Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is there a way to manipulate time range picker using just a seach query?

wagnerbianchi
Splunk Employee
Splunk Employee
‎11-20-2012 04:24 AM

Since some days ago I was thinking a way to manipulate the "time range picker" or even the period to retrieve data from Splunk just using a query on Search App. Is it possible?

I will appreciate any hints on that, thank you.

Tags (2)
0 Karma
Reply

bwooden
Splunk Employee
Splunk Employee
‎11-20-2012 04:42 AM

Yes, you may override the time range picker value in the search syntax itself. For example, to search for the last 5 minutes, regardless of time range picker value:

sourcetype=foo index=bar host=baz earliest=-5m

There is a list of relative time modifiers that details all the options.

Note: This technique will create a notification to the user that the time range pickers was overridden.

Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎11-20-2012 04:40 AM

You can use inline time modifiers. For example: to search 2 days ago until 1 day ago, you can use this inline with your other searchterms:

sourcetype=foo earliest=-2d@d latest=-1d@d|other_commands

You can read more on Time Modifiers here: http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/SearchTimeModifiers

Reply

sowings
Splunk Employee
Splunk Employee
‎11-20-2012 04:39 AM

You can use the earliest and latest keywords in your search (they have to be before the first pipe | character) to change the time range. This doesn't update the shown label of the time range picker, though.

See here for more information.

Reply

sowings
Splunk Employee
Splunk Employee
‎11-20-2012 04:47 AM

Heh, this one was a foot race!

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎11-20-2012 04:40 AM

darn you! 😄

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...