Overview
You can use this menu to select a time period for the data shown in the table. You can select a short time range to narrow down your search or you can use an extended period to analyze long-term patterns like an advanced persistent threat.
You can perform the following actions:
Set a new time interval using the interface
You can set a time interval following the steps described in the picture below. When setting time ranges, it is important to consider different aspects related to the type of time range specified and the method chosen to do it. You can use the interface to set absolute, relative, or snap-to dates:
Absolute: a specific interval with fixed start and end dates to see data from a specific time period.
Relative: a period of time relative to the current date (last 5 minutes, last day, etc.) to see data progression up to the present.
Snap to: a period of time that goes back to the starting point of the selected time frame to see data without unrepresentative data samples resulting from analyzing incomplete periods. For example, if it is 10:53:17 on a Tuesday:
Snap to the day: you will see data beginning at 00:00 on that same Tuesday. Snap to the hour: you will see data beginning at 10:00.Snap to the minute: you will see data beginning at 10:53:00.
Daylight saving time may apply
Be aware that the timezone corresponding to the initial date of the first interval selected in your search is used as a reference point for subsequent time ranges selected in the search.
If you close the search and reopen it, the reference point is recalculated with the initial date of the first time interval selected.
This is especially important to take into account when using timezones that observe daylight saving time.
Set a new time interval using date language expressions
You can also introduce time ranges manually using date language expressions, which gives you more flexibility and precision when searching your data. Simply click on the date field and write the desired time expression or edit the existing one. The field turns red and an explanatory message appears until a valid date is entered. Click Apply when you finish and the expressions will be translated into the corresponding dates.
Invalid expressions
Your from date cannot be after your to date and your to date cannot be in the future.
You can use a mix of both absolute and date language expressions in any given time range (for example, the to date can be relative and the from date absolute, and vice versa). For date language expressions, the current moment "now()" is used as the reference point.
Operators
You can establish absolute dates in the required format:
Operator | Action | Example |
|---|---|---|
yyyy-MM-dd hh:mm:ss | Establishes the specified absolute date | 2021-06-30 15:35:23 |
With date language expressions, use a series of mathematical operations to move away from the current time which is used as the reference point. You can use multiple operators at once and the execution order is from left to right:
Operator | Action | Example |
|---|---|---|
Snap to (@) or |< | Rounds the date to the beginning of a time unit. Note that this operator only works with 1m, 1d, 1h, 1w, 1W, 1M and 1y. | now() @ 1m or now() |< 1m |
Arithmetics (+/-) | Applies an offset to the date (date + offset or date - offset) | now() - 3h |
Replace (^) | Replaces part of the date by a time unit (date ^ time_unit) | now() ^ 6d |
Backward & forward (>>/<<) | Shifts the date to the next/past time unit (date >> time_unit or date << time_unit) | now() << 11M |
Time expressions
Let's suppose the current time (which we refer to as "now()") is Sunday, 05 February 2017, 13:37:05. The table below shows the resulting time when different expressions are applied. Note that this isn't an exhaustive list:
Time expression | Description | Resulting time |
|---|---|---|
now() - 60m | 60 minutes ago | Sunday, 05 February 2017, 12:37:05 |
now() @ 1h | Now (rounded to the beginning of the hour) | Sunday, 05 February 2017, 13:00:00 |
now() - 24h | 24 hours ago | Saturday, 04 February 2017, 13:37:05 |
(now() - 1d) @ 1d | Yesterday (rounded to the beginning of the day) | Saturday, 04 February 2017, 00:00:00 |
(now() - 2d) @ 1d | 2 days ago (rounded to the beginning of the day) | Friday, 03 February 2017, 00:00:00 |
(now() - 2d) @ 1m | 2 days ago (rounded to the beginning of the minute) | Friday, 03 February 2017, 13:37:00 |
((now() - 2d) @ 1d) - 2h | 2 days ago (rounded to the beginning of the day minus 2 hours) | Thursday, 02 February 2017, 22:00:00 |
now() @ 1w | Locale week | Sunday, 05 February 2017, 00:00:00 |
now() @ 1W | ISO week | Monday, 30 January 2017, 00:00:00 |
now() ^ 6d | Replace the day with 6 | Monday, 06 February 2017, 13:37:05 |
now() ^ 2018y3M6d15h30m20s | Replaces the year with 2018 | Tuesday, 06 March 2018, 15:30:20 |
now() >> 2M | Forward to next second month | Monday, 05 February 2018, 13:37:05 |
now() << 2M | Backward to previous second month | Friday, 05 February 2016, 13:37:05 |
now() >> 2M6d15h20m10s | Forward to next second month, sixth day, fifteenth hour, twentieth minute and 10 seconds | Tuesday, 06 February 2018, 15:20:10 |
now() << 1h/1d | Goes back to the first hour of the current day. Minutes and seconds don't change. | Sunday, 05 February 2017, 01:37:05 |
Activate or deactivate real-time data flow
Click the RT icon to suspend or reestablish the flow of real-time data. In some cases of extremely large volumes of data, the real-time data flow will stop automatically and a warning message will be shown above the table. This is done to prevent the browser from crashing.
Determine dpefault real-time settings
Users with the necessary permissions can determine if real-time data flow is active or inactive by default when users run searches. Go to Preferences → Domain Preferences → Global to access this setting. For more information, see Domain preferences.
Apply previously used time intervals
Use the Back button to apply previously selected time intervals in your query.
Additionally, the Time interval history tool allows you to easily apply previously selected time periods in the current or other data tables, to facilitate the analysis of data over time. The results can be used in reports or to create dashboard data sources from different time intervals.
Select the required interval in the Available Time Intervals area. When there are multiple active queries, checkboxes will be available to let you apply the interval to more than one query. The current query is selected by default.
