
Is there a way to customize Splunk's time range selector?


While querying in Splunk, we have the Time range selection drop-down on the right-hand side.


When selecting the range, I find myself copying and pasting 4 times, usually.

  1. From date
  2. From time
  3. To date
  4. To time

I have to do this several times daily - I find it super annoying!

My question(s):

  • Is there a way to customize the Splunk range selector?
  • Or is there a more effective way to do such queries?

Solution

  • A different approach is to ignore the date range selector and use Date range queries.

    The following can be added to a query.

    earliest="10/15/2019:20:00:00" latest="10/22/2019:20:00:00"
    

    See the documentation for more information.


    Some handy examples from the documentation

    To search for data from now and go back in time 5 minutes

    earliest=-5m
    

    To search for data between 2 and 4 hours ago

    earliest=-4h latest=-2h
    

    To search for data using an exact date range, such as from October 15 at 8 PM to October 22 at 8 PM

    timeformat %m/%d/%Y:%H:%M:%S 
    

    Or with specific dates like

    earliest="10/15/2019:20:00:00" latest="10/22/2019:20:00:00"
    

    To search for data from the beginning of today (12 AM or midnight)

    use earliest=@d
    

    The @ symbol is referred to as the snap to and d is the time unit.

    Finally, to search for data from the beginning of today (12 AM or midnight) and apply a time offset of -2h

    earliest=@d-2h
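
An added example, not part of the original answer: a small Python helper that turns two ISO 8601 timestamps (for instance from an alert or ticket) into a single `earliest="..." latest="..."` string in the `%m/%d/%Y:%H:%M:%S` format shown above, so only one value has to be pasted. The function names, the `pad_minutes` and `display_tz` parameters, and the sample timestamps are assumptions made for this illustration; `display_tz` is assumed to match the time zone the search is run in.

```python
from datetime import datetime, timedelta, timezone

# Default timeformat for absolute earliest/latest values, as quoted in the answer above.
SPLUNK_TIMEFORMAT = "%m/%d/%Y:%H:%M:%S"


def _parse(value, default_tz):
    # Accept a trailing "Z" (UTC), which fromisoformat rejects before Python 3.11.
    parsed = datetime.fromisoformat(value.strip().replace("Z", "+00:00"))
    # Naive timestamps are assumed to already be in the display zone.
    return parsed if parsed.tzinfo else parsed.replace(tzinfo=default_tz)


def splunk_time_range(start_iso, end_iso, pad_minutes=0, display_tz=timezone.utc):
    """Return 'earliest="..." latest="..."' for two ISO 8601 timestamps.

    pad_minutes widens the window on both sides (handy around an alert time).
    display_tz is the zone the values are rendered in (assumption: it matches
    the time zone the search will be run in).
    """
    start = _parse(start_iso, display_tz)
    end = _parse(end_iso, display_tz)
    if end < start:
        raise ValueError("end is before start")
    pad = timedelta(minutes=pad_minutes)
    earliest = (start - pad).astimezone(display_tz).strftime(SPLUNK_TIMEFORMAT)
    latest = (end + pad).astimezone(display_tz).strftime(SPLUNK_TIMEFORMAT)
    return f'earliest="{earliest}" latest="{latest}"'


if __name__ == "__main__":
    # Constructed sample values, matching the dates used in the answer.
    print(splunk_time_range("2019-10-15T20:00:00Z", "2019-10-22T20:00:00Z"))
    # A constructed alert time in UTC+02:00, searched with 15 minutes either side.
    print(splunk_time_range("2019-10-15T14:30:00+02:00",
                            "2019-10-15T14:30:00+02:00", pad_minutes=15))
```
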