Documentation: 3.2

About this manual
- What's in this guide?
About Splunk
- About Splunk
Tutorial
Use the Splunk Command Line Interface (CLI)
- About Splunk's CLI
- Search in the CLI
Use form search
- Form search
  - Run a form search
Use Live Tail
- Live tail
Use transaction search
- Transactions
Search reference
Field reference
- About fields
- List of default fields
  - _index
  - _raw
  - _time
  - date_hour
  - date_mday
  - date_minute
  - date_month
  - date_second
  - date_wday
  - date_year
  - date_zone
  - eventtype
  - host
  - linecount
  - punct
  - source
  - sourcetype
  - timestamp
Modifier reference
Search command reference
- Search commands
- Data-generating commands
  - file
  - savedsearch
  - search
- Saving commands
- Filter and re-order
  - dedup
  - head
  - localize
  - regex
  - reverse
  - set
  - sort
  - tail
  - where
- Transforming and reporting commands
  - associate
  - chart
  - cluster
  - contingency
  - correlate
  - diff
  - format
  - highlight
  - rare
  - stats
  - strcat
  - timechart
  - top
  - transaction
  - typelearner
  - xmlunescape
- Evaluate
  - abstract
  - addtotals
  - anomalousvalue
  - bucket
  - convert
  - eval
  - fields
  - fillnull
  - kmeans
  - outlier
  - rename
  - replace
- Extracting commands
  - extract
  - iplocation
  - multikv
  - rex
  - typer
  - xmlkv
- Administrative commands
  - admin
  - audit
  - run

This page last updated: 05/13/08 07:05am

Time modifiers

Use time modifiers to adjust the time range of a search, specify a time to start or stop a search, or change the timestamp format of search results.

daysago

Search events within the last N days.

Syntax

daysago=integer

Arguments

integer

Integer number of days.

enddaysago

Set an end time (in days) that is = now - number specified.

Syntax

enddaysago=integer

Arguments

integer

Integer number of days.

endhoursago

Set an end time (in hours) that is = now - number specified.

Syntax

endhoursago=integer

Arguments

integer

Integer number of hours.

endminutesago

Set an end time (in minutes) that is = now - number specified.

Syntax

endminutesago=integer

Arguments

integer

Integer number of minutes.

endmonthsago

Set an end time (in months) that is = now - number specified.

Syntax

endmonthsago=integer

Arguments

integer

Integer number of months.

endtime

Search for events before the specified time (exclusive of the specified time).

Use timeformat to set the time format to use. For example: if timeformat=%m/%d/%Y:%H:%M:%S, then endtime=09/07/1978:09:00:00, and all results are before that time.

Syntax

endtime=string

Arguments

string Specified time in the time stamp format specified by timeformat.

hoursago

Search events within the last N hours.

Syntax

hoursago=integer

Arguments

integer

Integer number of hours.

minutesago

Search events within the last N minutes.

Syntax

minutesago=integer

Arguments

integer

Integer number of minutes.

monthsago

Search events within the last N months.

Syntax

monthsago=integer

Arguments

integer

Integer number of months.

searchtimespandays

Search within a specified range of days (expressed as an integer).

Syntax

searchtimespandays=integer

Arguments

integer

Integer number of days.

searchtimespanhours

Search within a specified range of hours (expressed as an integer).

Syntax

searchtimespanhours=integer

Arguments

integer

Integer number of hours.

searchtimespanminutes

Search within a specified range of minutes (expressed as an integer).

Syntax

searchtimespanminutes=integer

Arguments

integer

Integer number of minutes.

searchtimespanmonths

Search within a specified range of months (expressed as an integer).

Syntax

searchtimespanmonths=integer

Arguments

integer

Integer number of months.

startdaysago

Search the specified number of days ago from the present time (expressed as an integer).

Syntax

startdaysago=integer

Arguments

integer

Integer number of days.

starthoursago

Search the specified number of hours ago from the present time (expressed as an integer).

Syntax

starthoursago=integer

Arguments

integer

Integer number of hours.

startminutesago

Search the specified number of minutes ago from the present time (expressed as an integer).

Syntax

startminutesago=integer

Arguments

integer

Integer number of minutes.

startmonthsago

Search the specified number of months ago from the present time (expressed as an integer).

Syntax

startmonthsago=integer

Arguments

integer

Integer number of months.

starttime

Search from the specified date and time to the present (inclusive of the specified time).

Syntax

starttime=timestamp

Arguments

timestamp

Time (in a timestamp format ie: %m/%d/%Y %H:%M:%S) to set your search to start on.

starttimeeu

Search from the specified date and time to the present expressed in European date/time format.

Syntax

starttimeeu=timestamp

Arguments

timestamp

Time (in a european timestamp format ie: %d/%m/%Y %H:%M:%S) to set your search to start on.

timeformat

Set time format for the starttime and endtime modifiers.

Note: Splunk searches have the default time format of: %m/%d/%Y:%H:%M:%S.

Syntax

timeformat=string

Arguments

string =

%m/%d/%Y:%H:%M:%S (default = %m/%d/%Y:%H:%M:%S).

Previous: Search modifiers | Next: Search commands

Comments

First, sorry this comment is a little long, but Im trying to give a complete answer.

One big note: This page is just describing the timeformat argument to the search command. Which specifies the timeformat that your starttime and endtime searchterms will follow.
Somewhat confusingly this argument will have no effect if you try and use it in the UI. So it's really only relevant to someone learning about the REST interface, or perhaps the CLI, but the CLI may also override user-specified timeformats like the UI does, im not sure.

Now, making the assumption that your question is about the UI, there are 4 areas where 24hr versus 12 hour strings appear in the UI.

-- The 2 main places where we use 12-hour timeforrmats are in what we generally call the results header, ie "1 result at 7 PM on Thursday July 17 2008",
and also the timeline itself, whose axis labels will always say 12-hour clock values whenever the timeline is showing hours.

-- And there are 2 other places, where we already show 24-hour clock values. First in the search results themselves and finally in the starttime and endtime searchterms that the product uses. (again which is the only one of the 4 that the documentation on this page is addressing)

Unfortunately whereas these last two are showing 24 hour format, and are even somewhat configurable, the timeformats for the first two (the results header and the timeline) both show 12-hour values, and are not configurable**.

Also, since the code around the results header and also the timeline each have to display a wide range of different types of time ranges, each one has a bunch of different timeformat strings that would have to be changed (part of the reason why we never got around to making these as configurable as the other simpler displays).
Nonetheless, if a developer or very-highly-motivated-personage wanted to change their install to show 24 hour values here, and they had some understanding of javascript (for the results header) and/or python (for the timeline strings), it could be done. All told, there's about 20 different timeformat strings, within each of which you'd have to change things like %l:%M %p into %H:%M.

I'll stop there, both cause there's not much else I can say besides filenames and line numbers, and also because I think if I give out filenames and line numbers, someone from support will come downstairs and administer a very well-justified beating.

So hope this helps. And we are working on making this totally configurable in the next big release.

** the one exception to these being non-configurable, is that if you use the european time formats with reversed day and month in literals.conf, both the results header strings and those in timeline are smart enough to notice this change, and they will respond by reversing the day/month order themselves.
Posted by nick on Jul 18 2008, 11:10am
How can you set a 24 hour clock in search results?
Posted by driekus on Jul 18 2008, 12:39am