Best answer by danielburn5
I’m not sure if you are wanting to set a time range when executing an LQL query (to restrict the time frame in which the query is executed) or use time ranges within a query itself so I will try to cover both.
Working with time ranges within a query is made easier by some of the native LQL functions, which are documented here.
For example, you could get the current time as an epoch millisecond timestamp using the current_timestamp_ms() function. If you wanted to validate something against a date range, you could combine functions and do something like this:
diff_days(RESOURCE_CONFIG:time_created::Timestamp, ms_to_timestamp(current_timestamp_ms())) > 90
The above example is: RESOURCE_CONFIG:time_created to a Timestamp to satisfy the diff_days function where RESOURCE_CONFIG:time_created is an example attribute that you might find within a record from your Lacework data source.
If using the API to run a query you can pass in an RFC 3339 using the StartTimeRange and EndTimeRange parameters: 2023-07-19T00:00:00.000Z.
^((?:(\d{4}-\d{2}-\d{2})T(\d{2}:\d{2}:\d{2}(?:\.\d+)?))(Z|[\+-]\d{2}:\d{2})?)$
An example API call utilising these parameters in a call to the query execute endpoint using curl might look like this:
curl --location 'https://examplecustomer.lacework.net/api/v2/Queries/MyExampleQuery/execute' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer 11111111' \
--data '{
"arguments": [
{"name": "StartTimeRange", "value": "2023-07-18T00:00:00.000Z"},
{"name": "EndTimeRange", "value": "2023-07-19T00:00:00.000Z"}
]
}'
If using the CLI (which I prefer, personally), it adds some handy relative time specifiers to make things easier. It’s well documented here but to give an example, you could specify a time range of the last 12 hours for your query execution by simply passing --start -12h to your command.
For example:
lacework query run my-awesome-query --start -12h
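Added example, not part of the original answer and not Lacework's own code: a Python sketch that turns a relative window into the StartTimeRange and EndTimeRange arguments for the API body shown in the curl call, checking each value against the pattern quoted in the answer. The helper names and the simplified offset syntax (only -<N>m, -<N>h, -<N>d) are assumptions for illustration; it is not the CLI's own relative-time parser.

```python
import json
import re
from datetime import datetime, timedelta, timezone

# Pattern quoted in the answer above for RFC 3339 values.
RFC3339_RE = re.compile(
    r"^((?:(\d{4}-\d{2}-\d{2})T(\d{2}:\d{2}:\d{2}(?:\.\d+)?))(Z|[\+-]\d{2}:\d{2})?)$"
)

_UNITS = {"m": "minutes", "h": "hours", "d": "days"}


def to_rfc3339(ts: datetime) -> str:
    """Format an aware datetime as UTC with millisecond precision and a Z suffix."""
    if ts.tzinfo is None:
        # A naive value would silently be read as local time; refuse it.
        raise ValueError("naive datetime: attach a timezone first")
    ts = ts.astimezone(timezone.utc)
    return ts.strftime("%Y-%m-%dT%H:%M:%S.") + f"{ts.microsecond // 1000:03d}Z"


def parse_offset(spec: str) -> timedelta:
    """Hypothetical helper: accepts only '-<N>m', '-<N>h' or '-<N>d'."""
    m = re.fullmatch(r"-(\d+)([mhd])", spec)
    if not m:
        raise ValueError(f"unsupported offset: {spec!r}")
    return timedelta(**{_UNITS[m.group(2)]: int(m.group(1))})


def build_arguments(start_offset: str, now: datetime) -> dict:
    """Return the request body for a window that ends at `now`."""
    end = to_rfc3339(now)
    start = to_rfc3339(now - parse_offset(start_offset))
    for value in (start, end):
        if not RFC3339_RE.match(value):
            raise ValueError(f"not RFC 3339: {value}")
    return {
        "arguments": [
            {"name": "StartTimeRange", "value": start},
            {"name": "EndTimeRange", "value": end},
        ]
    }


if __name__ == "__main__":
    # Constructed clock value so the printed body is reproducible.
    fixed_now = datetime(2023, 7, 19, 0, 0, 0, tzinfo=timezone.utc)
    print(json.dumps(build_arguments("-12h", fixed_now), indent=2))
```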