In order to establish the search timeframe for Splunk there are 3 options that I know of.
1. Use the dropdown to the right of the Search box to choose pre-determined or custom timeframes.
2. After searching use the hit graph to select a new timeframe and zoom-in or zoom-out the timeframe.
3. Use the search parameters "earliest", "latest", or "now" for the search timeframe.
Options 1 and 2 are the most user-friendly way to select the timeframe, but option 3 is the best way to share a timeframe when passing Splunk queries to others. The problem is that most users will select their timeframe with the GUI options (1 and 2) but then they need to go through some effort to insert the timeframe into their query if they want to share it.
Improvement Suggestion:
We need to add a quick link, button, or other trigger that will take the current timeframe of the search and enter it into the search string. For example I might use the time dropdown to select the last 24 hours, which might be from the current time of 7/12/2012 11:00:00 to 7/11/2012 11:00:00. Then I want to share this search with a friend so I click the handy time-insert link and the text earliest="7/11/2012:11:00:00" to latest="7/12/2012 11:00:00" is inserted into my search string permanently framing my search timeframe.
Splunk already does this for search results. Click something in the search results and it is added and researched immediately. Splunk should be able to do the same for the timeframe.
Benefits:
This will definitely save Splunk users a significant amount of time. Even if you have a saved string with "earliest" and "latest" times already saved off you still have to fumble around for about 30 seconds or more finding it, copy/pasting, and editing your time for a new search. Otherwise people are sending queries without a timeframe included and there are multiple communication minutes lost going back and forth to get the correct timeframe across to the users.
Estimated Hours/Month Savings per Individual:
Hard to estimate, but several minutes per user of Splunk must be high.
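Until such a button exists, the same pinning can be scripted outside Splunk before a query is shared, for example in an incident hand-off. This is an added example, not part of the original post or of Splunk itself: `pin_timeframe` and its helper are hypothetical names, and the sample query is constructed.

```python
import re
from datetime import datetime, timedelta

# Default Splunk format for absolute earliest/latest values.
SPLUNK_TIME_FORMAT = "%m/%d/%Y:%H:%M:%S"

# An existing earliest=/latest= modifier, quoted or bare (e.g. earliest=-24h).
_TIME_MODIFIER = re.compile(r'\s*\b(?:earliest|latest)\s*=\s*(?:"[^"]*"|\S+)', re.IGNORECASE)


def _split_first_command(query):
    """Split at the first pipe that is not inside a double-quoted string."""
    in_quotes = escaped = False
    for i, ch in enumerate(query):
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
        elif ch == "|" and not in_quotes:
            return query[:i], query[i:]
    return query, ""


def pin_timeframe(query, earliest, latest):
    """Return the query with an explicit time window in its first search command."""
    if earliest >= latest:
        raise ValueError("earliest must be before latest")
    head, rest = _split_first_command(query)
    # Drop any relative or stale window so the shared query has exactly one.
    head = _TIME_MODIFIER.sub("", head).strip()
    if not head:
        raise ValueError("query starts with a pipe; only plain searches are handled")
    window = 'earliest="{}" latest="{}"'.format(
        earliest.strftime(SPLUNK_TIME_FORMAT), latest.strftime(SPLUNK_TIME_FORMAT))
    pinned = "{} {}".format(head, window)
    return "{} {}".format(pinned, rest) if rest else pinned


if __name__ == "__main__":
    # Constructed sample: the "last 24 hours" window from the post.
    now = datetime(2012, 7, 12, 11, 0, 0)
    sample = 'index=web status=500 earliest=-24h uri="/a|b" | stats count by host'
    print(pin_timeframe(sample, now - timedelta(hours=24), now))
```

The timestamps are written without a time zone, so sender and recipient need to agree on one when the query crosses time zones.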