NQL time_elapsed()

The time_elapsed() function calculates the time elapsed since an event. The function returns the values in seconds.

Use this function with a field of datetime data type, for example:

the last_seen field from the devices table
time from the device_performance.boots table

The timeframe specified in your query does not restrict the values returned by the time_elapsed() function. For example, the following query retrieves only devices active in the past day, but the values returned by time_elapsed() may extend beyond that timeframe.

Using with the ‘where’ clause

Use the time_elapsed() function in a where clause.

Example:

Retrieve the list of devices where the last operating system update was more than 15 days ago.

devices
| where operating_system.last_update.time_elapsed() > 15d

Using with the ‘list’ clause

Use the time_elapsed() function in a list clause.

Example:

List devices and the time elapsed from their last startup.

devices
| include device_performance.boots
| where type == fast_startup
| compute last_fast_startup_time = time.last()
| list name, last_fast_startup_time.time_elapsed()

Name

Last fast startup time → time elapsed

device-10d267d2

1w 0d 1h 8min 22s 0ms

device-d1d5abc9

17h 38min 22s 0ms

device-5117c4c3

3w 1d 10h 33min 8s 0ms

device-16834449

57min 18s 0ms

…

Using with the ‘compute’ clause

Use the time_elapsed() function in a compute clause.

Example:

List devices and the time elapsed from their last startup. Applying chaining of functions (call multiple functions on the same field).

devices
| include device_performance.boots
| where type == fast_startup
| compute time_since_last_fast_startup = time.last().time_elapsed()

Last updated 5 months ago

Was this helpful?