Search Relative Time to Query Execution
Writing a query that is executed against a time range relative to when the query is executed
Query
test(@timestamp < (start() + (30*24*60*60*1000)))
Introduction
The start() function can be used in a query that executes against a time range relative to when the query is executed.
Step-by-Step
Starting with the source repository events.
[Diagram: Events -> Filter Function -> Result Set]
test(@timestamp < (start() + (30*24*60*60*1000)))
Tests whether the @timestamp of an event is less than the query start time plus an offset. The query start time is returned by the start() function, as milliseconds since the epoch. To work out the relative time, we add an explicit number of milliseconds, calculated as the number of milliseconds in the specified number of days, in this case 30 (30*24*60*60*1000). The events that pass the test form the result set.
Summary and Results
The query is a practical way of filtering on a time relative to the query execution. The 30 days (and the calculation) used in the example could be replaced with any time calculation to achieve the required result.
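The following is an added Python emulation of the query's semantics, not LogScale code from this page: start() is modelled as an epoch-millisecond value captured when the query runs, the events are constructed sample data, and the day offset is generalised so it may also be negative (a cutoff in the past), which the summary above says is possible by changing the calculation.

```python
from datetime import datetime, timezone

# The per-day factor in the query: 24*60*60*1000 milliseconds.
MS_PER_DAY = 24 * 60 * 60 * 1000


def relative_cutoff_ms(start_ms: int, days: int) -> int:
    """Emulates start() + (days*24*60*60*1000).

    start_ms stands in for what start() returns (epoch milliseconds);
    days may be negative to place the cutoff before the query start.
    """
    return start_ms + days * MS_PER_DAY


def filter_events(events, start_ms: int, days: int):
    """Emulates test(@timestamp < (start() + offset)) over a list of events.

    Each event is a dict with an "@timestamp" key in epoch milliseconds.
    The comparison is strict, so an event whose timestamp equals the
    cutoff is not part of the result set.
    """
    cutoff = relative_cutoff_ms(start_ms, days)
    return [e for e in events if e["@timestamp"] < cutoff]


def matching_ids(events, start_ms: int, days: int):
    """Convenience wrapper returning only the ids of the matching events."""
    return [e["id"] for e in filter_events(events, start_ms, days)]


# Constructed sample data: a query executed at 2024-01-01T00:00:00Z.
QUERY_START_MS = int(datetime(2024, 1, 1, tzinfo=timezone.utc).timestamp() * 1000)

SAMPLE_EVENTS = [
    {"id": "a", "@timestamp": QUERY_START_MS - 10 * MS_PER_DAY},  # 10 days before start
    {"id": "b", "@timestamp": QUERY_START_MS + 29 * MS_PER_DAY},  # 29 days after start
    {"id": "c", "@timestamp": QUERY_START_MS + 30 * MS_PER_DAY},  # exactly at the cutoff
    {"id": "d", "@timestamp": QUERY_START_MS + 31 * MS_PER_DAY},  # past the cutoff
]


if __name__ == "__main__":
    print(matching_ids(SAMPLE_EVENTS, QUERY_START_MS, 30))  # ['a', 'b']
    print(matching_ids(SAMPLE_EVENTS, QUERY_START_MS, -5))  # ['a']
```

Event "c" shows the boundary: with a strict less-than, an event stamped exactly 30 days after the query start is excluded.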