Search Relative Time to Query Execution

Writing a query that is executed against a time range relative to when the query is executed

Query

```logscale
test(@timestamp < (start() + (30*24*60*60*1000)))
```

Introduction

The start() function can be used in a query that executes against a time range relative to when the query is executed.

Step-by-Step

  1. Starting with the source repository events.

  2. Filter the events (diagram: Events -> Filter Function -> Result Set).

     ```logscale
     test(@timestamp < (start() + (30*24*60*60*1000)))
     ```

     Tests whether the @timestamp of an event is less than the start time of the query plus 30 days. The query start time, in milliseconds, is returned by the start() function. To express the relative time, we add an explicit number of milliseconds, calculated as the number of milliseconds in the specified number of days, in this case 30 (30 days x 24 hours x 60 minutes x 60 seconds x 1000 milliseconds).

  3. Event Result set.

Summary and Results

The query is a practical way of searching with a time range relative to the query execution. The 30 days (and its calculation) used in the example can be replaced with any time calculation to achieve the required result.