Assign the start of the search time interval to the field provided by parameter as.

The time is represented as milliseconds since January 1, 1970 (UTC). In live queries (where the search time interval is forever moving), start() is the current time minus the width of the search interval.

Note

The parser does not have a search interval; therefore, it does not make sense to use the start() query function here.

| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
| as[a] | string | optional[b] | _start | Name of output field. |

[a] The argument name as can be omitted.

[b] Optional parameters use their default value unless explicitly set.

Omitted Argument Names

The argument name for as can be omitted; the following forms of this function are equivalent:

logscale
start("_start")

and:

logscale
start(as="_start")

These examples show basic structure only; full examples are provided below.

start() Examples

Assign s the value of start():

logscale
s := start()

Use start() in an assignment:

logscale
isOld := (@timestamp - start()) < 1000

Search Relative Time to Query Execution

Query
logscale
test(@timestamp < (start() + (30*24*60*60*1000)))
Introduction

If you want to be able to execute a query that executes against a time range relative to when the query is executed, for example,

Step-by-Step
  1. Starting with the source repository events

  2. Tests whether the @timestamp for an event is less than the start time of the query plus 30 days. The query start time is returned by the start() function. To work out the relative time, we add an explicit number of milliseconds, calculated from the specified number of days, in this case 30.

    logscale
    test(@timestamp < (start() + (30*24*60*60*1000)))
  3. Event Result set

Summary and Results

The query is a practical way of querying with a relative time from the query execution. The 30 days (and calculation) used in the example could be updated with any time calculation to achieve the required result.
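
The same start()-relative arithmetic can split a search interval into a baseline period and a later period, which is useful for first-seen style detections. The following is an added example, not part of the original documentation; the field user.name and the 7-day baseline are assumptions chosen for illustration:

```logscale
// Added example (constructed): list users whose earliest event in the
// search interval occurs after the first 7 days of that interval,
// i.e. users that were not seen during the baseline period.
// user.name is an assumed field name; replace it with a field in your data.

// Earliest event time per user, in milliseconds since the epoch (UTC)
groupBy(user.name, function=min(@timestamp, as=firstSeen))

// End of the baseline: start of the search interval plus 7 days in milliseconds
| baselineEnd := start() + (7*24*60*60*1000)

// Keep only users first seen at or after the end of the baseline
| test(firstSeen >= baselineEnd)

// Human-readable first-seen time for the result table
| firstSeenText := formatTime("%Y-%m-%d %H:%M:%S", field=firstSeen, timezone="UTC")
```

For the baseline to be meaningful, the search interval must be wider than 7 days; in a live query the baseline moves forward with start().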