The start() function assigns a timestamp to an output field specified by the as parameter. This timestamp represents the beginning of the search time interval in milliseconds since January 1, 1970 (UTC).

For live queries (where the search time interval is forever moving), start() equals the current time minus the search interval.

For subqueries in defineTable() or joins, start() equals the start time of the subquery's search interval.

Note

The start() function is not compatible with parser operations because parsers do not use search intervals.

| Parameter | Type | Required | Default Value | Description |
|---|---|---|---|---|
| as[a] | string | optional[b] | _start | Name of output field. |

[a] The parameter name as can be omitted.

[b] Optional parameters use their default value unless explicitly set.

start() Syntax Examples

Assign s the value of start():

logscale
s := start()

Use start() in an assignment:

logscale
isOld := (@timestamp - start()) < 1000

start() Examples

Search Relative Time to Query Execution

Use the start() function to write a query that runs against a time range relative to when the query is executed

Query
logscale
test(@timestamp < (start() + (30*24*60*60*1000)))
Introduction

In this example, the start() function is used to test if the @timestamp field is less than (earlier than) the start time plus 30 days.

Step-by-Step
  1. Starting with the source repository events.

  2. logscale
    test(@timestamp < (start() + (30*24*60*60*1000)))

    Tests whether the @timestamp for an event is less than the start time of the query plus 30 days. The query start time is returned by the start() function.

    To work out the relative time, we add an explicit number of milliseconds, calculated from the specified number of days, in this case 30.

    Time calculation breakdown is as follows:

    30 (days)

    × 24 (hours)

    × 60 (minutes)

    × 60 (seconds)

    × 1000 (milliseconds)

    = 2,592,000,000 milliseconds (30 days)

  3. Event Result set.

Summary and Results

The query is used to filter events that occurred within the first 30 days after the start time.

The query is a practical way of querying with a relative time from the query execution. The 30 days (and calculation) used in the example could be updated with any time calculation to achieve the required result.
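The following added example (not part of the original documentation, and written in Python rather than LogScale) models the statement that a live query's start() equals the current time minus the search interval, and shows how the 30-day test above then selects different events as the window moves. The function names, the half-open interval bounds, and the sample events are assumptions made for illustration.

```python
# Added illustration: a Python model of start() semantics, not LogScale code.
DAY_MS = 24 * 60 * 60 * 1000  # milliseconds in one day


def live_interval(now_ms, interval_ms):
    """Search interval of a live query evaluated at now_ms.

    Models the documented rule: start() = current time - search interval.
    Returns (start, end) in milliseconds since the Unix epoch.
    """
    return now_ms - interval_ms, now_ms


def first_30_days(events, start, end):
    """Model of test(@timestamp < (start() + (30*24*60*60*1000))).

    Only events inside the search interval are considered. Treating the
    interval as start <= ts < end is an assumption of this model.
    """
    cutoff = start + 30 * DAY_MS
    return [eid for eid, ts in events if start <= ts < end and ts < cutoff]


# Constructed sample data: event id and @timestamp relative to T0.
T0 = 1_700_000_000_000
EVENTS = [
    ("a", T0 - 55 * DAY_MS),
    ("b", T0 - 35 * DAY_MS),
    ("c", T0 - 10 * DAY_MS),
]
INTERVAL = 60 * DAY_MS  # a 60-day search interval


def demo():
    """Evaluate the filter once as a static query and three times as a live one."""
    static = first_30_days(EVENTS, T0 - INTERVAL, T0)  # fixed interval
    live = [
        first_30_days(EVENTS, *live_interval(T0 + d * DAY_MS, INTERVAL))
        for d in (0, 10, 25)  # the same live query, re-evaluated later
    ]
    return static, live


if __name__ == "__main__":
    static, live = demo()
    print("static:", static)
    for days, ids in zip((0, 10, 25), live):
        print(f"live at T0+{days}d:", ids)
```

With a fixed interval the result never changes, while in the live case event "a" ages out of the window and event "c" later drops below the moving 30-day cutoff.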