Cortex XDR XQL timeframe configuration enables performing
searches within a specific time frame from the query execution.
Synopsis
Relative Time
config timeframe = <
number
><
time unit
>
Exact Time
config timeframe between "<
Year-Month-Day H:M:S ±Timezone
>" and "<
Year-Month-Day H:M:S ±Timezone
>"
Description
The
timeframe
configuration
enables you to perform searches within a specific time frame from
the query execution. The results for the time frame are based on
times listed in the
_Time
column in
the results table.
You can add the
timeframe
configuration
to your queries using two different formats depending on whether
the time frame you are setting is a relative time or an exact time.
When
you set a relative time, the
config timeframe
is
set to
<number><time-unit>
, where
you choose the
<time-unit>
from the available time-unit options listed in the table below.
When you set an exact time, include the
config timeframe
details:
between "<Year-Month-Day H:M:S ±Timezone>" and "<Year-Month-Day H:M:S ±Timezone>"
.
The
±Timezone
format is:
±xxxx
.
When you do not configure a timezone, the default is
UTC
.
Available Time Units
Time Unit
Description
S
seconds
M
minutes
H
hours
D
days
W
weeks
MO
months
Y
years
The time unit is not case sensitive.
Examples
Relative Time
For the last 10 hours from when the query runs, return a maximum of 100
