time_frame_end

The Cortex XDR XQL time_frame_end() function returns the timestamp at the end of the time range configured for the query.

Synopsis

time_frame_end(<time frame>)

Description

The time_frame_end() function returns the timestamp object for the string representation of the end of the time frame configured for the query, in the format MMM dd YYYY HH:mm:ss, such as Jun 8th 2022 15:20:06. You configure the time frame with the config timeframe function, where the range can be relative or exact.
If the time frame is relative, for example the last 24H, the function returns current_time(). The function is most useful when the query uses a custom time frame whose end time is in the past.

Relative Time Example 1

For the last 5 days from when the query is sent, returns a maximum of 100 xdr_data records with the events of the _time field and a new field called "x". The "x" field lists the final timestamp at the end of the 5-day window from when the query was sent, with the events sorted in descending order. For more information on this relative time frame range, see the config timeframe function.
config timeframe = 5d | dataset = xdr_data | alter x = time_frame_end() | fields x | sort desc x | limit 100

Relative Time Example 2

For the last 5 days from when the query is run until now, returns a maximum of 100 xdr_data records with the events of the _time field and a new field called "x". The "x" field lists the final timestamp at the end of the 5-day window from when the query runs, with the events sorted in descending order. For more information on this relative time frame range, see the config timeframe function.
config timeframe = between "5d" and "now" | dataset = xdr_data | alter x = time_frame_end() | fields x | sort desc x | limit 100
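The following Python helper, added here as an illustration and not part of the Cortex XDR product or its documentation, mimics the time_frame_end() semantics described above so you can predict the value a query's "x" field will hold before running it: a bare relative offset such as 5d, or a between range ending in "now", resolves to the current time, while an exact range resolves to its upper bound even when that lies in the past. The "YYYY-MM-DD HH:MM:SS" layout for exact bounds, the m/h/d offset units and the UTC assumption are choices of this example, not of XQL.

```python
import re
from datetime import datetime, timedelta, timezone

# Relative offset units, modelled on the "5d" / "24H" style used in XQL
# (assumption: only minutes, hours and days are handled here).
_UNIT_SECONDS = {"m": 60, "h": 3600, "d": 86400}
_ABS_FORMAT = "%Y-%m-%d %H:%M:%S"  # assumed layout for exact bounds, read as UTC

def _parse_bound(token, now):
    """Resolve one bound of a timeframe: 'now', a relative offset such as '5d'
    (now minus five days) or an exact timestamp in _ABS_FORMAT."""
    token = token.strip().strip('"')
    if token.lower() == "now":
        return now
    m = re.fullmatch(r"(\d+)([mhd])", token, re.IGNORECASE)
    if m:
        return now - timedelta(seconds=int(m.group(1)) * _UNIT_SECONDS[m.group(2).lower()])
    return datetime.strptime(token, _ABS_FORMAT).replace(tzinfo=timezone.utc)

def time_frame_end(config, now=None):
    """Mimic XQL time_frame_end() for a 'config timeframe = ...' clause.
    A bare relative offset ('5d') or a range ending in 'now' yields the current
    time; an exact range yields its upper bound, which may lie in the past.
    `now` may be omitted, a datetime, or a string in _ABS_FORMAT (handy in tests)."""
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = datetime.strptime(now, _ABS_FORMAT).replace(tzinfo=timezone.utc)
    spec = re.sub(r"^\s*config\s+timeframe\s*=\s*", "", config, flags=re.IGNORECASE).strip()
    m = re.fullmatch(r'between\s+("[^"]*"|\S+)\s+and\s+("[^"]*"|\S+)', spec, re.IGNORECASE)
    if m:
        start, end = (_parse_bound(t, now) for t in m.groups())
        if end < start:
            raise ValueError(f"timeframe end {end} precedes start {start}")
        return end
    _parse_bound(spec, now)  # validates the single relative offset
    return now

def format_xql_timestamp(ts):
    """Render a timestamp in the MMM dd YYYY HH:mm:ss layout the docs describe."""
    return ts.strftime("%b %d %Y %H:%M:%S")

if __name__ == "__main__":
    for cfg in ("config timeframe = 5d",
                'config timeframe = between "5d" and "now"',
                'config timeframe = between "2022-06-01 00:00:00" and "2022-06-03 12:00:00"'):
        print(f"{cfg:<80} -> {format_xql_timestamp(time_frame_end(cfg))}")
```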
