V1 - Utility Functions - time-related functions
All the time-related functions below require timestamp=f("@timestamp") to be defined first.
strftime
Return the timestamp formatted according to the given format string.
- strftime(format, timestamp, <timezone>)
<timezone> is optional, e.g. "America/New_York", "GMT", "UTC"; an empty timezone means UTC.
timebucket
Round the timestamp down into buckets, either a given number of slots over the search range or buckets of a given length.
- timebucket("auto", timestamp): divide the search range into 40 slots
- timebucket("1h", timestamp): 1-hour buckets
- timebucket(100, timestamp): divide the search range into 100 slots
timenow
Return the current epoch time in milliseconds.
- timenow()
timerelative
Calculate a timestamp from a relative-time expression.
- timerelative($timestamp,"relative_time")
Example
An example that uses all the time-related functions above:
search {from="-8d@d", to="@d"}
let timestamp=f("@timestamp")
let Type=condition(timestamp>=timerelative(timenow(),"-1d@d"),"Yesterday","LastWeek")
timechart {span="1h"} count() by Type
let Hour=strftime("%H:%M",timebucket("1h", timestamp))
aggregate YesterdayCount=max(Yesterday), AvgCount=avg(LastWeek) by Hour
In this example, timerelative is used to determine whether a timestamp belongs to "Yesterday" (the timestamp is at or after timerelative(timenow(),"-1d@d"), i.e. the start of yesterday) or "LastWeek" (the timestamp is earlier than that boundary). Then timebucket divides the timestamps into units of length 1h, and each bucket is converted to the "%H:%M" format for presentation by strftime. It should be mentioned that, in the statement let Hour=strftime("%H:%M",timebucket("1h", timestamp)), the timebucket is not absolutely necessary, since we have already assigned the "%H:%M" format by strftime.
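To make the semantics of the example concrete, here is an added Python model of timerelative, timebucket and the Type/Hour columns of the query; it is not code from this page or from the product it documents. The relative-time grammar (a signed offset such as "-8d" followed by an optional "@unit" snap to the start of that unit), the epoch-aligned buckets and the sample times are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Relative-time grammar assumed from the expressions on this page ("-8d@d",
# "@d", "-1d@d"): optional signed offset, then optional "@unit" snap-to-start.
_UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}
_REL_RE = re.compile(r"^(?P<off>[+-]\d+[smhd])?(?:@(?P<snap>[smhd]))?$")
_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def _snap(ts, unit):
    """Truncate ts to the start of the unit named after '@'."""
    fields = {"d": ("hour", "minute", "second"), "h": ("minute", "second"),
              "m": ("second",), "s": ()}[unit]
    return ts.replace(microsecond=0, **{f: 0 for f in fields})

def timerelative(ts, text):
    """timerelative(ts, "-1d@d"): shift ts by the offset, then snap."""
    m = _REL_RE.match(text)
    if not m:
        raise ValueError(f"bad relative time: {text!r}")
    if m.group("off"):
        n, unit = int(m.group("off")[:-1]), m.group("off")[-1]
        ts += timedelta(**{_UNITS[unit]: n})
    if m.group("snap"):
        ts = _snap(ts, m.group("snap"))
    return ts

def timebucket(span, ts):
    """Round a UTC timestamp down to a bucket of fixed length, e.g. "1h"."""
    width = timedelta(**{_UNITS[span[-1]]: int(span[:-1])})
    return _EPOCH + (ts - _EPOCH) // width * width

def relative_iso(now_iso, text):
    """ISO string form of timerelative, for the boundaries used in the query."""
    return timerelative(datetime.fromisoformat(now_iso), text).isoformat()

def event_row(now_iso, ts_iso):
    """Type and Hour columns of the query above for one event (ISO 8601 input,
    constructed sample times; 'now' stands in for timenow())."""
    now, ts = datetime.fromisoformat(now_iso), datetime.fromisoformat(ts_iso)
    kind = "Yesterday" if ts >= timerelative(now, "-1d@d") else "LastWeek"
    return kind, timebucket("1h", ts).strftime("%H:%M")
```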