https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/group-events-with-xql-bin-stage/m-p/598890#M7237 <P>I have tried you query, and in my case it also showed incorrect numbers.</P> <P>I have added the timeshift and my timezone and it worked well:</P> <P>&nbsp;</P> <P>config timeframe = 30d<BR />| dataset = incidents <BR />| sort desc creation_time<BR />| bin creation_time span = 1D timeshift = 1615353499 timezone = "-3:00"<BR />| comp count(creation_time ) as incidents_by_day by creation_time</P> <P>&nbsp;</P> <P>Take a look at this <A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/Bin" target="_self">documentation</A> statement: <EM>"The query still runs without defining the epoch time or time zone. If no&nbsp;<CODE class="code hljs language-ini"><SPAN class="hljs-attr">timeshift</SPAN>&nbsp;= &lt;epoch time&gt; timezone =&nbsp;<SPAN class="hljs-string">"&lt;time zone&gt;"</SPAN></CODE>&nbsp;is set, the query runs according to last time set in the log."</EM></P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 26 Sep 2024 17:58:55 GMT jmazzeo 2024-09-26T17:58:55Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/group-events-with-xql-bin-stage/m-p/598851#M7227 <P>Hi everyone</P> <P>&nbsp;</P> <P>I try to count some events per day and used the bin stage to do this. It does work to group the events together but the time is wrong. For example an event at 00:30 will count for the day before (probably because of the timezone). I tried different configurations with the optional parameter timeshift and timezone but I'm not able to get it working.</P> <P>&nbsp;</P> <P>Does anyone know how set the timeshift and timezone parameter correct so the event are grouped together correctly?</P> Thu, 26 Sep 2024 12:37:01 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/group-events-with-xql-bin-stage/m-p/598851#M7227 micomi 2024-09-26T12:37:01Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/group-events-with-xql-bin-stage/m-p/598873#M7232 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/41187">@micomi</a>, thanks for reaching us using the Live Community.</P> <P>&nbsp;</P> <P>Can you share an example of the XQL query? Please obfuscate any sensitive content.</P> Thu, 26 Sep 2024 15:38:46 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/group-events-with-xql-bin-stage/m-p/598873#M7232 jmazzeo 2024-09-26T15:38:46Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/group-events-with-xql-bin-stage/m-p/598879#M7234 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/310428">@jmazzeo</a>&nbsp;</P> <P>&nbsp;</P> <P>Sure, this is a simple query to show the incident per day.</P> <P>&nbsp;</P> <PRE>config timeframe = 30d<BR />| dataset = incidents <BR />| sort desc creation_time<BR />| bin creation_time span = 1D<BR />| comp count(creation_time ) as incidents_by_day by creation_time </PRE> <P>With this i get these results:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="micomi_0-1727368567609.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/62422i3766CF6A887F32D8/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="micomi_0-1727368567609.png" alt="micomi_0-1727368567609.png" /></span></P> <P>The issue is that i groups the incidents by 2 o'clock am. But I want to group per day, from midnight to midnight.</P> <P>The numbers in screenshot aren't correct. The correct numbers should be:</P> <P>26.09 &gt; 4<BR />25.09 &gt; 4<BR />24.09 &gt; 5</P> <P>You can check it yourself with this screenshot:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="micomi_1-1727368690643.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/62423iC61765F7C3836816/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="micomi_1-1727368690643.png" alt="micomi_1-1727368690643.png" /></span></P> <P>The issue are those incidents which were generated shortly after midnight.</P> <P>Any ideas?</P> <P>&nbsp;</P> Thu, 26 Sep 2024 16:38:42 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/group-events-with-xql-bin-stage/m-p/598879#M7234 micomi 2024-09-26T16:38:42Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/group-events-with-xql-bin-stage/m-p/598890#M7237 <P>I have tried you query, and in my case it also showed incorrect numbers.</P> <P>I have added the timeshift and my timezone and it worked well:</P> <P>&nbsp;</P> <P>config timeframe = 30d<BR />| dataset = incidents <BR />| sort desc creation_time<BR />| bin creation_time span = 1D timeshift = 1615353499 timezone = "-3:00"<BR />| comp count(creation_time ) as incidents_by_day by creation_time</P> <P>&nbsp;</P> <P>Take a look at this <A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/Bin" target="_self">documentation</A> statement: <EM>"The query still runs without defining the epoch time or time zone. If no&nbsp;<CODE class="code hljs language-ini"><SPAN class="hljs-attr">timeshift</SPAN>&nbsp;= &lt;epoch time&gt; timezone =&nbsp;<SPAN class="hljs-string">"&lt;time zone&gt;"</SPAN></CODE>&nbsp;is set, the query runs according to last time set in the log."</EM></P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 26 Sep 2024 17:58:55 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/group-events-with-xql-bin-stage/m-p/598890#M7237 jmazzeo 2024-09-26T17:58:55Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/group-events-with-xql-bin-stage/m-p/598958#M7239 <P>I don't get it to work. What value should I choose for timeshift?</P> <P>For the timezone I use a CEST timezone but it still doesn't work. Same behaviour as before.</P> Fri, 27 Sep 2024 11:28:15 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/group-events-with-xql-bin-stage/m-p/598958#M7239 micomi 2024-09-27T11:28:15Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/group-events-with-xql-bin-stage/m-p/598996#M7243 <P>You need to use the same timeshift value that shows the documentation:&nbsp;<SPAN>1615353499</SPAN></P> Fri, 27 Sep 2024 15:50:24 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/group-events-with-xql-bin-stage/m-p/598996#M7243 jmazzeo 2024-09-27T15:50:24Z