In order to establish the search timeframe for Splunk there are 3 options that I know of.
Options 1 and 2 are the most user-friendly way to select the timeframe, but option 3 is the best way to share a timeframe when passing Splunk queries to others. The problem is that most users will select their timeframe with the GUI options (1 and 2) but then they need to go through some effort to insert the timeframe into their query if they want to share it.
Improvement Suggestion:
We need to add a quick link, button, or other trigger that will take the current timeframe of the search and enter it into the search string. For example, I might use the time dropdown to select the last 24 hours, which might be from the current time of 7/12/2012 11:00:00 to 7/11/2012 11:00:00. Then I want to share this search with a friend, so I click the handy time-insert link and the text earliest="7/11/2012:11:00:00" to latest="7/12/2012 11:00:00" is inserted into my search string, permanently framing my search timeframe.
Splunk already does this for search results. Click something in the search results and it is added and researched immediately. Splunk should be able to do the same for the timeframe.
Benefits:
This will definitely save Splunk users a significant amount of time. Even if you have a saved string with "earliest" and "latest" times already saved off, you still have to fumble around for about 30 seconds or more finding it, copy/pasting, and editing your time for a new search. Otherwise people are sending queries without the timeframe included, and there are multiple communication minutes lost going back and forth to get the correct timeframe across to the users.
Estimated Hours/Month Savings per Individual:
Hard to estimate, but several minutes per user of Splunk must be high.
I think that this is an interesting enhancement idea.
For the short term, know that you can "Save & Share Results" from the Save menu / button of the search view. This actually persists the search artifacts (results) of your search, and you can publish the link to your colleagues. Because it's just referencing the contents of a search which has already run, the time frame for the given report is "frozen", but the search bar's contents is the content of the search string. This allows your colleagues to then re-run the search on their own, but over a different time frame if desired, giving you the best of both worlds. They can use your initial search (cheaply--it's already been run!) as a launching point to continue their own search.