An event is timestamped with the receipt time when it is received on the Logger. By default, a search query uses the receipt time to search for matching events. However, you can also use the event time as a search option.
Under most circumstances, the Logger receipt time is the same as the event time. However, the event time and the Logger receipt time for an event can differ because there is usually a small lag between the time an event leaves a device and the time it is received at the Logger. If the device’s clock is ahead of or behind the Logger clock, the lag or lead can be significant.
A search operation requires you to specify the time range within which events would be searched. You can select from many predefined time ranges or define a custom time range to suit your needs.
When defining a time range for your query, be sure to take the information in Impact of Daylight Savings Time Change on Logger Operations into consideration.
Predefined time range: When you select a predefined time range such as “Last 2 Hours” or “Today”, the time range is relative to the current time. For example, if you select “Last 2 Hours” at 2:00:00 PM on July 13th, events from 12:00:00 to 2:00:00 PM on July 13th will be searched. If you refresh your search results at 5:00:00 PM on the same day, the time window is recalculated. Therefore, events that match the specified criteria and occurred between 3:00:00 and 5:00:00 PM on July 13th are displayed.
Custom time range: You can specify a time range in a 24-hour format to suit your needs. For example, a custom time range is:
Start: 8/13/2020 13:36:30
End: 8/13/2020 22:36:30
By default, the end time for a custom time range is the current time on your Logger and the start time is two hours before the current time. You can also use variables to specify custom time ranges.
Dynamic time range: The dynamic search is relative to the time the query is run. Scheduled search operations use this mechanism to search through newer event data each time they are run. A dynamic date range might start at $Now - 2h (two hours ago) and end at $Now (the current time).
The “Dynamic” field in the user interface enables you to specify the dynamic time. Following is a typical example of a dynamic search that limits results to the last two hours of activity:
Start: $Now - 2h
End: $Now
The syntax for dynamic search is:
<current_period> [ +/- <units>]
Where <current_period>, such as $Now, either stands alone or is followed by a plus (‘+’) or minus (‘-’) and a number of units, such as 2h for two hours. The <current_period> always starts with a ‘$’ and consists of a single case-sensitive word with no spaces, as shown in the table Current Period. The <units> portion, if given, consists of an integer and a single, case-sensitive letter, as shown in the table Units.
In the Search page, the Selected Time range shows how the dynamic time is reflected in your search. Logger converts $Now to a mm/dd/yy:hh/mm/ss format so that you can see the exact times used for the search execution.
| Period | Description |
|---|---|
| $Now | The current minute |
| $Today | Midnight (the beginning of the first minute) of the current day |
|  | Midnight of the previous Monday (or same as $Today if today is Monday) |
|  | Midnight on the first day of the current month |
|  | Midnight on the first day of the current year |

| Unit | Description |
|---|---|
| m | Minutes (Do not confuse with ‘M’, meaning months) |
| h | Hours |
|  | Days |
|  | Weeks |
| M | Months (Do not confuse with ‘m’, meaning minutes) |
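The following Python sketch is an added example, not Logger code or part of the product documentation. It resolves the dynamic syntax above for the $Now and $Today periods with minute and hour units only, then shows how an event from a device whose clock lags the Logger is matched when searching by receipt time but missed when searching by event time. The function names, the event dictionary layout, the inclusive window bounds and the sample timestamps are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Only $Now and $Today, with minute and hour units, are handled in this sketch.
PERIODS = {
    "$Now": lambda now: now,
    "$Today": lambda now: now.replace(hour=0, minute=0, second=0, microsecond=0),
}
UNITS = {"m": "minutes", "h": "hours"}  # case-sensitive: 'M' (months) is not 'm'
EXPR = re.compile(r"^(\$[A-Za-z]+)(?:\s*([+-])\s*(\d+)([A-Za-z]))?$")

def resolve(expr, now):
    """Resolve '<current_period> [+/- <units>]' to a datetime."""
    m = EXPR.match(expr.strip())
    if not m:
        raise ValueError(f"not a dynamic time expression: {expr!r}")
    period, sign, count, unit = m.groups()
    if period not in PERIODS:  # also rejects wrong case such as '$now'
        raise ValueError(f"unsupported period: {period}")
    base = PERIODS[period](now)
    if sign is None:
        return base
    if unit not in UNITS:
        raise ValueError(f"unsupported unit: {unit!r}")
    delta = timedelta(**{UNITS[unit]: int(count)})
    return base + delta if sign == "+" else base - delta

def in_window(event, start, end, now, field="receipt_time"):
    """True if the chosen timestamp lies in [start, end] (inclusive bounds assumed)."""
    return resolve(start, now) <= event[field] <= resolve(end, now)

# Constructed sample: a device whose clock runs about 3 hours behind the Logger.
NOW = datetime(2020, 8, 13, 14, 0, 0)
SKEWED_EVENT = {
    "name": "login failure",
    "event_time": datetime(2020, 8, 13, 10, 30, 0),    # stamped by the device
    "receipt_time": datetime(2020, 8, 13, 13, 30, 5),  # stamped by the Logger
}

if __name__ == "__main__":
    for field in ("receipt_time", "event_time"):
        hit = in_window(SKEWED_EVENT, "$Now - 2h", "$Now", NOW, field)
        print(f"{field:13} in [$Now - 2h, $Now]: {hit}")
```

When hunting for activity from a device with a known clock offset, widen the window or search on the timestamp the offset does not affect.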