Document:Cortex XDR™ XQL Language Reference

timeframe

Search the Table of Contents

copyright
- copyright
Get Started with XQL
Stages Commands Reference
- Alter
- Arrayexpand
- Bin
- Comp
  - avg
  - count
  - count_distinct
  - earliest
  - first
  - last
  - latest
  - list
  - max
  - min
  - sum
  - values
- Config
  - case_sensitive
  - timeframe
- Dedup
- Fields
- Filter
- Join
- Iploc
- Limit
- Replacenull
- Sort
- Target
- Union
- View
XQL Functions Reference
- add
- arrayconcat
- arraycreate
- arraydistinct
- arrayfilter
- arrayindex
- arrayindexof
- array_length
- arraymap
- arraymerge
- arrayrange
- arraystring
- coalesce
- concat
- current_time
- divide
- extract_time
- format_string
- format_timestamp
- floor
- if
- incidr
- incidrlist
- json_extract
- json_extract_array
- json_extract_scalar
- len
- lowercase
- multiply
- object_create
- parse_timestamp
- pow
- regextract
- replace
- replex
- round
- split
- string_count
- subtract
- timestamp_diff
- timestamp_seconds
- to_boolean
- to_float
- to_integer
- to_json_string
- to_number
- to_string
- to_timestamp
- trim
- uppercase

timeframe

Cortex XDR XQL timeframe configuration enables performing searches within a specific time frame from the query execution.

Synopsis

Relative Time

config timeframe = <number><time unit>

Exact Time

config timeframe between "<Year-Month-Day H:M:S ±Timezone>" and "<Year-Month-Day H:M:S ±Timezone>"

Description

The

timeframe

configuration enables you to perform searches within a specific time frame from the query execution. The results for the time frame are based on times listed in the

_Time

column in the results table.

You can add the

timeframe

configuration to your queries using two different formats depending on whether the time frame you are setting is a relative time or an exact time.

When you set a relative time, the

config timeframe

is set to

, where you choose the

<time-unit>

from the available time-unit options listed in the table below.

When you set an exact time, include the

config timeframe

details:

between "<Year-Month-Day H:M:S ±Timezone>" and "<Year-Month-Day H:M:S ±Timezone>"

. The

±Timezone

format is:

±xxxx

. When you do not configure a timezone, the default is

UTC

Available Time Units

Time Unit	Description
S	seconds
M	minutes
H	hours
D	days
W	weeks
MO	months
Y	years

The time unit is not case sensitive.

Examples

Relative Time

For the last 10 hours from when the query runs, return a maximum of 100

xdr_data

records.

config timeframe = 10h 
| dataset = xdr_data 
| limit 100

Exact Time

From April 1, 2021 at 9:00 a.m. UTC -02:00 until April 2, 2021 at 10:00 a.m. UTC -02:00, return a maximum of 100

xdr_data

records.

config timeframe between "2021-04-01 09:00:00 -0200" and "2021-04-02 10:00:00 -0200" 
| dataset = xdr_data 
| limit 100

Document:Cortex XDR™ XQL Language Reference

timeframe

Table of Contents

timeframe

Synopsis

Description

Available Time Units

Examples

Recommended For You

Recommended Videos