
Period (period)

Description

Adjusts a series of timestamps so that they coincide with periods of a specific duration, taking into account the UTC value of the timestamp. Each timestamp is adjusted to the beginning of the time period to which it belongs. The periods are determined by the duration specified in the arguments.

How does it work in the search window?

Select Create field in the search window toolbar, then select the Period operation.

This operation needs two arguments: the Date to transform into periods and the Duration of those periods.

| Argument | Data type | Description |
|---|---|---|
| Date (mandatory) | timestamp | You can either select a field with that data type or enter it manually. If you enter it manually, the value must be a date in the format Year-Month-Day Hour:Minute:Second.Millisecond (yyyy-MM-dd HH:mm:ss.SSS). You can skip seconds and milliseconds. |
| Duration (mandatory) | duration / integer | Duration: an integer number plus d for days, h for hours, m for minutes, s for seconds. Integer: an integer number to represent milliseconds. |

The data type of the new field values will be timestamp. Each value shown is the original value adjusted to the beginning of the period to which it belongs, using the duration specified in the arguments. For example, minute 27 becomes 15 if the duration is 15 minutes (15m), 20 if the duration is 10 minutes (10m), or 0 if the duration is 30 minutes (30m).

Example

In the siem.logtrust.web.activity table, we want to adjust the dates in our eventdate field to periods of 15 seconds.

The arguments needed to create the new field are:

  • Date - eventdate field

  • Duration - Click the pencil icon and enter 15s

Click Create field and you will see the following result:

  • 44 belongs to the third period of 15 seconds and it is thus shown as 30, the starting point of the third period.

  • 45 belongs to the fourth period of 15 seconds and it is thus shown as 45, the starting point of the fourth period.

  • 46 belongs to the fourth period of 15 seconds and it is thus shown as 45, the starting point of the fourth period.

How does it work in LINQ?

Use the operator select... as... and add the operation syntax to create the new field. These are the valid formats for the Period operation:

  • period(timestamp, duration)

  • period(timestamp, integer)

Example

You can copy the following LINQ scripts and try the previous examples on the siem.logtrust.web.activity table.

from siem.logtrust.web.activity select period(eventdate, 15s) as eventdate_period
from siem.logtrust.web.activity select period(eventdate, 3h) as eventdate_period
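The period adjustment described above, sketched in Python as an added example (not Devo's code), followed by the per-period, per-client count that such a field is typically grouped on. It assumes periods are aligned to the UTC epoch; the helper names (duration_ms, parse_utc, period, count_per_period) are hypothetical and the sample events are constructed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
UNIT_MS = {"d": 86_400_000, "h": 3_600_000, "m": 60_000, "s": 1_000}

def duration_ms(duration):
    """Accept both argument forms from the page: '15s'-style or integer milliseconds."""
    if isinstance(duration, int) and duration > 0:
        return duration
    match = re.fullmatch(r"([1-9]\d*)([dhms])", str(duration).strip())
    if not match:
        raise ValueError(f"unsupported duration: {duration!r}")
    return int(match.group(1)) * UNIT_MS[match.group(2)]

def parse_utc(text):
    """Parse yyyy-MM-dd HH:mm[:ss[.SSS]] and treat it as UTC."""
    for fmt in ("%Y-%m-%d %H:%M:%S.%f", "%Y-%m-%d %H:%M:%S", "%Y-%m-%d %H:%M"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised timestamp: {text!r}")

def period(ts, duration):
    """Floor ts to the start of its period. Assumption: periods are aligned to the UTC epoch."""
    step = duration_ms(duration)
    epoch_ms = (ts - EPOCH) // timedelta(milliseconds=1)  # integer math, no float rounding
    return EPOCH + timedelta(milliseconds=epoch_ms - epoch_ms % step)

# Constructed sample events (not real data): timestamp, client address.
SAMPLE = [
    ("2024-03-05 10:27:44.120", "192.0.2.10"),
    ("2024-03-05 10:27:45.000", "192.0.2.10"),
    ("2024-03-05 10:27:46.900", "192.0.2.10"),
    ("2024-03-05 10:27:59", "198.51.100.7"),
]

def count_per_period(events, duration):
    """Count events per (period start, client), the usual step before thresholding."""
    counts = Counter()
    for text, client in events:
        counts[(period(parse_utc(text), duration), client)] += 1
    return counts

if __name__ == "__main__":
    for (start, client), n in sorted(count_per_period(SAMPLE, "15s").items()):
        print(start.isoformat(), client, n)
```

Because the adjustment floors each timestamp to a fixed boundary, a burst that straddles a boundary (seconds 44 and 45 here) is split across two periods, which matters when choosing a per-period alert threshold.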