Overview
You can use this menu to select a time period for the data shown in the table. You can select a short time range to narrow down your search, or you can use an extended period to analyze long-term patterns like an advanced persistent threat. You can perform the following actions:
Set a new time interval using the interface
You can set a time interval following the steps described in the picture below. When setting time ranges, it is important to consider different aspects related to the type of time range specified and the method chosen to do it. You can use the interface to set absolute, relative, or snap-to dates:
...
Info |
---|
Daylight saving time may apply. Be aware that the timezone corresponding to the initial date of the first interval selected in your search is used as a reference point for subsequent time ranges selected in the search. This is especially important to take into account when using timezones that observe daylight saving time. |
Set a new time interval using date language expressions
You can also enter time ranges manually using date language expressions, which gives you more flexibility and precision when searching your data. Click the date field and write the desired time expression or edit the existing one. The field turns red and an explanatory message appears until a valid date is entered. Click Apply when you finish and the expressions will be translated into the corresponding dates.
Note |
---|
Invalid expressions. Your from date cannot be after your to date and your to date cannot be in the future. You can use a mix of both absolute and date language expressions in any given time range (for example, the to date can be relative and the from date absolute, and vice versa). For date language expressions, the current moment "now()" is used as the reference point. |
Operators
For operators, you can establish absolute dates in the required format:
...
Time expression | Description | Resulting time |
---|---|---|
now() - 60m | 60 minutes ago | Sunday, 05 February 2017, 12:37:05 |
now() @ 1h | Now (rounded to the beginning of the hour) | Sunday, 05 February 2017, 13:00:00 |
now() - 24h | 24 hours ago | Saturday, 04 February 2017, 13:37:05 |
(now() - 1d) @ 1d | Yesterday (rounded to the beginning of the day) | Saturday, 04 February 2017, 00:00:00 |
(now() - 2d) @ 1d | 2 days ago (rounded to the beginning of the day) | Friday, 03 February 2017, 00:00:00 |
(now() - 2d) @ 1m | 2 days ago (rounded to the beginning of the minute) | Friday, 03 February 2017, 13:37:00 |
((now() - 2d) @ 1d) - 2h | 2 days ago (rounded to the beginning of the day minus 2 hours) | Thursday, 02 February 2017, 22:00:00 |
now() @ 1w | Locale week | Sunday, 05 February 2017, 00:00:00 |
now() @ 1W | ISO week | Monday, 30 January 2017, 00:00:00 |
now() ^ 6d | Replace the day with 6 | Monday, 06 February 2017, 13:37:05 |
now() ^ 2018y3M6d15h30m20s | Replaces the year with 2018 | Tuesday, 06 March 2018, 15:30:20 |
now() >> 2M | Forward to next second month | Monday, 05 February 2018, 13:37:05 |
now() << 2M | Backward to previous second month | Friday, 05 February 2016, 13:37:05 |
now() >> 2M6d15h20m10s | Forward to next second month, sixth day, fifteenth hour, twentieth minute and 10 seconds | Tuesday, 06 February 2018, 15:20:10 |
now() << 1h/1d | Goes back to the first hour of the current day. Minutes and seconds don't change. | Sunday, 05 February 2017, 01:37:05 |
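The following is an added example, not the product's own parser: a small Python evaluator for the subtraction (`-`) and snap (`@`) rows of the table above, plus the from/to rule from the note on invalid expressions, useful for checking a time range in a script before running a search. The function names, the `NOW` reference moment inferred from the table, and the use of naive datetimes (no time zone or daylight saving handling) are assumptions; the `^`, `>>`, `<<` and locale-week forms are not covered.

```python
import re
from datetime import datetime, timedelta

TOKEN = re.compile(r"now\(\)|[()@-]|\d+[smhdW]")
SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}
FIELDS = ("microsecond", "second", "minute", "hour")
SNAP = {"1m": 2, "1h": 3, "1d": 4, "1W": 4}  # number of FIELDS set to zero
NOW = datetime(2017, 2, 5, 13, 37, 5)  # reference moment implied by the table

def snap(t, dur):
    """'@' operator: round down to the start of the minute, hour, day or ISO week."""
    if dur == "1W":  # ISO weeks start on Monday
        t -= timedelta(days=t.weekday())
    return t.replace(**{f: 0 for f in FIELDS[:SNAP[dur]]})

def evaluate(expr, now):
    """Evaluate now(), parentheses, '- <n><unit>' and '@ 1<unit>' on a naive datetime."""
    tokens = TOKEN.findall(expr)
    if "".join(tokens) != "".join(expr.split()):
        raise ValueError(f"invalid characters in {expr!r}")

    def parse(i):
        opened = tokens[i] == "("
        t, i = parse(i + 1) if opened else (now, i)
        if tokens[i] != (")" if opened else "now()"):
            raise ValueError(f"unexpected token {tokens[i]!r}")
        i += 1
        while i < len(tokens) and tokens[i] in ("-", "@"):
            op, dur = tokens[i], tokens[i + 1]
            if op == "@":
                t = snap(t, dur)
            else:
                t -= timedelta(seconds=int(dur[:-1]) * SECONDS[dur[-1]])
            i += 2
        return t, i

    try:
        t, end = parse(0)
    except (IndexError, KeyError):  # truncated input or unsupported unit
        end = -1
    if end != len(tokens):
        raise ValueError(f"malformed expression: {expr!r}")
    return t

def validate_range(from_expr, to_expr, now):
    """Page rule: 'from' must not be after 'to'; 'to' must not be in the future."""
    start, end = evaluate(from_expr, now), evaluate(to_expr, now)
    if start > end or end > now:
        raise ValueError(f"invalid range: {start} to {end}")
    return start, end
```

Calling `validate_range("(now() - 1d) @ 1d", "now() @ 1h", NOW)` returns the pair of resolved datetimes, while a reversed or malformed range raises `ValueError`.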
Activate or deactivate real-time data flow
Click the RT icon to suspend or reestablish the flow of real-time data. In some cases of extremely large volumes of data, real-time data flow will stop automatically and a warning message will be shown above the table. This is done to prevent the browser from crashing.
Info |
---|
Determine default real-time settings. Users with the necessary permissions can determine if real-time data flow is active or inactive by default when users run searches. Go to Preferences → Domain Preferences → Global to access this setting. For more information, see Domain preferences. |
Apply previously used time intervals
Use the Back button to apply previously selected time intervals in your query.
...