Conditionally Count Logs Before and After 1 Hour Ago

Problem / use case

You want to compare how many logs occurred in the last hour versus earlier. This helps validate time-based patterns, throttling, or backlogs.

Query

source logs 
| countby if(timestamp > now() - 1h, "last_hour", "older")

Expected output

_expr0      _count
older       256305608
last_hour   31830

Note

If your timestamp is stored as a string in ISO 8601 format, cast it to a proper timestamp using timestamp:timestamp before performing time arithmetic; comparing a string against now() - 1h will not give a chronological result. Two properties of the expression itself are worth keeping in mind when reading the counts: the comparison is strict, so an event exactly one hour old falls into "older", and there is no upper bound, so events with timestamps later than now() (clock skew, a mis-parsed timezone) are counted under "last_hour" rather than flagged. now() is evaluated when the query runs, so the cutoff moves with each execution.

Variations

  • Swap 1h for 30m, 6h, or 1d to shift the time cutoff.
  • Replace timestamp with any timestamp-related field like event_time, created_at, etc.
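The bucketing the query performs, reimplemented in Python over a handful of constructed log records so the edge cases can be checked offline. This is an added example, not code from the page or from the query engine it documents: it mirrors the string-to-timestamp cast from the Note, accepts the cutoff shorthand from the Variations list ("30m", "1h", "6h", "1d"), and, unlike the page's query, counts records whose timestamp is missing or unparsable under a separate "unparsed" bucket instead of dropping them. The records, the fixed reference time and the helper names (to_timestamp, parse_window, count_by_window) are all assumptions made for the example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample records (not real data): a mix of ISO 8601 strings,
# datetime objects, and one record with no timestamp field at all.
SAMPLE_LOGS = [
    {"timestamp": "2024-05-01T11:55:00Z", "msg": "login ok"},
    {"timestamp": "2024-05-01T11:30:15+00:00", "msg": "login failed"},
    {"timestamp": "2024-05-01T09:00:00Z", "msg": "cron run"},
    {"timestamp": datetime(2024, 5, 1, 10, 59, 59, tzinfo=timezone.utc), "msg": "1s older than the 1h cutoff"},
    {"timestamp": datetime(2024, 5, 1, 11, 0, 0, tzinfo=timezone.utc), "msg": "exactly at the 1h cutoff"},
    {"timestamp": "2024-05-01T12:05:00Z", "msg": "clock skew: 5 min in the future"},
    {"msg": "no timestamp field"},
]

# Assumed reference time; the page's now() is the query's wall clock instead.
FIXED_NOW = "2024-05-01T12:00:00Z"


def to_timestamp(value):
    """Cast a field to an aware datetime, in the spirit of the page's timestamp:timestamp cast.

    Accepts datetime objects, epoch seconds, and ISO 8601 strings (trailing 'Z' or
    an explicit offset). Returns None when the value is missing or does not parse.
    """
    if isinstance(value, datetime):
        ts = value
    elif isinstance(value, (int, float)):
        ts = datetime.fromtimestamp(value, tz=timezone.utc)
    elif isinstance(value, str):
        try:
            # fromisoformat() only accepts 'Z' on Python 3.11+; normalize it first.
            ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            return None
    else:
        return None
    # Assumption: naive timestamps are UTC. Real pipelines should not guess this.
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    return ts


def parse_window(spec):
    """Parse the cutoff shorthand used on the page ('30m', '1h', '6h', '1d') into a timedelta."""
    units = {"s": 1, "m": 60, "h": 3600, "d": 86400}
    m = re.fullmatch(r"(\d+)([smhd])", spec)
    if not m:
        raise ValueError(f"unsupported window spec: {spec!r}")
    return timedelta(seconds=int(m.group(1)) * units[m.group(2)])


def count_by_window(logs, window="1h", now=None, field="timestamp"):
    """Equivalent of `countby if(<field> > now() - <window>, "last_hour", "older")`.

    The comparison is strict and has no upper bound, exactly like the query: a record
    at the cutoff instant lands in "older", a future-dated record in "last_hour".
    Records whose timestamp cannot be cast go to "unparsed" so they stay visible.
    """
    reference = to_timestamp(now) if now is not None else datetime.now(timezone.utc)
    cutoff = reference - parse_window(window)
    counts = Counter()
    for record in logs:
        ts = to_timestamp(record.get(field))
        if ts is None:
            counts["unparsed"] += 1
        elif ts > cutoff:
            counts["last_hour"] += 1
        else:
            counts["older"] += 1
    return dict(counts)


if __name__ == "__main__":
    for spec in ("30m", "1h", "6h"):
        print(spec, count_by_window(SAMPLE_LOGS, spec, now=FIXED_NOW))
```

With the 1h window and the fixed reference time the result is {"last_hour": 3, "older": 3, "unparsed": 1}: the 12:05 record is counted as "last_hour" even though it is in the future, and the record stamped exactly 11:00:00 is "older", which is what the page's expression does too. Widening the window to 6h moves every parsable record into "last_hour"; the bucket name is kept for parity with the page even though it no longer describes the window.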

TL;DR

Use if(timestamp > now() - 1h, ...) inside countby to bucket logs into time-based groups. Perfect for detecting bursts or delays.