Splunk Searching with Time 2

In this section, we are going to learn How to use timestamp in Splunk and how we can search for better results in our Splunk dataset with the help of appropriate time.

Using Advanced time range options

We are using Advanced to set the earliest and latest search times. Relative time notation, such as -3d@d, can be written in. The time value of UNIX, which we type, is translated to local Time.

The UNIX time or relative Time we indicate is displayed under the text field as a timestamp so we can check our entry.

The list of Preset Time ranges customization.

The time range picker in Splunk Web can be tailored to the set of time ranges that exist in the Presets list. We can build an existing time range, or we can mask time ranges.

Create a time frame based on an existing timeline

To build a new time period, the best way is to use a current time period as the basis for a new time range. The Relative time period list, for example, includes the Last 15 minutes time range. We want to build the last 30 minutes with a time limit. We start by creating a duplicate of the Last 15 minutes time span, or clone. We change the Earliest setting inside the clone from -15min to -30min. From the Settings, under the Knowledge list, select the User interface option.

1. Pick Time Ranges in the User Interface pane.
2. Locate the time period We want to use.
3. In the Actions column, click clone.
4. There is a copy of the time-specifications. Make changes to the Time-span requirements and press Save.

The new time range shows up in the Presets menu in the Relative column.

Create a new Preset time range

The Presets menu will create a new time. For example, We want to build a time range which shows searches from 12:00 to 15:00 hours yesterday. In the fields Earliest and Latest, We will state relative times. In the sector Earliest We say -1d@d+12h. We say -1d@d+15h in the sector Latest.

1. From the Settings menu, select the User interface under the Knowledge list.
2. In User Interface, click on the Time ranges
3. Click
   on the New option.
4. Fill the fields in the Add New window section and then click on the Save

The new time range is shown in the Relative list, which is present in the Presets menu.

In presets list hide a time range

1. From the Settings, in the Knowledge list, select the User interface.
2. In the User Interface window, select Time ranges.
3. Locate the time range. We want to hide in the Status column click Disable.

Setting default time ranges for the API or CLI.

When setting a time range for a REST API endpoint or the command-line interface ( CLI), We can set time ranges manually in the times.conf file.

Open a Support ticket if We are using Splunk Cloud and want to either cover a time range or build a new time range.

Change the default time range.

In the Search & Reporting app, the default time limit for ad hoc searches is set to the Last 24 hours. An administrator, across all devices, can set the default time range globally.

Specify time modifiers in your search

We can determine absolute and relative time ranges while searching or saving a search using the following time alterers:

For example, an absolute time-span uses different dates and times from 12 AM 1 November 2020-12 AM 13 November 2002.

A relative time period depends on when the quest is going. A corresponding time period of -60 m, for example, means 60 minutes ago. The quest returns events from the last 60 minutes, or 2 PM, if the current Time is 3 PM By 3 PM Today ... Today.

The current Time is known as "now."

A time range defined by We in the search bar, or in a saved search, overrides the time range selected in the time range picker.

For instance, if We specify a time range of the Last 24 hours in the Time Range Picker and specify earliest=-30 m latest = now in the Search bar, the search only looks for events that have a time mark within the last 30 minutes.

This refers to all of the options that We can choose in the Time Range Picker, but this does not apply to sub searches.