Conditionally count logs before and after 1 hour ago

Problem / Use case

You want to compare how many logs occurred in the last hour versus earlier. This helps validate time-based patterns, throttling, or backlogs.

Query

source logs 
| countby if($m.timestamp > now() - 1h, 'last_hour', 'older')

Expected output

Variations

• Swap 1h for 30m, 6h, or 1d to shift the time cutoff.
• Replace timestamp with any timestamp-related field like event_time, created_at, etc.

TL;DR

Use if(timestamp > now() - 1h, ...) inside countby to bucket logs into time-based groups. Perfect for detecting bursts or delays.