Temporal correlation is Zeal’s standout feature. It lets you find log entries that occurred close in time to other entries — without joining files, writing scripts, or manually scanning timestamps.
A common scenario: you see a burst of errors in production, but the root cause was a warning logged 3 seconds earlier. A plain WHERE level = "error" query won’t surface that connection. WITHIN...OF does.
Syntax
WHERE <condition> WITHIN <duration> OF <anchor>
- condition — the expression the returned entry must satisfy
- duration — how far apart the two events can be (in either direction)
- anchor — the expression the reference event must satisfy
Zeal scans all entries for events matching anchor, collects their timestamps, then returns only the entries matching condition that fall within ±duration of any anchor event.
Duration units
| Unit | Meaning | Example |
|---|---|---|
| ms | Milliseconds | 500ms |
| s | Seconds | 5s |
| m | Minutes | 1m |
| h | Hours | 2h |
| d | Days | 1d |
Examples
# Errors within 5 seconds of a warning
zeal 'FROM app.json WHERE level = "error" WITHIN 5s OF level = "warn"'
# Timeouts within 1 minute of a deployment (before or after)
zeal 'FROM app.json WHERE message CONTAINS "timeout" WITHIN 1m OF message CONTAINS "deployed"'
# DB errors near high latency
zeal 'FROM app.json WHERE message CONTAINS "db error" WITHIN 2s OF latency_ms >= 1000'
Zeal sorts the anchor timestamps and uses binary search to check proximity for each candidate entry. This gives O(n log m) performance, where n is the number of condition matches and m is the number of anchor events.
Temporal correlation requires log entries to have a parseable timestamp field. Zeal recognises timestamp, ts, time, t, @timestamp, datetime, and date automatically. Entries without a timestamp are excluded from temporal matching.
Zeal parses ISO 8601 timestamps, with and without timezone offsets:
2024-01-15T10:30:00Z
2024-01-15T10:30:00.123Z
2024-01-15 10:30:00
2024-01-15T10:30:00+05:30
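The matching procedure and timestamp handling described above, sketched in Python as an added example (not Zeal's own code). The names within_of, parse_ts and demo are hypothetical, the sample entries are constructed, and reading offset-less timestamps as UTC and treating the window boundary as inclusive are assumptions.

```python
from bisect import bisect_left
from datetime import datetime, timedelta, timezone

# Timestamp field names the page lists as recognised automatically.
TS_FIELDS = ("timestamp", "ts", "time", "t", "@timestamp", "datetime", "date")

def parse_ts(entry):
    """Return an aware datetime for the entry, or None if no field parses."""
    for field in TS_FIELDS:
        try:
            ts = datetime.fromisoformat(str(entry[field]).replace("Z", "+00:00"))
        except (KeyError, ValueError):
            continue
        # Assumption: a timestamp without an offset is read as UTC.
        return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)
    return None

def within_of(entries, condition, anchor, window):
    """Entries matching condition within +/- window (inclusive, assumed) of an anchor."""
    # Entries without a parseable timestamp are dropped, as the page states.
    stamped = [(parse_ts(e), e) for e in entries]
    stamped = [(ts, e) for ts, e in stamped if ts is not None]
    anchors = sorted(ts for ts, e in stamped if anchor(e))
    hits = []
    for ts, e in stamped:
        if condition(e):
            i = bisect_left(anchors, ts)            # index of first anchor >= ts
            nearest = anchors[max(i - 1, 0):i + 1]  # closest anchor on each side
            if any(abs(ts - a) <= window for a in nearest):
                hits.append(e)
    return hits

# Constructed sample entries covering the timestamp formats shown above.
SAMPLE = [
    {"t": "2024-01-15T10:29:57Z", "level": "error", "message": "before warn"},
    {"timestamp": "2024-01-15T10:30:00Z", "level": "warn", "message": "pool low"},
    {"ts": "2024-01-15T10:30:03.500Z", "level": "error", "message": "db error"},
    {"time": "2024-01-15 10:31:00", "level": "error", "message": "timeout"},
    {"@timestamp": "2024-01-15T16:00:02+05:30", "level": "error", "message": "offset"},
    {"level": "error", "message": "no timestamp"},
]

def demo():
    """Equivalent of: WHERE level = "error" WITHIN 5s OF level = "warn"."""
    level = lambda want: lambda e: e.get("level") == want
    return within_of(SAMPLE, level("error"), level("warn"), timedelta(seconds=5))

if __name__ == "__main__":
    print([e["message"] for e in demo()])
```

The error logged 3 seconds before the warning is returned along with the ones after it, and the entry with no timestamp never appears, which matters when a missing result is read as "nothing happened".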
Combining with GROUP BY
Pair WITHIN...OF with GROUP BY to see which request IDs, services, or users were affected when errors occurred within 5 seconds of warnings.
zeal 'FROM app.json WHERE level = "error" WITHIN 5s OF level = "warn" GROUP BY request_id'