https://community.splunk.com/t5/Getting-Data-In/query-for-time/m-p/103530#M21770 <P>I need a query that will extract all log data between (say) 10:00 PM and 10:00 AM. What is the best way to accomplish this?</P> <P>TIA</P> Tue, 17 May 2011 17:01:27 GMT DTERM 2011-05-17T17:01:27Z https://community.splunk.com/t5/Getting-Data-In/query-for-time/m-p/103530#M21770 <P>I need a query that will extract all log data between (say) 10:00 PM and 10:00 AM. What is the best way to accomplish this?</P> <P>TIA</P> Tue, 17 May 2011 17:01:27 GMT https://community.splunk.com/t5/Getting-Data-In/query-for-time/m-p/103530#M21770 DTERM 2011-05-17T17:01:27Z https://community.splunk.com/t5/Getting-Data-In/query-for-time/m-p/103531#M21771 <PRE><CODE> index=* earliest=05/16/2011:22:0:0 latest=05/17/2011:10:0:0 </CODE></PRE> <P><A href="http://www.splunk.com/base/Documentation/latest/User/ChangeTheTimeRangeOfYourSearch">http://www.splunk.com/base/Documentation/latest/User/ChangeTheTimeRangeOfYourSearch</A></P> <P>Specify absolute time ranges in your search</P> <P>When searching or saving a search, you can specify time ranges using the following attributes:</P> <PRE><CODE>earliest=&lt;time_modifier&gt; latest=&lt;time_modifier&gt; </CODE></PRE> <P>For exact time ranges, the syntax of time_modifier is: %m/%d/%Y:%H:%M:%S. For example, to specify a time range from 12AM October 19, 2009 to 12AM October 27, 2009:</P> <PRE><CODE>earliest=10/19/2009:0:0:0 latest=10/27/2009:0:0:0 </CODE></PRE> <P>If you specify only the "earliest" attribute, "latest" is set to the current time (now) by default. In general, you won't specify "latest" without an "earliest" time.</P> <P>Important: When you specify a time range in your search or saved search, it overrides the time range that is selected in the dropdown menu. However, the time range specified directly in the search string will not apply to subsearches (but the dropdown selected range will apply). </P> Tue, 17 May 2011 17:06:46 GMT https://community.splunk.com/t5/Getting-Data-In/query-for-time/m-p/103531#M21771 jbsplunk 2011-05-17T17:06:46Z https://community.splunk.com/t5/Getting-Data-In/query-for-time/m-p/103532#M21772 <P>can earliest only be time or does it have to include date? because the only way i find myself to search time range across differents dates is to use a search which says :</P> <P>date_hour &gt; 23 OR date_hour &lt; 11 and then select a date range in the dropdown menu</P> Mon, 28 Sep 2020 09:34:23 GMT https://community.splunk.com/t5/Getting-Data-In/query-for-time/m-p/103532#M21772 MarioM 2020-09-28T09:34:23Z https://community.splunk.com/t5/Getting-Data-In/query-for-time/m-p/103533#M21773 <P>It does not have to include a date. Relative time modifiers can be used as per the documentation here:</P> <P><A href="http://www.splunk.com/base/Documentation/latest/User/ChangeTheTimeRangeOfYourSearch#Syntax_for_relative_time_modifiers">http://www.splunk.com/base/Documentation/latest/User/ChangeTheTimeRangeOfYourSearch#Syntax_for_relative_time_modifiers</A></P> <P>so something like 'earliest=@d-2h' specifies 10PM, for example.</P> Tue, 17 May 2011 17:34:40 GMT https://community.splunk.com/t5/Getting-Data-In/query-for-time/m-p/103533#M21773 jbsplunk 2011-05-17T17:34:40Z https://community.splunk.com/t5/Getting-Data-In/query-for-time/m-p/103534#M21774 <P>thanks! for the original question example it will be something like</P> <P>'earliest=@d-2h latest=@d+10' ?</P> Tue, 17 May 2011 17:47:05 GMT https://community.splunk.com/t5/Getting-Data-In/query-for-time/m-p/103534#M21774 MarioM 2011-05-17T17:47:05Z https://community.splunk.com/t5/Getting-Data-In/query-for-time/m-p/103535#M21775 <P>That ought to do it.</P> Tue, 17 May 2011 17:53:08 GMT https://community.splunk.com/t5/Getting-Data-In/query-for-time/m-p/103535#M21775 jbsplunk 2011-05-17T17:53:08Z