between
Description
The between keyword specifies the time range over which a query on logs or spans operates.
The between keyword accepts any time expression, provided the expression evaluates to a value of type timestamp.
Syntax
source (logs|spans) between <time-expression> and <time-expression>
Example 1
The between keyword allows users to scope their query to a specific time range. The simplest example of this is to use two timestamp literals:
Example query
source spans between @'2024-10-14T00:00:00Z' and @'2024-10-15T00:00:00Z'
Example 2
The between keyword works well with the $p JSON prefix, which contains the time range selected in the UI. For example, suppose we have a dashboard that operates over the last 24 hours, and we wish to compare it to the 24 hours before that. We can do this using the between keyword and timestamp expressions that shift both ends of the UI time range back by 24 hours:
Example query
source logs between $p.timeRange.startTime - 24h and $p.timeRange.endTime - 24h
Example 3
Using the between keyword, we can pin a query to a timeframe relative to the current time, regardless of the time range selected in the dashboard. This query always returns data from the past 24 hours, no matter what the time range is set to.
Example query
source logs between @'now' - 24h and @'now'
@'now' is a timestamp literal for the current time.
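The following is an added example, not part of the original documentation: a Python helper for scripts that must query an exact window (for instance around an alert), rendering timezone-aware datetimes as the UTC timestamp literals shown in Example 1 and building the between clause, plus the preceding equal-length window for comparison. The function names and the rejection of naive timestamps and inverted ranges are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

SOURCES = {"logs", "spans"}  # the two sources named in the Syntax section


def ts_literal(dt: datetime) -> str:
    """Render an aware datetime as a literal like @'2024-10-14T00:00:00Z'."""
    if dt.tzinfo is None or dt.utcoffset() is None:
        # A naive datetime names no definite instant; guessing a zone
        # would silently shift the queried window.
        raise ValueError("timestamp must be timezone-aware")
    utc = dt.astimezone(timezone.utc).replace(microsecond=0)
    return "@'" + utc.strftime("%Y-%m-%dT%H:%M:%SZ") + "'"


def between_query(source: str, start: datetime, end: datetime) -> str:
    """Build `source <logs|spans> between <start> and <end>`."""
    if source not in SOURCES:
        # Allow-list the source so arbitrary text never reaches the query.
        raise ValueError(f"unsupported source: {source!r}")
    # Render first: this rejects naive values before they are compared.
    start_lit, end_lit = ts_literal(start), ts_literal(end)
    if start >= end:
        # Assumption of this example: an empty or inverted window is an error.
        raise ValueError("start must be earlier than end")
    return f"source {source} between {start_lit} and {end_lit}"


def previous_window(start: datetime, end: datetime) -> tuple[datetime, datetime]:
    """Return the equal-length window that ends where the given one starts."""
    length = end - start
    return start - length, start


if __name__ == "__main__":
    # Constructed sample: a window reported in UTC+02:00.
    tz = timezone(timedelta(hours=2))
    start = datetime(2024, 10, 14, 2, 0, tzinfo=tz)
    end = datetime(2024, 10, 15, 2, 0, tzinfo=tz)
    print(between_query("spans", start, end))
    print(between_query("spans", *previous_window(start, end)))
```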