Using DataPrime to track time and durations

Goal

By the end of this guide, you should be able to compute durations between timestamps, add or subtract time intervals, and format those durations for display using functions like now, diffTime, addTime, and formatInterval.

Why it matters

Time is one of the most critical dimensions in log analysis. Whether you're debugging latency issues, monitoring job runtimes, or visualizing trends over time, being able to work with time accurately is essential. This guide shows you how to transform raw timestamps into meaningful durations and formatted outputs using DataPrime’s built-in time functions.

Getting the current time with now()

The now() function returns the current time at the moment of query execution. This is useful when you want to compute time elapsed since a log was generated.

source logs
| create query_time from now()
| choose query_time

This adds a new field called query_time, which is a timestamp in nanoseconds. For example:

{
    "query_time": 1728764342873000000
}

Because now() always returns the same value across the entire query, it’s safe to use it multiple times without worrying about inconsistencies in timing.

Time arithmetic

DataPrime supports rich time arithmetic across two native types: timestamp and interval. You can subtract timestamps to get durations, add intervals to shift time, round timestamps into buckets, and more. These operations form the foundation for latency tracking, scheduling, and real-time alerting.

The table below summarizes the supported operations and what type of value they return:

Expression	Description	Result type
timestamp - timestamp	Calculates the duration between two events	interval
timestamp + interval	Shifts a timestamp forward by a time interval	timestamp
timestamp - interval	Shifts a timestamp backward by a time interval	timestamp
timestamp / interval	Rounds down a timestamp into fixed-size time buckets	timestamp
interval + interval	Adds two durations together	interval
interval - interval	Subtracts one duration from another	interval
interval * number	Scales an interval by a numeric factor	interval

Examples

Measure how long something took

source spans
| create latency from endTime - startTime
| choose latency, duration

We can see the duration of the span is exactly the same as endTime - startTime

{
duration:21255
latency:21255
}

Add a 5-minute timeout to a start time

create timeout_at from startTime:timestamp + 5.toInterval('m')

Calculate time remaining in a fixed window

create time_remaining from (startTime:timestamp + 10.toInterval('m')) - now()

Scale a processing estimate based on queue length

source spans 
| create total_estimate from duration.toInterval('s') * 5

Round timestamps into 1-hour buckets

create hour_bucket from $m.timestamp / 1.toInterval('h')

Calculating durations with diffTime

To compute how much time has passed between two timestamps, use the diffTime(to, from) function. The result is an interval, not a raw number. Intervals are first-class types in DataPrime and can be formatted, compared, or manipulated like other values.

source logs
| create time_since_event from diffTime(now(), $m.timestamp)
| choose time_since_event

This creates a field like "time_since_event": 13s353ms795us735ns, indicating how long ago the timestamp occurred.

Keep in mind:

• If to is before from, the result will be negative.
• This makes it useful for tracking delays, timeouts, or late arrivals in real-time systems.

Adding durations to timestamps with addTime

In many workflows, you know the start time and the expected duration of an operation. You can use addTime to compute when something is supposed to end.

source spans
| create expected_end_time from addTime($m.timestamp, duration.toInterval('s'))
| choose expected_end_time

This expression adds a duration (converted to an interval) to a timestamp. The result is a new timestamp representing the end of a process or timeout window.

This is commonly used in:

• Tracking ETL pipeline steps.
• Predicting SLA deadlines.
• Annotating logs with estimated job end times.

Formatting durations with formatInterval

Intervals in DataPrime are powerful but not always easy to read in raw form. Intervals are displayed in human-readable formats, such as such as "300s" or "2m30s". The formatInterval function converts an interval into a uniform unit.

source spans
| create duration_ns from formatInterval(duration:interval , 'ns')
| choose duration_ns

This renders duration_ns strictly as a nanosecond instead of multiple units like "1m2s30ns"

{
duration_ms:1935ns
}
{
duration_ms:6475ns
}
{
duration_ms:12359ns
}

You can control the unit using the optional second argument: 'second', 'minute', 'hour', etc.

This is helpful when displaying results in dashboards or alerts, where clear units matter.

Formatting timestamps with formatTimestamp

To convert a timestamp into a formatted string (such as a date or time), use formatTimestamp. You can choose from common formats or supply a custom one using strftime-style directives.

source logs 
| create readable_time from formatTimestamp(now(), '%F %H:%M:%S')

This would output a string like "2025-07-30 16:43:22".

Other formatting options include:

• '%Y-%m-%d' — for just the date.
• '%H:%M' — for just the hour and minute.
• 'timestamp_milli' — for a 13-digit epoch value.
• 'iso8601' — the default format (e.g., 2025-07-30T16:43:22.123Z).

This is especially useful when joining with third-party systems, generating readable reports, or displaying timestamps in dashboards.

For the full format chart, see: Specifying Timestamp Formats

Common pitfalls or gotchas

• Direction matters in diffTime — if to < from, you’ll get a negative interval.
• Always use .toInterval('s') or similar when your duration field is a number.
• formatInterval does not cascade across units. It shows only the specified unit (e.g., 300s, not 5m0s).
• Double check the output type when doing time-based arithmetic