Specifying time spans

Some SPL2 commands include an argument where you can specify a time span, which is used to organize the search results by time increments. The GROUP BY clause in the from command, and the bin, stats, and timechart commands include a span argument.

The time span can contain two elements, a time unit and timescale:

  • A time unit is an integer that designates the amount of time, for example 5 or 30.
  • A timescale is word or abbreviation that designates the time interval, for example seconds, minutes, or hours.

When you specify a time span, the timescale is required. If no time unit is specified, 1 is used as the default time unit. For example if you specify min, 1 minute is used.

Supported timescales

The supported timescale intervals are listed in the following table:

Timescale interval Valid abbreviations
second s, sec, secs, second, seconds
minute m, min, minute, minutes
hour h, hr, hrs, hour, hours
day d, day, days
week w, week, weeks
month mon, month, months
quarter q, qtr, qtrs, quarter, quarters
year y, yr, yrs, year, years

Default time span

If you use the predefined time ranges in the Time Range Picker, and do not specify a span argument, the following table shows the default spans that are used:

Time range Default time span
Last 15 minutes 10 seconds
Last 60 minutes 1 minute
Last 4 hours 5 minutes
Last 24 hours 30 minutes
Last 7 days 1 day
Last 30 days 1 day
Previous year 1 month

Examples of specifying time spans

The following table shows how to specify time spans in various SPL2 commands:

Command Description Example
GROUP BY clause

in the from command

This search returns web access error information, grouped by host in 5 minute time spans.

There are several ways to specify a time span with the GROUP BY clause, see from command syntax details. 

SELECT count(), host, _time 
FROM index 
WHERE sourcetype="webaccess" 
  AND `ERROR` 
GROUP BY host, span(_time, 5m)
bin This example sets the span to 12 hour intervals and aligns the bins to 3am (local time). The bins will represent 3am - 3pm, then 3pm - 3am (the next day), and so on. The results are set into bins based on the _time field. 
...| bin span=12h aligntime=@d+3h 
_time
stats This example counts the values in the action field and organized the results into 30 minute time spans.

When you use the span argument, the field you use in the <by-clause> must be either the _time field, or another field with values in UNIX time. 

...| stats count(action) AS count BY 
_time span=30m