Assign the end of the search time interval to the field provided
by the as parameter.
The time is represented as milliseconds since January 1, 1970
(UTC). In live queries (where the search time interval is
forever moving), end() is equivalent to
now() — that is, the current time.
Note
The parser does not have a search interval; therefore, it does
not make sense to use the end() query
function here.
Assign End of Search Time Interval to Field - Example 1
Assign the end of the search time interval to a field using the end() function
Query
logscale
e:=end()
Introduction
In this example, the end() function is used to
assign the end of the search time interval to a field named
e.
Step-by-Step
Starting with the source repository events.
logscale
e:=end()
Assigns the value returned by end() to a
new field named e.
Event Result set.
Summary and Results
The query assigns the end of the search time interval to a
specified field. Assigning the end of the search time interval to a field is
useful when, for example, searching for security events. When running a
query, the events you are searching do not know the span of the search
(the system just returns the list of events in the given time
interval), but you might want to show the time of each event
timestamp relative to the search window. For example, if you search for a
set of events that happened yesterday and you are searching from
yesterday 00:00 to 23:59, you may want to calculate
'3 hours before' or even '2s before', because when searching for security
events that time difference may be important.
Assign End of Search Time Interval to Field - Example 2
Assign the end of the search time interval to a field using the end() function in a comparison
Query
logscale
isOld:=(end()-@timestamp)>1000
Introduction
In this example, end() is used to calculate the
difference between the end of the search interval and the @timestamp
field, to determine whether an event is "old" (more than 1000 milliseconds
old).
Step-by-Step
Starting with the source repository events.
logscale
isOld:=(end()-@timestamp)>1000
Calculates the end of the search interval minus the event timestamp,
tests whether that difference is greater than 1000, and assigns the
result (true or false) to a new field named
isOld.
In more detail: end() returns the end time of
the search interval. @timestamp is the timestamp
of the individual event. (end()-@timestamp) calculates
the difference between these two times, giving the age of the event
relative to the end of the search interval. This difference is
compared to 1000 milliseconds (1 second). If the
difference is greater than 1000 milliseconds,
isOld will be set to
true; otherwise, it will be
false.
Event Result set.
Summary and Results
The query is used to quickly identify events that are more than 1
second older than the end of the search interval. Assigning the end of the
search time interval to a field is useful when, for example, searching
for security events. When running a query, the events you are searching do
not know the span of the search (the system just returns the list of
events in the given time interval), but you might want to show the
time of each event timestamp relative to the search window. For
example, if you search for a set of events that happened yesterday and
you are searching from yesterday 00:00 to 23:59, you
may want to calculate '3 hours before' or even '2s before', because when
searching for security events that time difference may be important.
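The relative-time use case described in the summaries of Example 1 and Example 2, as an added example that is not part of the original page: each event's age is measured against the end of the search window, coarsely labelled, and then counted per label and per host. The host field name is an assumption; adjust it to the field your repository actually carries.

```logscale
// Added example, not from the page. Age of each event relative to the end
// of the search window, in milliseconds (end() equals now() in live queries).
ageMs := end() - @timestamp
// Coarse label for how far before the end of the window the event occurred.
| case {
    ageMs > 3600000 | age := "more than 1h before end";
    ageMs > 1000    | age := "1s to 1h before end";
    *               | age := "within 1s of end"
  }
// Count events per label and per host ("host" is an assumed field name).
| groupBy([age, host], function=count())
```

In a live query the labels shift as the window moves, so the "within 1s of end" bucket shows what arrived just before now().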