Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Is there a way to manipulate time range picker using just a seach query?

wagnerbianchi
Splunk Employee
Splunk Employee
‎11-20-2012 04:24 AM

Since some days ago I was thinking a way to manipulate the "time range picker" or even the period to retrieve data from Splunk just using a query on Search App. Is it possible?

I will appreciate any hints on that, thank you.

Tags (2)
0 Karma
Reply

bwooden
Splunk Employee
Splunk Employee
‎11-20-2012 04:42 AM

Yes, you may override the time range picker value in the search syntax itself. For example, to search for the last 5 minutes, regardless of time range picker value:

sourcetype=foo index=bar host=baz earliest=-5m

There is a list of relative time modifiers that details all the options.

Note: This technique will create a notification to the user that the time range pickers was overridden.

Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎11-20-2012 04:40 AM

You can use inline time modifiers. For example: to search 2 days ago until 1 day ago, you can use this inline with your other searchterms:

sourcetype=foo earliest=-2d@d latest=-1d@d|other_commands

You can read more on Time Modifiers here: http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/SearchTimeModifiers

Reply

sowings
Splunk Employee
Splunk Employee
‎11-20-2012 04:39 AM

You can use the earliest and latest keywords in your search (they have to be before the first pipe | character) to change the time range. This doesn't update the shown label of the time range picker, though.

See here for more information.

Reply

sowings
Splunk Employee
Splunk Employee
‎11-20-2012 04:47 AM

Heh, this one was a foot race!

0 Karma
Reply

alacercogitatus
SplunkTrust
SplunkTrust
‎11-20-2012 04:40 AM

darn you! 😄

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...