ago()
Subtracts time (years, months, weeks, days, hours, minutes, and seconds) from the current date time.
Syntax
ago("NUM{y|mon|w|d|h|m|s}")
Required Parameter
NUM{y|mon|w|d|h|m|s}
- Time in units of
y
(year),mon
(month),w
(week),d
(day),h
(hour),m
(minute), ands
(second).
Usage
This is an example based on 2019-04-26 14:31:21.
json "{}" | eval adjusted_time=ago("3d") => 2019-04-23 14:31:21
json "{}" | eval adjusted_time=ago("5m") => 2019-04-26 14:26:21
json "{}" | eval adjusted_time=ago("13h") => 2019-04-26 01:31:21
json "{}" | eval adjusted_time=ago("1y") => 2018-04-26 14:31:21