthsago=integer
| integer | Integer number of months. |
Search within a specified range of days (expressed as an integer).
searchtimespandays=integer
| integer | Integer number of days. |
Search within a specified range of hours (expressed as an integer).
searchtimespanhours=integer
| integer | Integer number of hours. |
Search within a specified range of minutes (expressed as an integer).
searchtimespanminutes=integer
| integer | Integer number of minutes. |
Search within a specified range of months (expressed as an integer).
searchtimespanmonths=integer
| integer | Integer number of months. |
Start the search at the specified number of days before the present time (expressed as an integer).
startdaysago=integer
| integer | Integer number of days. |
Start the search at the specified number of hours before the present time (expressed as an integer).
starthoursago=integer
| integer | Integer number of hours. |
Start the search at the specified number of minutes before the present time (expressed as an integer).
startminutesago=integer
| integer | Integer number of minutes. |
Start the search at the specified number of months before the present time (expressed as an integer).
startmonthsago=integer
| integer | Integer number of months. |
Search from the specified date and time to the present (inclusive of the specified time).
starttime=timestamp
| timestamp | Time, in timestamp format (i.e., %m/%d/%Y:%H:%M:%S), at which to start the search. |
Search from the specified date and time to the present expressed in European date/time format.
starttimeeu=timestamp
| timestamp | Time, in European timestamp format (i.e., %d/%m/%Y:%H:%M:%S), at which to start the search. |
Set time format for the starttime and endtime modifiers.
Note: The default time format for Splunk searches is %m/%d/%Y:%H:%M:%S.
timeformat=string
| string | Time format string, e.g. %m/%d/%Y:%H:%M:%S (default = %m/%d/%Y:%H:%M:%S). |
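The boundary and format rules described for starttime, endtime, starttimeeu and timeformat, modeled in Python as an added example (not Splunk's code): it shows the inclusive start, the exclusive end, and how a value read in the wrong day/month order silently shifts the search window. The function names and the sample events are assumptions constructed for this illustration.

```python
from datetime import datetime

DEFAULT_TIMEFORMAT = "%m/%d/%Y:%H:%M:%S"  # default timeformat stated on this page
EU_TIMEFORMAT = "%d/%m/%Y:%H:%M:%S"       # format documented for starttimeeu

# Constructed sample event timestamps, written in the default format.
EVENTS = ["09/07/1978:08:59:59", "09/07/1978:09:00:00", "09/07/1978:09:00:01"]


def parse_modifier(value, timeformat=DEFAULT_TIMEFORMAT):
    """Parse a starttime/endtime value; ValueError if it does not match."""
    return datetime.strptime(value, timeformat)


def select(events, starttime=None, endtime=None, timeformat=DEFAULT_TIMEFORMAT):
    """Keep events with starttime <= t < endtime (inclusive start, exclusive end)."""
    start = parse_modifier(starttime, timeformat) if starttime else None
    end = parse_modifier(endtime, timeformat) if endtime else None
    kept = []
    for raw in events:
        t = parse_modifier(raw)  # sample events always use the default format
        if (start is None or t >= start) and (end is None or t < end):
            kept.append(raw)
    return kept


def is_ambiguous(value):
    """True if value is valid in both US and European order but means different dates."""
    try:
        us = parse_modifier(value, DEFAULT_TIMEFORMAT)
        eu = parse_modifier(value, EU_TIMEFORMAT)
    except ValueError:
        return False  # only one reading is valid, so a wrong format fails loudly
    return us != eu


if __name__ == "__main__":
    boundary = "09/07/1978:09:00:00"
    print(select(EVENTS, endtime=boundary))
    print(select(EVENTS, starttime=boundary))
    print(is_ambiguous(boundary), parse_modifier(boundary, EU_TIMEFORMAT).date())
```

When scoping an investigation window, values where both the day and the month are 12 or less are the ones to double-check, because they parse without error under either format.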