2

How do I get the timestamp of the last known sample of a metric? I want to display a table that lists when was the last time a specific service was running before it disappeared (died or whatever). The user could be looking at the table in a dashboard set with time window of say Last hour and I still want to get this timestamp displayed even if the service died 5 days ago. For the metric, I could perhaps use something like process_start_time_seconds or up, but it could be I guess any process metric as long as I get the timestamp. For example here, the last time the service existed was around 11/23. I want the table to have a column Last Seen and display that timestamp. There could be other rows in the table for other services.

enter image description here

Improve this question

1 Answer 1

Reset to default
5

It is possible with combination of max_over_time() and timestamp() functions, though it can pull quite a lot of historical data so be careful.

max_over_time( 
  timestamp(
    my_metric{my_label="somevalue"}
  )[30d:5m] # this means "repeat for each 5 minutes in 30 days range"
)

How it works:

  1. timestamp() function returns the timestamp of a metric, instead of value.
  2. [30d:5m] notation (this is called a subquery) makes a range of values out of previous statement.
  3. max_over_time(), obviously, takes the maximum value out of a vector, which in case of a timestamp is like "last seen".

How long it will work (if at all) after a metric disappearance is determined by the subquery notation. If a metric disappeared before the 30d interval - you won't see it. If a metric was a short-lived one and you set a step larger than 5m, you might also miss it. 5m step should be the minimum to catch all metrics, but it can pull a lot of data out of a large range so you might want to tweak these two.

Improve this answer
3
  • Thanks, that seems to work, however when I used your example [30d:5m] looking back 30 days, it took almost 10 seconds, and after a couple of panel refreshes, Grafana crashed somehow. I changed it to [7d:] and it worked better. Actually, I'm not sure what does it mean when I made it [7d:] without specifying the second parameter.
    – sOltan
    Commented Dec 21, 2023 at 0:22
  • Also, my metric was reporting several series, so I changed the query to use a max(). max_over_time(timestamp(max(up{pod=~"cilium-.*"}))[7d:])
    – sOltan
    Commented Dec 21, 2023 at 0:24
  • @sOltan That's why I said "be careful". Also, [7d:] without the second parameter uses the default scrape interval, if I'm not mistaken. And that is often 30s or 60s, depends on the configuration.
    – anemyte
    Commented Dec 21, 2023 at 6:08

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Not the answer you're looking for? Browse other questions tagged or ask your own question.