addinfo
Description
Adds fields containing general information about the search to each record: the start and end time boundaries of the search, the time the search started executing, and the search ID.
Syntax
| addinfo
| Field | Description |
|---|---|
| info_min_time | The start time boundary of the search. |
| info_max_time | The end time boundary of the search. |
| info_search_time | The time the search started executing. |
| info_sid | The search ID. |
Using the Command in Task Scheduler Queries
The info_max_time and info_min_time fields returned by the addinfo command are interpreted differently depending on the context:
Standard Query: Returns absolute timestamps (UTC), indicating the actual time boundaries of the search query.
Example
info_max_time 2025-09-08T14:13:41Z
info_min_time 2025-09-07T14:13:41Z
info_search_time 2025-09-08T14:13:41.439Z
Query in Task Scheduler: The fields contain relative time expressions (resolved at each scheduled run rather than fixed timestamps), and info_search_time is returned with a UTC offset instead of a Z-suffixed UTC timestamp.
Example
info_max_time now
info_min_time now-15m
info_search_time 2025-09-08 17:08:02 +03:00
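Because the boundaries come back in two different shapes, anything that consumes addinfo output (an export, an alert, an audit record) has to normalise them before comparing or storing them. The following Python helper is an added example and is not part of this page or the product: it resolves both absolute timestamps and relative expressions to UTC datetimes. It assumes a minimal relative grammar (`now`, optionally followed by `+` or `-` and a number of s/m/h/d) extrapolated from the two forms shown above, assumes that a timestamp without an offset is UTC, and runs on constructed records built from the examples on this page.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, Tuple

# Relative grammar: "now" optionally followed by +/-<N><unit>.
# Only "now" and "now-15m" appear on the page; accepting s/h/d as well
# is an assumption for illustration, not the product's documented syntax.
_RELATIVE = re.compile(r"^now(?:([+-])(\d+)([smhd]))?$")
_UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}


def parse_absolute(value: str) -> datetime:
    """Parse an absolute timestamp in either shape seen on the page:
    '2025-09-08T14:13:41.439Z' (standard query) or
    '2025-09-08 17:08:02 +03:00' (scheduled task)."""
    v = value.strip()
    if v.endswith("Z"):                                   # 'Z' suffix: explicit UTC
        v = v[:-1] + "+00:00"
    v = re.sub(r"\s+([+-]\d{2}:\d{2})$", r"\1", v)        # drop the space before the offset
    dt = datetime.fromisoformat(v)                        # accepts 'T' or ' ' as separator
    if dt.tzinfo is None:                                 # assumption: naive means UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def resolve_boundary(value: str, search_time: datetime) -> datetime:
    """Turn info_min_time / info_max_time into an absolute UTC datetime.
    Relative expressions are evaluated against the moment the search
    started (info_search_time), which is what a scheduled run sees."""
    v = value.strip()
    m = _RELATIVE.match(v)
    if m is None:
        return parse_absolute(v)
    sign, amount, unit = m.groups()
    base = search_time.astimezone(timezone.utc)
    if sign is None:                                      # plain "now"
        return base
    delta = timedelta(**{_UNITS[unit]: int(amount)})
    return base + delta if sign == "+" else base - delta


def search_window(record: Dict[str, str]) -> Tuple[datetime, datetime]:
    """Return (start, end) in UTC for one addinfo-enriched record,
    regardless of whether it came from an ad-hoc or a scheduled search."""
    search_time = parse_absolute(record["info_search_time"])
    start = resolve_boundary(record["info_min_time"], search_time)
    end = resolve_boundary(record["info_max_time"], search_time)
    if start > end:
        raise ValueError(f"inverted search window: {start} > {end}")
    return start, end


# Constructed records, built from the two examples on this page.
STANDARD_RECORD = {
    "info_min_time": "2025-09-07T14:13:41Z",
    "info_max_time": "2025-09-08T14:13:41Z",
    "info_search_time": "2025-09-08T14:13:41.439Z",
}
SCHEDULED_RECORD = {
    "info_min_time": "now-15m",
    "info_max_time": "now",
    "info_search_time": "2025-09-08 17:08:02 +03:00",
}

if __name__ == "__main__":
    for name, rec in (("standard", STANDARD_RECORD), ("scheduled", SCHEDULED_RECORD)):
        start, end = search_window(rec)
        print(f"{name}: {start.isoformat()} .. {end.isoformat()}")
```

The scheduled record resolves to 13:53:02Z .. 14:08:02Z, since info_search_time (17:08:02 at +03:00) is 14:08:02Z and `now-15m` is evaluated against it. Evaluating relative expressions against info_search_time rather than against the current wall clock matters when records are processed some time after the search ran.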
Query Examples
Example #1
source server_warnings
| addinfo
Example #2
source server_warnings
| addinfo
| rename info_min_time as start, info_max_time as end
Example #3
source server_warnings
| addinfo
| eval start = info_min_time, end = info_max_time