NQL time_elapsed()

The time_elapsed() function calculates the time elapsed since an event. The function returns the values in seconds.

Use this function with a field of datetime data type, for example:

the last_seen field from the devices table
time from the device_performance.boots table

Using with the ‘where’ clause

Use the time_elapsed() function in a where clause.

Example:

Retrieve the list of devices where the last operating system update was more than 15 days ago.

devices
| where operating_system.last_update.time_elapsed() > 15d

Using with the ‘list’ clause

Use the time_elapsed() function in a list clause.

Example:

List devices and the time elapsed from their last startup.

devices
| include device_performance.boots
| where type == fast_startup
| compute last_fast_startup_time = time.last()
| list name, last_fast_startup_time.time_elapsed()

Name

Last fast startup time → time elapsed

device-10d267d2

1w 0d 1h 8min 22s 0ms

device-d1d5abc9

17h 38min 22s 0ms

device-5117c4c3

3w 1d 10h 33min 8s 0ms

device-16834449

57min 18s 0ms

…

Using with the ‘compute’ clause

Use the time_elapsed() function in a compute clause.

Example:

List devices and the time elapsed from their last startup. Applying chaining of functions (call multiple functions on the same field).

devices
| include device_performance.boots
| where type == fast_startup
| compute time_since_last_fast_startup = time.last().time_elapsed()

Last updated 1 year ago

Was this helpful?

hashtagUsing with the ‘where’ clause

hashtagUsing with the ‘list’ clause

hashtagUsing with the ‘compute’ clause

Using with the ‘where’ clause

Using with the ‘list’ clause

Using with the ‘compute’ clause