Set Specific Time Interval Based on Raw Epoch Timestamps From Within Query

Set a specific time interval based on raw epoch timestamps from within the query instead of through the QueryJobs API or UI

Query

Query flow: Events -> Preamble -> Filter -> Result Set

```logscale
setTimeInterval(start=1746054000000, end=1746780124517)
| "#event_simpleName" = ProcessRollup2
```

Introduction

The setTimeInterval() function can be used to set the time interval and related metadata from within the query instead of through the QueryJobs API or UI. The time settings given to setTimeInterval() override whatever interval was specified in the QueryJobs API or UI. setTimeInterval() must appear in the preamble of the query, before any other functions, filters, free-text searches, etc.

In this example, the setTimeInterval() function is used to define a new time interval based on the epoch times 1746054000000 and 1746780124517 and return events of the type ProcessRollup2.

For more information about time specification options, see Search API Time Specification.

Example incoming data might look like this:

| timestamp | event_simpleName | ProcessId | CommandLine | ImageFileName | UserName | aid |
|---|---|---|---|---|---|---|
| 1746054100000 | ProcessRollup2 | 4567 | /usr/bin/python3 script.py | /usr/bin/python3 | john.doe | a1b2c3d4e5f6 |
| 1746054200000 | ProcessRollup2 | 4568 | notepad.exe file.txt | C:\Windows\notepad.exe | jane.smith | b2c3d4e5f6g7 |
| 1746054300000 | ProcessRollup2 | 4569 | cmd.exe /c dir | C:\Windows\System32\cmd.exe | admin.user | c3d4e5f6g7h8 |
| 1746054400000 | ImageLoadv2 | 4570 | explorer.exe | C:\Windows\explorer.exe | john.doe | d4e5f6g7h8i9 |
| 1746054500000 | ProcessRollup2 | 4571 | powershell.exe -nologo | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | system | e5f6g7h8i9j0 |

Step-by-Step

  1. Starting with the source repository events.

  2. Query flow: Events -> [Preamble] -> Filter -> Result Set

    ```logscale
    setTimeInterval(start=1746054000000, end=1746780124517)
    ```

    Sets a time interval in raw epoch time to start at 1746054000000 and end at 1746780124517. The timestamps are Unix epoch milliseconds, so this window runs from 2025-04-30T23:00:00Z to 2025-05-09T08:42:04.517Z; a value given in seconds instead of milliseconds would land in January 1970 and match nothing.

    Searches within the specified time period.

  3. Query flow: Events -> Preamble -> [Filter] -> Result Set

    ```logscale
    | "#event_simpleName" = ProcessRollup2
    ```

    Filters for events where the value of the event_simpleName field is ProcessRollup2. The leading # marks event_simpleName as a tag field in LogScale. ProcessRollup2 events represent process execution/creation events in CrowdStrike Falcon telemetry.

  4. Event Result set.
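The following is an added example, not code from the LogScale documentation or from CrowdStrike. It is a small offline model of what the two-stage query above does: it converts the raw epoch-millisecond bounds passed to setTimeInterval() into UTC timestamps so the window can be sanity-checked before the query is run, then applies the time window followed by the #event_simpleName filter to constructed sample events modelled on the page's table, plus two extra constructed rows that fall outside the window. Treating the end bound as exclusive is an assumption of this model, not a statement about LogScale's own interval semantics, and the helper names are made up for the example.

```python
"""Offline model of: setTimeInterval(start=..., end=...) | "#event_simpleName" = ProcessRollup2

Added example, not part of the LogScale documentation. The events below are
constructed sample data; the end-exclusive window is an assumption of this model.
"""
from datetime import datetime, timedelta, timezone

START_MS = 1746054000000  # same raw epoch-millisecond bounds as the page's query
END_MS = 1746780124517

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def epoch_ms_to_utc(ms: int) -> str:
    """Render an epoch-millisecond value as an ISO 8601 UTC string.

    Integer arithmetic via timedelta avoids the float rounding that
    datetime.fromtimestamp(ms / 1000) can introduce on the millisecond part.
    """
    dt = EPOCH + timedelta(milliseconds=ms)
    return dt.isoformat(timespec="milliseconds").replace("+00:00", "Z")


def check_interval(start_ms: int, end_ms: int) -> None:
    """Reject obviously wrong bounds: reversed, or given in seconds instead of ms."""
    if start_ms >= end_ms:
        raise ValueError(f"start {start_ms} is not before end {end_ms}")
    # Anything below ~1e12 ms is before Sept 2001; for Falcon telemetry that almost
    # always means the caller passed seconds rather than milliseconds.
    if start_ms < 1_000_000_000_000:
        raise ValueError(f"start {start_ms} looks like epoch seconds, not milliseconds")


def in_interval(ts_ms: int, start_ms: int = START_MS, end_ms: int = END_MS) -> bool:
    """Time-window test: start inclusive, end exclusive (modelling assumption)."""
    return start_ms <= ts_ms < end_ms


def run_query(events, start_ms: int = START_MS, end_ms: int = END_MS,
              event_type: str = "ProcessRollup2"):
    """Apply the preamble (time window) first, then the #event_simpleName filter."""
    check_interval(start_ms, end_ms)
    in_window = [e for e in events if in_interval(e["@timestamp"], start_ms, end_ms)]
    return [e for e in in_window if e["#event_simpleName"] == event_type]


# Constructed sample data modelled on the page's table (first five rows), plus two
# constructed rows outside the window so the time filter has something to reject.
SAMPLE_EVENTS = [
    {"@timestamp": 1746054100000, "#event_simpleName": "ProcessRollup2", "ProcessId": 4567,
     "CommandLine": "/usr/bin/python3 script.py", "UserName": "john.doe"},
    {"@timestamp": 1746054200000, "#event_simpleName": "ProcessRollup2", "ProcessId": 4568,
     "CommandLine": "notepad.exe file.txt", "UserName": "jane.smith"},
    {"@timestamp": 1746054300000, "#event_simpleName": "ProcessRollup2", "ProcessId": 4569,
     "CommandLine": "cmd.exe /c dir", "UserName": "admin.user"},
    {"@timestamp": 1746054400000, "#event_simpleName": "ImageLoadv2", "ProcessId": 4570,
     "CommandLine": "explorer.exe", "UserName": "john.doe"},
    {"@timestamp": 1746054500000, "#event_simpleName": "ProcessRollup2", "ProcessId": 4571,
     "CommandLine": "powershell.exe -nologo", "UserName": "system"},
    # 1 ms before the start bound: dropped by the preamble, never reaches the filter.
    {"@timestamp": 1746053999999, "#event_simpleName": "ProcessRollup2", "ProcessId": 4566,
     "CommandLine": "sh -c id", "UserName": "john.doe"},
    # exactly at the end bound: dropped under this model's end-exclusive assumption.
    {"@timestamp": 1746780124517, "#event_simpleName": "ProcessRollup2", "ProcessId": 4572,
     "CommandLine": "whoami", "UserName": "admin.user"},
]


def matched_pids(events=SAMPLE_EVENTS):
    """ProcessId values the modelled query returns, in event order."""
    return [e["ProcessId"] for e in run_query(events)]


if __name__ == "__main__":
    print(f"window: {epoch_ms_to_utc(START_MS)} .. {epoch_ms_to_utc(END_MS)}")
    for e in run_query(SAMPLE_EVENTS):
        print(epoch_ms_to_utc(e["@timestamp"]), e["ProcessId"], e["CommandLine"])
```

Printing the converted window first is the check worth keeping: a start value accidentally supplied in seconds is immediately visible as a 1970 date, which is the most common reason a setTimeInterval() query returns nothing.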

Summary and Results

The query returns only ProcessRollup2 events that occurred during a specific timeframe defined as Unix epoch milliseconds.

This query demonstrates how to use setTimeInterval() to define the timespan in epoch time from within the query instead of through the QueryJobs API or UI.

For an example of using relative time, see Set Relative Time Interval From Within Query.

Sample output from the incoming example data:

| timestamp | event_simpleName | ProcessId | CommandLine | ImageFileName | UserName | aid |
|---|---|---|---|---|---|---|
| 1746054100000 | ProcessRollup2 | 4567 | /usr/bin/python3 script.py | /usr/bin/python3 | john.doe | a1b2c3d4e5f6 |
| 1746054200000 | ProcessRollup2 | 4568 | notepad.exe file.txt | C:\Windows\notepad.exe | jane.smith | b2c3d4e5f6g7 |
| 1746054300000 | ProcessRollup2 | 4569 | cmd.exe /c dir | C:\Windows\System32\cmd.exe | admin.user | c3d4e5f6g7h8 |
| 1746054500000 | ProcessRollup2 | 4571 | powershell.exe -nologo | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | system | e5f6g7h8i9j0 |

The query returns only rows 1, 2, 3, and 5, since row 4 has a different event_simpleName (ImageLoadv2). All five sample timestamps fall inside the interval, so in this data set only the event_simpleName filter removes anything.