# Conditionally count logs before and after 1 hour ago

## Problem / Use case

You want to compare how many logs occurred in the last hour versus earlier. This helps validate time-based patterns, throttling, or backlogs.

## Query

```dataprime
source logs 
| countby if($m.timestamp > now() - 1h, 'last_hour', 'older')
```

## Expected output

| \_expr0   | \_count   |
| --------- | --------- |
| older     | 256305608 |
| last_hour | 31830     |

Note: If your timestamp is stored as a string in ISO 8601 format, cast it to a proper timestamp using `timestamp:timestamp` before performing time arithmetic.

## Variations

- Swap `1h` for `30m`, `6h`, or `1d` to shift the time cutoff.
- Replace `timestamp` with any timestamp-related field like `event_time`, `created_at`, etc.
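
To cross-check the query's counts against an exported sample of logs, the same bucketing can be reproduced offline. The Python below is an added example, not part of the original page or of DataPrime. It parses ISO 8601 strings into real timestamps before comparing them, and includes a plain string comparison to show how mixed UTC offsets get misbucketed without that step. The function names, the sample records, and the rule that offset-less values are UTC are assumptions made for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone


def parse_iso8601(value):
    """Parse an ISO 8601 string into an aware UTC datetime."""
    # fromisoformat() before Python 3.11 rejects a trailing 'Z', so normalise it.
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    ts = datetime.fromisoformat(value)
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)  # assumption: naive values are UTC
    return ts.astimezone(timezone.utc)


def count_by_cutoff(records, now, window=timedelta(hours=1), field="timestamp"):
    """Bucket records as 'last_hour' or 'older' relative to now - window."""
    cutoff = now - window
    counts = Counter()
    for rec in records:
        bucket = "last_hour" if parse_iso8601(rec[field]) > cutoff else "older"
        counts[bucket] += 1
    return dict(counts)


def count_by_string_compare(records, now, window=timedelta(hours=1), field="timestamp"):
    """Same bucketing done on the raw strings, kept only to show the failure."""
    cutoff = (now - window).isoformat()
    counts = Counter()
    for rec in records:
        counts["last_hour" if rec[field] > cutoff else "older"] += 1
    return dict(counts)


# Constructed sample: the clock is fixed so the result is reproducible.
NOW = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE = [
    {"timestamp": "2024-05-01T11:30:00Z"},       # 11:30 UTC
    {"timestamp": "2024-05-01T13:30:00+02:00"},  # 11:30 UTC
    {"timestamp": "2024-05-01T06:45:00-05:00"},  # 11:45 UTC, sorts as "early"
    {"timestamp": "2024-05-01T09:00:00Z"},       # 09:00 UTC
    {"timestamp": "2024-04-30T23:59:59Z"},       # previous day
]

if __name__ == "__main__":
    print("parsed:", count_by_cutoff(SAMPLE, NOW))
    print("string:", count_by_string_compare(SAMPLE, NOW))
```

Pass a different `window` (for example `timedelta(hours=6)`) or `field` to mirror the variations listed above.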

## TL;DR

Use `if(timestamp > now() - 1h, ...)` inside `countby` to bucket logs into time-based groups. Perfect for detecting bursts or delays.
