• About Splunk
  • About Splunk
• Tutorial
  • Introduction to Splunk
    • Requirements
    • Log in
    • Index data
    • Simple searches
    • Click on results
    • Scroll through results
    • Narrow results
    • Follow a relationship
    • Chang the time range
    • Boolean searches
    • Save a search
  • Navigating search results
    • Filter on host, source, and sourcetype (search fields)
    • Showing more fields
    • Filter on extracted fields
    • Related events searching
    • Taking snapshots
    • SplunkWeb (interface) customization
  • Event types and punct::
    • What are event types?
    • What is punct::?
    • Find similar events with punct::
    • Saving event types
    • View and search for event types
    • Automated event type discovery
    • Tagging
  • Alerting
    • Save a search
    • Schedule it
    • Set alerting conditions
    • Set the alerting method
    • Permalink your saved search
    • Manage your saved searches and alerts
  • Reporting
    • Report on a field
    • Build a new report
    • Pick a different chart
    • Add it to your dashboard
  • Using search commands
    • timechart
    • stats
    • top
    • rare
    • where
    • fields
    • sort
    • Subsearches
    • diff
    • set
    • regex
  • Command line interface (CLI)
    • Examples
    • Built-in help
    • Basic commands
  • Sharing
    • Creating, tagging, and sharing eventtypes
    • Saved searches
    • SplunkBase
• Reference
  • Search syntax overview
    • Syntax definition
    • Syntax for subsearches
    • Tuning search performance
  • Search
    • Keywords
    • Wildcards *
    • Searching for "*"
    • "Quotation marks"
    • Punctuation marks
    • Booleans
    • Fields
    • Modifiers
    • Subsearches
  • Search modifiers
    • Conventions used in this reference
    • daysago
    • enddaysago
    • endhoursago
    • endminutesago
    • endmonthsago
    • endtime
    • hosttag
    • hoursago
    • index
    • maxresults
    • minutesago
    • monthsago
    • readlevel
    • readlimit
    • related
    • savedsearch
    • searchtimespanminutes
    • searchtimespanhours
    • searchtimespandays
    • searchtimespanmonths
    • startminutesago
    • starthoursago
    • startdaysago
    • startmonthsago
    • timeformat
  • Core search fields
    • host
    • source
    • sourcetype
  • Search fields
    • _raw
    • _serial
    • _time
    • date_hour
    • date_minute
    • date_month
    • date_mday
    • date_second
    • date_wday
    • date_year
    • date_zone
    • eventtype
    • eventtypetag
    • endtime
    • endtimeu
    • linecount
    • punct
    • starttime
    • starttimeu
    • timestamp::none
    • user
  • Search commands
    • Conventions used in the search reference
    • The run command
    • The admin command

Search modifiers

Search modifiers are used in the search command, and allow you to modify the results of a search based on time constraints, and other factors. Modifiers are explicitly used within the context of the search command.

There are two types of search modifiers. Search modifiers allow you to specify criteria to narrow your search, and time modifiers that adjust start/stop times and time ranges of your search.

Search modifier syntax

In versions 3.0.x modifiers take the format of:

• modifiername::value

In versions 3.1.x and above, modifiers take the formats:

• modifiername::value
• modifiername="value"
• modifiername=value

Most modifiers do not have default values. Modifiers may appear anywhere in a Splunk command before, after, or in between keywords and logical expressions. If a search has conflicting modifiers, the first one from left to right will take precedence.

Search modifier precedence

• Only the first declaration of daysago, hoursago, or minutesago will be evaluated.
• If there is more than one index modifier in a search command argument, only the first declaration will be evaluated.
• If there is more than one of the same modifier declared in a search, only the first one will be evaluated.

Conventions used in this reference

Syntax conventions

command argument ... [argument] ...

• Commands are in bold.
• Any bolded (and not italicized) character in the command syntax is a required term for the expression.
• Required arguments are italicized (and can be bold).
• Optional arguments are in [brackets].
• " ... " means that many arguments can be inserted.
• Arguments are defined in a table.

• Default values are shown in parentheses ( ).
• Arguments that have a table of options associated with them are italicized and in bold (argument).
• " | " is used as a logical OR.
• T | F = True OR False.

Other conventions

• Command examples that are applicable to SplunkWeb are shown in a mock-up of a search bar.

foo | top

• Command examples that are applicable to the Splunk command line (CLI) are shown in indented fixed-width font.

./splunk search "foo | top"

daysago

Search events within the last N days.

Syntax

daysago=integer

enddaysago

Set an end time (in days) that is = now - number specified.

Syntax

enddaysago=integer

endhoursago

Set an end time (in hours) that is = now - number specified.

Syntax

endhoursago=integer

endminutesago

Set an end time (in minutes) that is = now - number specified.

Syntax

endminutesago=integer

endmonthsago

Set an end time (in months) that is = now - number specified.

Syntax

endmonthsago=integer

endtime

All events must be before the specified time. Use timeformat to set the time format to use. For example: if timeformat=%m/%d/%Y:%H:%M:%S, then endtime=09/07/1978:09:00:00, and all results are before that time.

Syntax

endtime=string

hosttag

Search for events that have hosts that have a matching host tag string.

Syntax

hosttag=string

hoursago

Search events within the last N hours.

Syntax

hoursago=integer

index

Specifies an index to search (main, default, history, splunklogger, or another admin defined index). If there is more than one index modifier in a search command argument, only the first declaration will be evaluated.

Syntax

index="name of index" | name of index

maxresults

Limit the number of results that your search returns by specifying a maximum number of results. The default number of events for any search to return is 10,000.

Syntax

maxresults=integer(10000)

minutesago

Search events within the last N minutes.

Syntax

minutesago=integer

monthsago

Search events within the last N months.

Syntax

monthsago=integer

readlevel

Specifies how much detail is read from events returned from the search processor. This modifier is only useful in command line searches.

Syntax

readlevel=level

Arguments

readlimit

Specify the starting point of events within your results to read and return. By default this is set to 0 (to read all events).

Syntax

readlimit=integer | "integer range"

• Example: readlimit="20-29" - Reads events 20-29.

related

Specifies events that are related to the event of id event_id. The value assigned to a related search is a hash value that only makes sense to the server. Related results are sorted by relevance rather than by time.

Syntax

related=hash value

• Example: related="0:12345"

savedsearch

Search for events that would be found by the specified saved search.

Syntax

savedsearch=name_of_saved_search

searchtimespanminutes

Search within a specified range of minutes (expressed as an integer).

Syntax

searchtimespanminutes=integer

searchtimespanhours

Search within a specified range of hours (expressed as an integer).

Syntax

searchtimespanhours=integer

searchtimespandays

Search within a specified range of days (expressed as an integer).

Syntax

searchtimespandays=integer

searchtimespanmonths

Search within a specified range of months (expressed as an integer).

Syntax

searchtimespanmonths=integer

startminutesago

Search the specified number of minutes ago from the present time (expressed as an integer).

Syntax

minutesago=integer

starthoursago

Search the specified number of hours ago from the present time (expressed as an integer).

Syntax

hoursago=integer

startdaysago

Search the specified number of days ago from the present time (expressed as an integer).

Syntax

daysago=integer

startmonthsago

Search the specified number of months ago from the present time (expressed as an integer).

Syntax

monthsago=integer

timeformat

Change the format for the starttime and endtime modifiers. All Splunk searches have the default time format of: %m/%d/%Y:%H:%M:%S.

Syntax

timeformat=string

Arguments