The reltime Splunk command is used to create a relative time field called reltime. It shows the time value in a format that humans can read, relative to current time. The time in reltime would appear as 2 hours ago, 3 days ago, 1 month ago, and so on.

The syntax for the reltime command is as follows:

… | reltime

Refer to the following example for better clarity:

index=_internal |reltime

As shown in the preceding screenshot, reltime creates a more user friendly and human readable format output of relative time, which can be used in analytics and visualizations.

The localize command is used to create a list of time ranges in which the results have occurred.

The syntax for the localize command is as follows:

localize maxpause

The maxpause parameter can be used to specify the maximum time between two consecutive events for a given time period. The default value for this parameter is 1 minute.

Mentioned as follows is an example of the localize command:

index=_internal |localize maxpause=5m

The preceding Splunk query will return all the events within a five minute time range.