While querying in Splunk, we have the Time range selection drop-down on the right-hand side.
When selecting the range If find myself copying and pasting 4 times usually.
I have to do this several times daily - I find it super annoying!
My question(s):
On
I personally like it to use following time selection
earliest=@d+7h latest=@d+9h
Now if you do testing, you have all the time the same time range because it is limited with an absolut time end by latest. Otherwise you may look always til now. If you have a busy index you may want to use something like
earliest=@d+7h latest=@d+7h+2m
If the time range you select each time of the day follow a pattern, you can do it.
Instead of selecting the actual date and time, go to the option for Advanced, and then enter a relative time. Eg: midnight till current time. Earliest: @d latest: now
Last 2 hr Earliest: -2h latest: now
And then, once the query runs, copy or bookmark the full url from your browser address bar. (This will have the time ranges selected also).
If the time range you select each time are random and don’t follow a pattern, it’s hard to do that.
A different approach is to ignore the date range selector and use Date range queries.
The following can be added to a query.
See the documentation for more information.
Some handy examples from the documentation
To search for data from now and go back in time 5 minutes
To search for data between 2 and 4 hours ago
To search for data using an exact date range, such as from October 15 at 8 PM to October 22 at 8 PM
Or with specify dates like
To search for data from the beginning of today (12 AM or midnight)
The @ symbol is referred to as the snap to and d is the time unit.
Finally, To search for data from the beginning of today (12 AM or midnight) and apply a time offset of -2h