Reputation: 11215
Is the a way to customize Splunk's time range selector?
While querying in Splunk, we have the Time range selection drop-down on the right-hand side.
When selecting the range If find myself copying and pasting 4 times usually.
- From date
- From time
- To date
- To time
I have to do this several times daily - I find it super annoying!
My question(s):
- Is there a way to customize the Splunk range selector?
- Or Is there a more effective way to do such queries?
Upvotes: 1
Views: 1173
Answers (3)
Reputation: 112
I personally like it to use following time selection
earliest=@d+7h latest=@d+9h
Now if you do testing, you have all the time the same time range because it is limited with an absolut time end by latest. Otherwise you may look always til now. If you have a busy index you may want to use something like
earliest=@d+7h latest=@d+7h+2m
Upvotes: 2
Reputation: 11
If the time range you select each time of the day follow a pattern, you can do it.
Instead of selecting the actual date and time, go to the option for Advanced, and then enter a relative time. Eg: midnight till current time. Earliest: @d latest: now
Last 2 hr Earliest: -2h latest: now
And then, once the query runs, copy or bookmark the full url from your browser address bar. (This will have the time ranges selected also).
If the time range you select each time are random and don’t follow a pattern, it’s hard to do that.
Upvotes: 1
Reputation: 11215
A different approach is to ignore the date range selector and use Date range queries.
The following can be added to a query.
earliest="10/15/2019:20:00:00" latest="10/22/2019:20:00:00"
See the documentation for more information.
Some handy examples from the documentation
To search for data from now and go back in time 5 minutes
earliest=-5m.
To search for data between 2 and 4 hours ago
earliest=-4h latest=-2h.
To search for data using an exact date range, such as from October 15 at 8 PM to October 22 at 8 PM
timeformat %m/%d/%Y:%H:%M:%S
Or with specify dates like
earliest="10/15/2019:20:00:00" latest="10/22/2019:20:00:00"
To search for data from the beginning of today (12 AM or midnight)
use earliest=@d
The @ symbol is referred to as the snap to and d is the time unit.
Finally, To search for data from the beginning of today (12 AM or midnight) and apply a time offset of -2h
earliest=@d-2h
Upvotes: 4
Related Questions
- Splunk: How to get a timechart regarding the extracted _time values for which range() was applied?
- Splunk Enterprise: Exclude certain time ranges for a bigger time range
- Changing panel time for splunk dashboard studio irrespective of the global timing
- Splunk - Assigning custom time
- Splunk panel showing graph for a specific time range
- In splunk is there a way to prepopulate the time input field with values for another token?
- How to get splunk report for different time ranges
- Display Splunk Timechart in Local Time
- Splunk query substract time
- How do I change the timespan in a splunk timechart report?