Timespan without a sequence

ima · June 18, 2021, 10:11am

hello guys, is there any other way to define a timespan without using sequence in eql rules creation

spong · June 24, 2021, 11:41pm

Hey there @ima!

So you can also use the ES Query DSL to constrain by time.

e.g.

GET /my-data-stream/_eql/search
{
  "filter": {
    "range": {
      "@timestamp": {
        "gte": "now-1d/d",
        "lt": "now/d"
      }
    }
  },
  "query": """
    file where (file.type == "file" and file.name == "cmd.exe")
  """
}

If this isn't exactly what you're looking for, could you provide a little more detail into the type of EQL query you're trying to write?

Cheers!
Garrrett

Topic		Replies	Views
Eql with time range Elasticsearch eql-elastic-query-language	1	281	December 10, 2023
EQL Search by timestamp Elastic Security eql-elastic-query-language	1	322	October 27, 2021
EQL query help SIEM eql-elastic-query-language	1	428	November 15, 2021
ESQL Specifiy time filter Elastic Search esql	4	583	January 10, 2025
Time elapsed between two events with EQL (and then use that in a visualization) Elasticsearch runtime-fields , eql-elastic-query-language	1	567	January 14, 2022

Timespan without a sequence

Related topics