Timeslice Join Results

When you gather data using a join operator, you can slice data by time period using the timeslice operator.

Syntax

The timeslice operator uses the metadata field _messagetime to organize the logs by slices. In your query, you need to specify the timeslice operator before the join, because the _messagetime field will no longer exist after the join is performed.

When you add the timeslice before the join, each of the tables created by the join will include a _timeslice field.

You can reference the table's _timeslice field to use in your group by operation. The name of the table is appended to the table's fields.

Examples

Join stream events by timeslice

If your table is named errors, your field would be errors__timeslice. (Notice that the name contains two underscores.)

*
| timeslice 1h
| join
(parse "starting stream from * " AS streamId) AS table1,
(parse "starting search from parent stream * " AS streamId) AS table2
on table1.streamId = table2.streamId
| count table1_streamId, table1__timeslice
| formatDate(fromMillis(table1__timeslice ), "MM/dd/yyyy HH:mm:ss z") as timeslice

_sourceCategory=auth
| timeslice 15m
| join
(parse "user=* logged in" as user) as logins,
(parse "user=* logged out" as user) as logouts
on logins.user = logouts.user
| count logins_user, logins__timeslice

Syntax​

Examples​

Join stream events by timeslice​

Join login and logout events by 15-minute intervals​

Syntax

Examples

Join stream events by timeslice

Join login and logout events by 15-minute intervals