Yesterday (yesterday)

Description

Returns the start time of the previous day in your current time zone. Optionally, you can specify a time zone other than your current one. In that case, the result is the time it was in your time zone when the previous day started in the specified time zone.

Real-time queries

This operation is calculated when the query is executed and the result remains the same as time passes unless the query is re-launched for whatever reason (query error, server restart, etc.).

How does it work in the search window?

Select Create field in the search window toolbar, then select the Yesterday operation.

This operation can be applied with no arguments. In this case, you will get the start time of the previous day in your current time zone. If you add the Time zone argument, you can specify a time zone other than your current one to see what time it was in your time zone when the previous day started in the specified time zone. When you specify a time zone different from yours, pay special attention to the original timestamp of the event, as the result may imply a day shift in the specified time zone.

Argument

Data type

Description

Time zone mandatory

string

Enter a string in a format the app can recognize so that it returns meaningful results. If you leave the field empty or enter a value the app cannot recognize, the default time zone is UTC. You can use one of the following methods:

  1. A time zone code → UTC, PST, CST, etc. Check the full list here.

  2. The time zone database name → America/Los_Angeles, Europe/Amsterdam, Asia/Tokyo, etc. For the full list, see here.

  3. The full name of the time zone → Universal Time Coordinated, Pacific Standard Time, Central Standard Time, etc. Check the full list here.

  4. The name of the region as it appears in Devo → Asia/Shanghai, Europe/Athens, America/New York, etc. You can check the time zone codes and region names in the Configure Timezone window in Devo.

Be aware that some of the codes coincide; for example, CST could mean Central Standard Time or China Standard Time. In that case, it is advisable to avoid codes and enter any of the other formats mentioned.

The data type of the new field values is timestamp.

Be aware that some time zones set the clock forward during summer, which alters the results. For example, Europe/Madrid (CET, Central European Time), which is UTC+1, becomes UTC+2 during summertime. Performing this operation during summer with that time zone selected as your own, or using it as an argument, will affect the results. Also be aware that summertime differs between the Northern and Southern Hemispheres.

Example

In the siem.logtrust.web.activity table, we want to create a field showing the start time of the previous day (today is April 24th), taking EEST (Eastern European Summer Time, UTC+3) as the reference and considering that we are in CEST (Central European Summer Time, UTC+2). To do this, we will create a new field using the Yesterday operation.

The arguments needed to create the new field are:

  • Time zone - EEST

Click Create field and you will see the following result:

  • The new field shows that when the previous day (April 22nd) started in EEST (UTC+2), it was 23 hours of April 24th in CET (UTC+1).

How does it work in LINQ?

Use the operator select... as... and add the operation syntax to create the new field. These are the valid formats for the Yesterday operation:

  • yesterday() → Use this expression to get the start time of the previous day, according to your current time zone.

  • yesterday(timezone_string) → Use this expression to get the start time of the previous day, according to the specified time zone.

Example

You can copy the following LINQ script and try the above example on the siem.logtrust.web.activity table.

from siem.logtrust.web.activity select yesterday("EEST") as yesterday_start_EEST
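
The Python sketch below is an added example, not Devo code: it models yesterday(timezone) under the assumption that the operation returns midnight of the previous calendar day in the given zone, and shows the day shift and the CST ambiguity described above. The function names, the fixed offsets (EEST = UTC+3, CEST = UTC+2, CST as UTC-6 or UTC+8) and the year 2024 are assumptions made for the illustration.

```python
from datetime import datetime, timedelta, timezone

# Fixed offsets: EEST and CEST as given in the example above, plus the two
# meanings of "CST" the page warns about. DST transitions are not modelled.
EEST = timezone(timedelta(hours=3), "EEST")
CEST = timezone(timedelta(hours=2), "CEST")
CST_US = timezone(timedelta(hours=-6), "CST")  # Central Standard Time
CST_CN = timezone(timedelta(hours=8), "CST")   # China Standard Time


def yesterday_start(now, target_tz):
    """Assumed semantics: the instant the previous day began in target_tz."""
    local_now = now.astimezone(target_tz)
    midnight = local_now.replace(hour=0, minute=0, second=0, microsecond=0)
    return midnight - timedelta(days=1)


def shown_in(instant, viewer_tz):
    """Render an instant as a user whose time zone is viewer_tz would see it."""
    return instant.astimezone(viewer_tz).strftime("%Y-%m-%d %H:%M %Z")


def cst_window_gap(now):
    """Hours between the two start times a bare 'CST' could resolve to."""
    gap = yesterday_start(now, CST_US) - yesterday_start(now, CST_CN)
    return gap.total_seconds() / 3600


# Constructed clock readings for a user in CEST on April 24th.
NOW = datetime(2024, 4, 24, 12, 0, tzinfo=CEST)    # midday
LATE = datetime(2024, 4, 24, 23, 30, tzinfo=CEST)  # already April 25th in EEST

if __name__ == "__main__":
    # No argument: previous day in the user's own zone.
    print("own zone      :", shown_in(yesterday_start(NOW, CEST), CEST))
    # EEST argument: the boundary lands one hour earlier on the user's clock.
    print("EEST at midday:", shown_in(yesterday_start(NOW, EEST), CEST))
    # Day shift: late in the evening, "yesterday" in EEST is a different day.
    print("EEST at 23:30 :", shown_in(yesterday_start(LATE, EEST), CEST))
    # Ambiguous code: the two readings of CST move the boundary by hours.
    print("CST gap (h)   :", cst_window_gap(NOW))
```

When the field is used as the lower bound of a search or alert window, the same query can therefore cover different events depending on the string passed and the moment it runs.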