A search query can either have a fixed start and end date, where you cannot refresh data, or a time range that captures the most recent data. For example, if you choose the predefined Last 30 minutes setting, Recon updates data upon reexecuting the search based on the most recent 30 minutes. Alternatively, you can create a dynamic date range.
Search offers a flexible, dynamic setting for the time range where you can enter the desired time stamp without using the calendar to specify days, hours, and minutes. The dynamic date range uses the following syntax:
<dynamic_time>
or
<dynamic_time> [+/- <units>]
For example, to search for events that have occurred in the last two hours, you can specify $Now – 2h for Start time and $Now for End time. To find events that have occurred this week, you can enter $CurrentWeek for Start time and $Now for End time.
To enter a dynamic date range:
When viewing a search or starting a query, select the currently specified time range.
For the start or end time under Custom Range, select Dynamic.
To specify the dynamic_time, enter one of the following values:
|
Value |
Represents |
|---|---|
|
$Now |
The current minute |
|
$Today |
Midnight of the current day |
|
$CurrentWeek |
Midnight of the previous Monday (or same as $Today if today is Monday) |
|
$CurrentMonth |
Midnight on the first day of the current month |
|
$CurrentYear |
Midnight on the first day of the current year |
To specify the units, enter one of the following values:
|
Value |
Represents |
|---|---|
|
m (lowercase) |
Minutes |
|
h |
Hours |
|
d |
Days |
|
w |
Weeks |
|
M (uppercase) |
Months |
Searches for events in a time range are based on the timestamps of matching events and use the time zone of the local browser. The time range criteria applies to the Normalized Event Time (NET) rather than the Event Time. NET replaces illogical Event Time values with Persisted Time to correct the incorrect Event Times. You might need to account for the time zone offset from UTC and from other time zones, including Daylight Savings Time. The time range that you specify in the time range selector is inclusive. Search includes the whole second as the end time. For example, if you specify a time range between 2018-01-01 12:00:00 and 2018-01-01 12:59:59, Search includes all data from 2018-01-01 12:00:00.000 to 2018-01-01 12:59:59.999, inclusive.
For searches that you create in a different time zone, the Events Timeline converts the time segments to local times. If the Events table includes a time attribute, Search converts the time to local time. However, the aggregation reflects the original time zone. For example, if the Events Timeline has seven bars in the original time zone, the number of bars could increase or decrease to reflect the current time zone.