Skip to main content
Version: 4.3

Specify narrow time ranges

Smart Monitor provides a wide range of functional capabilities for data analysis and processing. One of the important features available to users is the ability to set a time range within a search query. This feature allows analysts to more precisely define the timeframe for data analysis, which contributes to obtaining more relevant results.

When searching or saving a search, you can specify absolute and relative time ranges using the following time modifiers:

earliest=<start_time>  latest=<end_time>

Where:

  • earliest: Defines the initial time interval boundary for the search query

  • latest: defines the end boundary of the search query time interval

    warning

    These constructs are command arguments source. For more information, see here.

Time ranges and subsearches

To work with large search queries, it is important to understand how these time ranges affect the main search and subquery:

  1. Using a Time Filter: When you use the time range picker, the selected time range applies to both the main search and subsearches. However, this only happens if the time range is not explicitly specified in the search string
  2. Specifying time ranges in the search bar: If a time range is specified directly in the search string, it applies only to that part of the query. This means that the time range in the search string will not extend to other parts of the main search or to the subquery
  3. Impact of time ranges on main search and subquery:
    • time ranges specified in the main search do not apply to the subquery
    • time ranges specified in subsearches apply only to the corresponding subsearch. This means that the time range specified in the subsearch does not affect the main search or other subqueries

Setting relative and absolute range

To define relative and absolute time when searching, you can use the graphical interface or special arguments on the command line.

source <source_name> earliest=<relative_start_date> latest=<relative_end_date>

arguments:

  • source <source_name>: Specifies the data source in which the search will be performed
  • earliest=<relative_start_date>: Time range boundary (start)
  • latest=<relative_end_date>: Time range boundary (end)

Specify relative time ranges

You define the relative time in your search by using a string of characters that indicate the amount of time. The syntax is an integer and a time unit.

  1. Begin your string with a minus ( - ) or a plus ( + ) to indicate the offset before or after the time amount
  2. Specify the amount of time by using a number and a time unit. When you specify single time amounts, the number is implied. For example s is the same as 1s, m is the same as 1m, and so on. The supported time units are listed in the following table:
    • s - Second
    • m - Minutes
    • h - Hours
    • d - Days
    • w - weeks
    • M - Months

Example

The following is an example of using a relative range to search for data from 1 hour of the previous day:

source winlog_auth earliest="-1d" latest="-23h"

As a result, we obtain the following data:

Appearance of the Quick Select position

Absolute interval

In Smart Monitor, an absolute range is typically used to define a specific time interval within which a data search or aggregation needs to be performed. This is important when you want to limit the search to a specific time period only.

Example

source winlog_auth earliest="2024-03-01T00:00:00" latest="2024-03-01T23:59:59"

In this query example, the search is specified to be performed in logs from the winlog_auth source for March 1, 2024, from the start of the day (00:00) to the end of the same day.

Appearance of the Quick Select position