Available:setTimeInterval() v1.171.0
The setTimeInterval() function is
available from v1.171.0
setTimeInterval() can be used to set the
query's time interval and related time settings from within the
query string. When used, the query time specified in the query
string will override the settings from the UI or query API.
For more information about time specification options, see Search API Time Specification.
| Parameter | Type | Required | Default Value | Description |
|---|---|---|---|---|
end | string,time point | optional[a] | now | End time of query. When specified, it overrides the end time from the query API. |
start[b] | string,time point | required | Start time of query. When specified, it overrides the start time from the query API. | |
timezone | string,time zone name | optional[a] | Time zone name. When specified, overrides the timezone set from the query API. For a list of timezone names, see the table “Supported Timezones”. | |
[a] Optional parameters use their default value unless explicitly set. | ||||
Hide omitted argument names for this function
Omitted Argument NamesThe argument name for
startcan be omitted; the following forms of this function are equivalent:logscale SyntaxsetTimeInterval(1d)and:
logscale SyntaxsetTimeInterval(start=1d)These examples show basic structure only.
setTimeInterval() Function Operation
Using setTimeInterval() offers several
advantages:
Query users can specify time ranges directly in query strings. The feature enables copying and sharing query strings with other users, who can recreate the search in different views and/or clusters (with different URLs).
Dashboard creators can specify time ranges in query strings. The feature allows setting the static time range for the widgets.
This is a metadata query function that does not process events. It is only used for setting the time interval and related metadata from within the query instead of through the Query Jobs API or the UI.
Using setTimeInterval() affects both the
API and the UI, as follows.
The
startandendparameters of the function override the Query Jobs APIendandstartfields, meaning that a query like this:logscalegroupBy([status_code, ip]with
start=7dandend=1dset inQueryInputJob, is equivalent to query:logscalesetTimeInterval(start=7d, end=1d) | groupBy([status_code, ip]When the Time field selection is set to in the UI, then the query will be submitted to the QueryInputJob with input useIngestTime equal to
true. In this scenario, thestartandendparameters ofsetTimeInterval()will override the ingestStart and ingestEnd API fields.When the Time field selection is set to in the UI, then the query will be submitted to the QueryInputJob with input useIngestTime equal to
false. In this scenario, thestartandendparameters ofsetTimeInterval()will override the start and end API fields.
Using setTimeInterval() also overrides
the time controls in the UI. See
Change Time Interval and
Shared Time Selector for more
information.
Validation Rules/Known Limitations
The setTimeInterval() function requires
specific validation rules for correct usage.
Must appear in the preamble of the query — that is, before any other functions, filters, free-text searches, etc.
Must appear before any
defineTable()definitions.Must appear at most once in a query.
Cannot appear inside
join()/defineTable()subqueries. To set a different time range for the ad-hoc table/join subquery, use thestartandendparameters that are supported in these functions.Same restrictions as the API time interval apply, that is:
In a live query
startmust be relative, andendmust benowIf the user has search limitations (for example, trial users can only search 7 days back), these limitations still apply
setTimeInterval()is only supported in ad-hoc searches and on dashboards. In particular,setTimeInterval()is not supported in:Triggers (aggregate alerts, filter alerts, legacy alerts, scheduled searches)
Filter prefix of a query such as repository filters, user filters, group filters (like any other query functions, which are equally not supported)
setTimeInterval()Examples
Click next to an example below to get the full details.
Set Relative Time Interval From Within Query
Set the relative time interval and related metadata from within the query instead of through the QueryJobs API or UI
Query
setTimeInterval(start=7d, end=1d)Introduction
In this example, the setTimeInterval() function is
used to define a new relative time interval before running an ad-hoc
query.
For more information about time specification options, see Search API Time Specification.
Step-by-Step
Starting with the source repository events.
- logscale
setTimeInterval(start=7d, end=1d)Sets a time interval to start 7 days ago from now and to end 1 day ago from now. As the timezone is not specified, it uses the system's default.
It is possible to explicitly set a timezone instead of using the system's default, in this example, the timezone is explicitly set to
Europe/Copenhagen:setTimeInterval(start="1w@d", end="now@d", timezone="Europe/Copenhagen") Event Result set.
Summary and Results
This query demonstrates how to use
setTimeInterval() to define the timespan from
within the query instead of through the QueryJobs API or UI.
For an example of using absolute time, see Set Specific Time Interval Based on Raw Epoch Timestamps From Within Query.
Set Specific Time Interval Based on Raw Epoch Timestamps From Within Query
Set a specific time interval based on raw epoch timestamps from within the query instead of through the QueryJobs API or UI
Query
setTimeInterval(start=1746054000000, end=1746780124517)
| "#event_simpleName" = ProcessRollup2Introduction
In this example, the setTimeInterval() function is
used to define a new time interval based on the epoch times
1746054000000 and 1746780124517
and return events of the type ProcessRollup2.
For more information about time specification options, see Search API Time Specification.
Example incoming data might look like this:
| timestamp | event_simpleName | ProcessId | CommandLine | ImageFileName | UserName | aid |
|---|---|---|---|---|---|---|
| 1746054100000 | ProcessRollup2 | 4567 | /usr/bin/python3 script.py | /usr/bin/python3 | john.doe | a1b2c3d4e5f6 |
| 1746054200000 | ProcessRollup2 | 4568 | notepad.exe file.txt | C:\Windows\notepad.exe | jane.smith | b2c3d4e5f6g7 |
| 1746054300000 | ProcessRollup2 | 4569 | cmd.exe /c dir | C:\Windows\System32\cmd.exe | admin.user | c3d4e5f6g7h8 |
| 1746054400000 | ImageLoadv2 | 4570 | explorer.exe | C:\Windows\explorer.exe | john.doe | d4e5f6g7h8i9 |
| 1746054500000 | ProcessRollup2 | 4571 | powershell.exe -nologo | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | system | e5f6g7h8i9j0 |
Step-by-Step
Starting with the source repository events.
- logscale
setTimeInterval(start=1746054000000, end=1746780124517)Sets a time interval in raw epoch time to start at
1746054000000and end at1746780124517. The timestamps are in Unix epoch milliseconds.Searches within the specified time period.
- logscale
| "#event_simpleName" = ProcessRollup2Filters for events where the values in the field event_simpleName is of the type ProcessRollup2. The ProcessRollup2 events represent process execution/creation events in CrowdStrike.
Event Result set.
Summary and Results
The query is used to return only ProcessRollup2 events that occurred during a specific timeframe defined in Epochs per millisecond.
This query demonstrates how to use
setTimeInterval() to define the timespan in Epoch
times from within the query instead of through the QueryJobs API or UI.
For an example of using relative time, see Set Relative Time Interval From Within Query.
Sample output from the incoming example data:
| timestamp | event_simpleName | ProcessId | CommandLine | ImageFileName | UserName | aid |
|---|---|---|---|---|---|---|
| 1746054100000 | ProcessRollup2 | 4567 | /usr/bin/python3 script.py | /usr/bin/python3 | john.doe | a1b2c3d4e5f6 |
| 1746054200000 | ProcessRollup2 | 4568 | notepad.exe file.txt | C:\Windows\notepad.exe | jane.smith | b2c3d4e5f6g7 |
| 1746054300000 | ProcessRollup2 | 4569 | cmd.exe /c dir | C:\Windows\System32\cmd.exe | admin.user | c3d4e5f6g7h8 |
| 1746054500000 | ProcessRollup2 | 4571 | powershell.exe -nologo | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | system | e5f6g7h8i9j0 |
The query only returns rows 1, 2, 3, and 5 since row 4 has a different event_simpleName (ImageLoadv2).
Set Time Interval From Within Query with defineTable()
Set the time interval and related metadata from within the query
instead of through the test QueryJobs API or UI using the
defineTable() function
Query
setTimeInterval(start="1h", end="30min")
| defineTable(
start=7d,
end=1d,
query={...},
name="ended_queries")
| match(table="ended_queries", field=queryID, strict=true)Introduction
In this example, the setTimeInterval() function is
used with the defineTable() function to define a
new time interval for the subqueries, before running this.
Note that the setTimeInterval() function must
appear before any defineTable() definitions and
only one time in a query.
For more information about time specification options, see Search API Time Specification.
Step-by-Step
Starting with the source repository events.
- logscale
setTimeInterval(start="1h", end="30min")Recalls the
defineTable()subquery time interval. This means that the subquery will start at7d+30min, and will end at1d+30min. - logscale
| defineTable( start=7d, end=1d, query={...}, name="ended_queries")Generates an ad-hoc table named
ended_queriesand computes the relative time points to the primary query's time end time. This means that the subquery will start at7d+30min, and will end at1d+30min - logscale
| match(table="ended_queries", field=queryID, strict=true)Joins the filtered events where the value equals
queryIDwith the ended_queries table. Event Result set.
Summary and Results
This query demonstrates how to use
setTimeInterval() to define the timespan for a
defined table query.