addinfo
Description
Adds fields to each record containing general search information: the start and end time boundaries of the search, the start time of the execution, and its ID.
Syntax
| addinfo
| Field | Description |
|---|---|
info_min_time | The start time boundary of the search. |
info_max_time | The end time boundary of the search. |
info_search_time | The start time of the search. |
info_sid | The search ID. |
Using the Command in Job Scheduler Queries
The info_max_time and info_min_time fields returned by the addinfo command are interpreted differently depending on the context:
Standard Query: Returns absolute timestamps (UTC), indicating the actual time boundaries of the search query.
info_max_time 2025-09-08T14:13:41Z
info_min_time 2025-09-07T14:13:41Z
info_search_time 2025-09-08T14:13:41.439Z
Query in Job Scheduler: The fields contain relative time expressions.
info_max_time now
info_min_time now-15m
info_search_time 2025-09-08 17:08:02 +03:00
Examples
Example 1
In the minimal version, the command adds service fields info_min_time, info_max_time, info_search_time and info_sid to each event.
source server_warnings
| addinfo
Example 2
In this example, the service time fields are immediately renamed to shorter field names start and end.
source server_warnings
| addinfo
| rename info_min_time as start, info_max_time as end
Example 3
In this example, values from info_min_time and info_max_time are copied to new fields through eval.
source server_warnings
| addinfo
| eval start = info_min_time, end = info_max_time