I might be overthinking this one, but since I've already used time--> ...| stats earliest(time) as firstseen, latest(time) as lastseen, ... |, is it possible to find the "currenttime"?
What I want to do is do something like ..| eval dayssince=(currenttime-last_seen)
Is this possible?
Are you looking for something like this?
...| eval dayssince=(now()-lastseen)
There are two eval functions for this, now() and time(). The major distinction is that now() will be stable over a long-running search while time() will yield a potentially new timestamp for every event/row/invocation... usually you'll want now() like this:
... | stats latest(_time) as last_seen | eval days_since = (now() - last_seen) / 86400 | eval duration_since = tostring(now() - last_seen, "duration")
I've included a fancy way of displaying a duration in days, hours, minutes, seconds and subseconds as well - see what you actually want and use that.
This is more towards what I am looking for! Is there a way to measure by day(s)? Here is a screenshot using your answer:
I'd like to be able to show something like "Today", 1 Day, or if greater than 1 , "x Days". Here is what I was thinking using the case function:
| eval dayssincelasttxn=case(dayssincelasttxn=0,"Today",dayssincelasttxn=1,"1 Day",dayssincelasttxn>1, dayssincelast_txn."[".Days."]")
This didn't work for me, but do you have any insight on rounding by number of days?
... | eval days_since = floor((now() - last_seen) / 86400) | eval days_since_pretty = case(days_since == 0, "Today", days_since == 1, "1 Day", days_since > 1, days_since . " Days")
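The following search is an added example, not part of any answer in this thread; it uses makeresults to build three constructed last_seen values (one hour, 25 hours and ten days ago, relative to now()) so the floor()-based day count and the "Today" / "1 Day" / "x Days" labelling from the answer above can be checked without any indexed data. The field names n and last_seen are assumptions chosen for the example.

```spl
| makeresults count=3
| streamstats count as n
| eval last_seen = case(n==1, now() - 3600, n==2, now() - 90000, n==3, now() - 864000)
| eval days_since = floor((now() - last_seen) / 86400)
| eval days_since_pretty = case(days_since == 0, "Today", days_since == 1, "1 Day", days_since > 1, days_since . " Days")
| eval duration_since = tostring(now() - last_seen, "duration")
| table n last_seen days_since days_since_pretty duration_since
```

Row 1 lands on "Today", row 2 on "1 Day" and row 3 on "10 Days". Note that floor() is what makes the 23-hour case count as "Today"; using round() instead would push anything past 12 hours into "1 Day", so pick the function that matches how you want a partial day to be reported.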
Pipe reltime to the original query, which creates a field reltime giving the time difference between now and _time in human readable form.