Searching specific time ranges
When you create a search, try to specify only the dates or times that you're interested in. Specifying a narrow time range is a great way to filter the data in your dataset and to avoid producing more results than you really need.
To specify a time range in your search syntax, you use the earliest and latest time modifiers. You can specify an exact time such as earliest="10/5/2019:20:00:00", or a relative time such as earliest=-h or latest=@w6.
| Modifier | Syntax | Description |
|---|---|---|
| earliest | `earliest=[+\|-]<time_integer><time_unit>@<time_unit>` | Specify the earliest _time for the time range of your search. Use `earliest=1` to specify UNIX epoch time 1, which is January 1, 1970 at 12:00:01 AM UTC. |
| latest | `latest=[+\|-]<time_integer><time_unit>@<time_unit>` | Specify the latest _time for the time range of your search. If you omit latest, the current time (now) is used. |
Here are some examples:
- To search for data from now and go back in time 5 minutes, use `earliest=-5m`.
- To search for data from now and go back 40 seconds, use `earliest=-40s`.
- To search for data between 2 and 4 hours ago, use `earliest=-4h latest=-2h`.
- To search for data using an exact date range, such as from October 15 at 8 PM to October 22 at 8 PM, use the timeformat `%m/%d/%Y:%H:%M:%S` and specify dates like `earliest="10/15/2019:20:00:00" latest="10/22/2019:20:00:00"`.
- To search for data from the beginning of today (12 AM or midnight), use `earliest=@d`. The @ symbol is referred to as the snap-to and `d` is the time unit.
- To search for data from the beginning of today (12 AM or midnight) and apply a time offset of -2h, use `earliest=@d-2h`. The offset to the left of the @ is applied first, then the snap-to, then the offset to the right of the @. This results in an earliest time of 10 PM yesterday.
Here's an example of using a time range in a search that goes back 5 minutes, snapping to the beginning of the minute. The end of the time range is the beginning of the current minute.
| from main where earliest=-5m@m and latest=@m
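To see exactly which window a pair of modifiers resolves to, here is an added Python example (not part of this documentation and not Splunk's own code) that resolves the relative syntax described above against a supplied `now`: offsets, snap-to, weekday snap-to, UNIX epoch seconds and the exact `%m/%d/%Y:%H:%M:%S` format. The function names, the constructed `EXAMPLE_NOW`, and the clamping of month arithmetic to the last day of the month are this example's own choices; the weekday numbering assumes the Splunk convention that `@w` and `@w0` are Sunday and `@w6` is Saturday.

```python
import calendar
import re
from datetime import datetime, timedelta, timezone

# Canonical units for the aliases accepted in relative time modifiers.
UNITS = {
    "s": "s", "sec": "s", "secs": "s", "second": "s", "seconds": "s",
    "m": "m", "min": "m", "mins": "m", "minute": "m", "minutes": "m",
    "h": "h", "hr": "h", "hrs": "h", "hour": "h", "hours": "h",
    "d": "d", "day": "d", "days": "d",
    "w": "w", "week": "w", "weeks": "w",
    "mon": "mon", "month": "mon", "months": "mon",
    "q": "q", "qtr": "q", "qtrs": "q", "quarter": "q", "quarters": "q",
    "y": "y", "yr": "y", "yrs": "y", "year": "y", "years": "y",
}
OFFSET_RE = re.compile(r"([+-])(\d*)([a-z]+)")
ABSOLUTE_FORMAT = "%m/%d/%Y:%H:%M:%S"   # the timeformat used in the examples above

# Constructed "now" for the demo and tests: Thursday, October 17, 2019, 14:37:42 UTC.
EXAMPLE_NOW = datetime(2019, 10, 17, 14, 37, 42, tzinfo=timezone.utc)


def _add_months(dt, n):
    """Shift by whole months; the day is clamped to the target month's length (example's choice)."""
    idx = dt.year * 12 + (dt.month - 1) + n
    year, month0 = divmod(idx, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return dt.replace(year=year, month=month0 + 1, day=min(dt.day, last_day))


def _shift(dt, n, unit):
    fixed = {"s": timedelta(seconds=1), "m": timedelta(minutes=1),
             "h": timedelta(hours=1), "d": timedelta(days=1), "w": timedelta(weeks=1)}
    if unit in fixed:
        return dt + n * fixed[unit]
    return _add_months(dt, n * {"mon": 1, "q": 3, "y": 12}[unit])


def _snap(dt, unit, weekday):
    """Round down to the start of the unit. @w / @w0 = Sunday ... @w6 = Saturday (assumed)."""
    if unit == "s":
        return dt.replace(microsecond=0)
    if unit == "m":
        return dt.replace(second=0, microsecond=0)
    if unit == "h":
        return dt.replace(minute=0, second=0, microsecond=0)
    day = dt.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "d":
        return day
    if unit == "w":
        today = (day.weekday() + 1) % 7            # Python Mon=0 -> Sunday=0 numbering
        return day - timedelta(days=(today - weekday) % 7)
    if unit == "mon":
        return day.replace(day=1)
    if unit == "q":
        return day.replace(day=1, month=day.month - (day.month - 1) % 3)
    return day.replace(month=1, day=1)             # "y"


def _apply_offsets(dt, text):
    if not re.fullmatch(r"(?:[+-]\d*[a-z]+)*", text):
        raise ValueError(f"bad time offset: {text!r}")
    for sign, count, unit in OFFSET_RE.findall(text):
        if unit not in UNITS:
            raise ValueError(f"unknown time unit: {unit!r}")
        n = int(count or 1)                        # "-h" means "-1h"
        dt = _shift(dt, n if sign == "+" else -n, UNITS[unit])
    return dt


def resolve(modifier, now):
    """Turn one earliest/latest value into an aware datetime relative to the aware datetime *now*."""
    text = modifier.strip().strip('"')
    if text == "now":
        return now
    if text.isdigit():                              # UNIX epoch seconds, e.g. earliest=1
        return datetime.fromtimestamp(int(text), tz=now.tzinfo)
    try:                                            # exact date in the documented timeformat
        return datetime.strptime(text, ABSOLUTE_FORMAT).replace(tzinfo=now.tzinfo)
    except ValueError:
        pass
    before, at, after = text.partition("@")
    dt = _apply_offsets(now, before)               # offsets left of @ are applied first...
    if at:
        m = re.fullmatch(r"([a-z]+)(\d)?(.*)", after)
        if not m or m.group(1) not in UNITS:
            raise ValueError(f"bad snap-to: {modifier!r}")
        dt = _snap(dt, UNITS[m.group(1)], int(m.group(2) or 0))   # ...then the snap...
        dt = _apply_offsets(dt, m.group(3))        # ...then offsets right of @
    return dt


def resolve_window(earliest, latest, now):
    """Resolve a search window; latest defaults to now, and an inverted window is an error."""
    start = resolve(earliest, now)
    end = resolve(latest, now) if latest is not None else now
    if start >= end:
        raise ValueError(f"empty window: earliest {start} is not before latest {end}")
    return start, end


if __name__ == "__main__":
    for e, l in [("-5m", None), ("-4h", "-2h"), ("@d-2h", None), ("-5m@m", "@m")]:
        print(f"earliest={e} latest={l or 'now'} ->", resolve_window(e, l, EXAMPLE_NOW))
```

Two things the resolver makes visible: with `-5m@m` and `@m`, a search scheduled every 5 minutes on the minute boundary gets whole-minute windows that line up end to end, whereas `-5m` to now shifts with whatever second the scheduler happened to fire, so consecutive runs can overlap or leave gaps; and `resolve_window` rejects a pair such as `earliest=-2h latest=-4h`, which describes an empty range rather than a search of the last four hours.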
For more information about time modifiers, see Time modifiers.
Next step
See Combining commands.