Timespan without a sequence

ima · June 18, 2021, 10:11am

hello guys, is there any other way to define a timespan without using sequence in eql rules creation

spong · June 24, 2021, 11:41pm

Hey there @ima!

So you can also use the ES Query DSL to constrain by time.

e.g.

GET /my-data-stream/_eql/search
{
  "filter": {
    "range": {
      "@timestamp": {
        "gte": "now-1d/d",
        "lt": "now/d"
      }
    }
  },
  "query": """
    file where (file.type == "file" and file.name == "cmd.exe")
  """
}

If this isn't exactly what you're looking for, could you provide a little more detail into the type of EQL query you're trying to write?

Cheers!
Garrrett

system · July 22, 2021, 11:41pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Eql with time range Elasticsearch eql-elastic-query-language	1	202	December 10, 2023
EQL: Get only one match (no overlap) Elastic Security eql-elastic-query-language	1	278	October 21, 2022
EQL Search by timestamp Elastic Security eql-elastic-query-language	1	280	October 27, 2021
Aggregate on a sequence item in EQL Elasticsearch	2	347	January 18, 2021
EQL query help SIEM eql-elastic-query-language	1	407	November 15, 2021

Timespan without a sequence

Related topics