Yes, you may override the time range picker value in the search syntax itself. For example, to search for the last 5 minutes, regardless of time range picker value:
sourcetype=foo index=bar host=baz earliest=-5m
There is a list of relative time modifiers that details all the options.
Note: This technique will create a notification to the user that the time range picker was overridden.
You can use inline time modifiers. For example, to search from 2 days ago until 1 day ago, you can use this inline with your other search terms:
sourcetype=foo earliest=-2d@d latest=-1d@d|other_commands
You can read more on Time Modifiers here: http://docs.splunk.com/Documentation/Splunk/5.0/SearchReference/SearchTimeModifiers
You can use the earliest and latest keywords in your search (they have to be before the first pipe | character) to change the time range. This doesn't update the shown label of the time range picker, though.
See here for more information.
Heh, this one was a foot race!
darn you! 😄
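Added example, not part of the original answers: a small Python sketch that works out which window the inline modifiers in the searches above select, handy when checking how much of a log timeline a saved search really covers. The names resolve and search_window are hypothetical, only the s/m/h/d units are handled, and the "now" value is a constructed naive timestamp.

```python
import re
from datetime import datetime, timedelta

# Subset of relative time units handled by this sketch (assumption: s, m, h, d only).
_UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}
# Fields reset when snapping to the start of a unit with "@unit".
_SNAP = {
    "s": dict(microsecond=0),
    "m": dict(second=0, microsecond=0),
    "h": dict(minute=0, second=0, microsecond=0),
    "d": dict(hour=0, minute=0, second=0, microsecond=0),
}
_MODIFIER = re.compile(r"^(?:([+-])(\d+)([smhd]))?(?:@([smhd]))?$")

def resolve(modifier, now):
    """Resolve a modifier such as '-5m', '@d' or '-2d@d' against `now`."""
    if modifier == "now":
        return now
    m = _MODIFIER.match(modifier)
    if not modifier or not m:
        raise ValueError("unsupported time modifier: %r" % modifier)
    sign, count, unit, snap = m.groups()
    t = now
    if unit:  # apply the offset first ...
        delta = timedelta(**{_UNITS[unit]: int(count)})
        t = t + delta if sign == "+" else t - delta
    if snap:  # ... then snap down to the start of the unit
        t = t.replace(**_SNAP[snap])
    return t

def search_window(search, now):
    """Return (earliest, latest) set inline before the first pipe.

    A value of None means that bound is not overridden in the search string.
    Quoted pipes inside string literals are not handled by this sketch.
    """
    base = search.split("|", 1)[0]  # modifiers after the first pipe are ignored
    found = dict(re.findall(r"\b(earliest|latest)=(\S+)", base))
    earliest = resolve(found["earliest"], now) if "earliest" in found else None
    latest = resolve(found["latest"], now) if "latest" in found else None
    return earliest, latest

if __name__ == "__main__":
    now = datetime(2024, 3, 15, 14, 37, 20)  # constructed sample "now"
    for s in ("sourcetype=foo index=bar host=baz earliest=-5m",
              "sourcetype=foo earliest=-2d@d latest=-1d@d|other_commands"):
        print(s, "->", search_window(s, now))
```

With the second search, the window is the whole of the day before yesterday: midnight two days ago up to midnight one day ago.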