Assign the start of the search time interval to the field provided by parameter as.
The time is represented as milliseconds since January 1, 1970 (UTC). In live queries (where the search time interval is forever moving), start() is the current time minus the width of the search interval.
Note
The parser does not have a search interval; therefore, it does not make sense to use the start() query function here.
Omitted Argument Names
The argument name for as can be omitted; the following forms of this function are equivalent:
start("value")
and:
start(as="value")
These examples show basic structure only.
start() Examples
Assign s the value of start():
s := start()
Use start() in an assignment:
isOld := (@timestamp - start()) < 1000
Search Relative Time to Query Execution
Writing a query that is executed against a time range relative to when the query is executed
Query
test(@timestamp < (start() + (30*24*60*60*1000)))
Introduction
The start() function can be used in a query that executes against a time range relative to when the query is executed.
Step-by-Step
Starting with the source repository events.
test(@timestamp < (start() + (30*24*60*60*1000)))
Tests whether the @timestamp for an event is earlier than 30 days after the start time of the query. The query start time is returned by the start() function. To work out the relative time, we add an explicit number of milliseconds, calculated as the number of milliseconds in the specified number of days, in this case 30.
Event Result set.
Summary and Results
The query is a practical way of querying with a relative time from the query execution. The 30 days (and calculation) used in the example could be updated with any time calculation to achieve the required result.