Skip to main content

Specify narrow time ranges

SAF user interfaces use a default time range when you create a search. This range helps to avoid running searches with overly-broad time ranges that waste system resources and produce more results than you really need.

Whether you are running a new search, a report, or creating a dashboard, it is important to narrow the time range to only the dates or times that you really need. Time is also crucial for determining what went wrong. You often know when something happened, if not exactly what happened. Looking at events that happened around the same time that something went wrong can help correlate results and find the root cause of the problem.

When searching or saving a search, you can specify absolute and relative time ranges using the following time modifiers:

earliest=<start_time>  latest=<end_time>

Where:

  • earliest: Defines the initial time interval boundary for the search query.

  • latest: defines the end boundary of the search query time interval.

    Attention!

    These constructs are command arguments source. For more information, see here.

Time ranges and subsearches

To work with large search queries, it is important to understand how these time ranges affect the main search and subquery:

  1. Using a Time Filter: When you use the time range picker, the selected time range applies to both the main search and subsearches. However, this only happens if the time range is not explicitly specified in the search string.
  2. Specifying time ranges in the search bar: If a time range is specified directly in the search string, it applies only to that part of the query. This means that the time range in the search string will not extend to other parts of the main search or to the subquery.
  3. Impact of time ranges on main search and subquery:
    • Time ranges specified in the main search do not apply to the subquery.
    • Time ranges specified in subsearches apply only to the corresponding subsearch. This means that the time range specified in the subsearch does not affect the main search or other subqueries

Setting relative and absolute range

To define relative and absolute time when searching, you can use the graphical interface or special arguments on the command line.

source <source_name> earliest=<relative_start_date> latest=<relative_end_date>

arguments:

  • source <source_name>: Specifies the data source in which the search will be performed.
  • earliest=<relative_start_date>: Time range boundary (start).
  • latest=<relative_end_date>: Time range boundary (end).

Specify relative time ranges

You define the relative time in your search by using a string of characters that indicate the amount of time. The syntax is an integer and a time unit.

  1. Begin your string with a minus ( - ) or a plus ( + ) to indicate the offset before or after the time amount.
  2. Specify the amount of time by using a number and a time unit. When you specify single time amounts, the number is implied. For example s is the same as 1s, m is the same as 1m, and so on. The supported time units are listed in the following table.
    • s - Second
    • m - Minutes
    • h - Hours
    • d - Days
    • w - weeks
    • M - Months

Example

Search data between 24 hours and 23 hours ago:

source wineventlog-* earliest="-1d" latest="-23h"

Specify absolute time ranges

In SAF, an absolute range is used to define a specific time interval in which to search.

Example

В этом примере запроса указано выполнение поиска в логах из источника wineventlog-* за 1 марта 2024 года с начала дня (00:00) до конца того же дня.

source wineventlog-* earliest="2024-03-01T00:00:00" latest="2024-03-01T23:59:59"