https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-incident-count-doesn-t-match-ui-incident-count-same-date/m-p/1226915#M8240 <P class="" data-start="248" data-end="260">Hi everyone,</P> <P class="" data-start="262" data-end="370">I’m working on a report using Cortex XQL to count incidents created between <STRONG data-start="338" data-end="369">March 15 and March 31, 2025</STRONG>.</P> <P class="" data-start="262" data-end="370">&nbsp;</P> <P class="" data-start="372" data-end="399">Here’s the query I’m using:</P> <LI-CODE lang="markup">config timeframe between "2025-03-15 00:00:00" and "2025-03-31 23:59:59" | dataset = incidents | filter creation_time &gt;= "2025-03-15 00:00:00" and creation_time &lt; "2025-03-31 23:59:59" | fields incident_id, creation_time </LI-CODE> <P class="" data-start="771" data-end="814">However, I’m getting <STRONG data-start="792" data-end="813">different results</STRONG>:</P> <UL data-start="815" data-end="889"> <LI class="" data-start="815" data-end="857"> <P class="" data-start="817" data-end="857"><STRONG data-start="817" data-end="839">XQL query returns:</STRONG> <SPAN>2,293</SPAN>&nbsp;incidents</P> </LI> <LI class="" data-start="858" data-end="889"> <P class="" data-start="860" data-end="889"><STRONG data-start="860" data-end="873">UI shows:</STRONG> 2,347 incidents</P> </LI> </UL> <P class="" data-start="1118" data-end="1284"><STRONG data-start="1120" data-end="1216">Why would the XQL return less incidents than the UI, even with the same creation time range?</STRONG><BR data-start="1216" data-end="1219" />Are there hidden filters in the UI or something else I'm missing?</P> <P class="" data-start="1286" data-end="1316">Any help would be appreciated!</P> Sun, 20 Apr 2025 10:02:07 GMT Chamindu 2025-04-20T10:02:07Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-incident-count-doesn-t-match-ui-incident-count-same-date/m-p/1226915#M8240 <P class="" data-start="248" data-end="260">Hi everyone,</P> <P class="" data-start="262" data-end="370">I’m working on a report using Cortex XQL to count incidents created between <STRONG data-start="338" data-end="369">March 15 and March 31, 2025</STRONG>.</P> <P class="" data-start="262" data-end="370">&nbsp;</P> <P class="" data-start="372" data-end="399">Here’s the query I’m using:</P> <LI-CODE lang="markup">config timeframe between "2025-03-15 00:00:00" and "2025-03-31 23:59:59" | dataset = incidents | filter creation_time &gt;= "2025-03-15 00:00:00" and creation_time &lt; "2025-03-31 23:59:59" | fields incident_id, creation_time </LI-CODE> <P class="" data-start="771" data-end="814">However, I’m getting <STRONG data-start="792" data-end="813">different results</STRONG>:</P> <UL data-start="815" data-end="889"> <LI class="" data-start="815" data-end="857"> <P class="" data-start="817" data-end="857"><STRONG data-start="817" data-end="839">XQL query returns:</STRONG> <SPAN>2,293</SPAN>&nbsp;incidents</P> </LI> <LI class="" data-start="858" data-end="889"> <P class="" data-start="860" data-end="889"><STRONG data-start="860" data-end="873">UI shows:</STRONG> 2,347 incidents</P> </LI> </UL> <P class="" data-start="1118" data-end="1284"><STRONG data-start="1120" data-end="1216">Why would the XQL return less incidents than the UI, even with the same creation time range?</STRONG><BR data-start="1216" data-end="1219" />Are there hidden filters in the UI or something else I'm missing?</P> <P class="" data-start="1286" data-end="1316">Any help would be appreciated!</P> Sun, 20 Apr 2025 10:02:07 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-incident-count-doesn-t-match-ui-incident-count-same-date/m-p/1226915#M8240 Chamindu 2025-04-20T10:02:07Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-incident-count-doesn-t-match-ui-incident-count-same-date/m-p/1227537#M8263 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/320316">@Chamindu</a>&nbsp;,</P> <UL data-start="166" data-end="375"> <LI class="" data-start="166" data-end="266"> <P class="" data-start="168" data-end="266"><STRONG data-start="168" data-end="183">UI Behavior</STRONG>: <SPAN class="relative -mx-px my-[-0.2rem] rounded px-px py-[0.2rem] transition-colors duration-100 ease-in-out">The Cortex XDR UI filters incidents based on the <CODE data-start="49" data-end="56">_time</CODE> field, which represents the last update time of an incident. This means that incidents created before your specified date range but updated within it will still appear in the UI results.</SPAN>​</P> </LI> <LI class="" data-start="268" data-end="375"> <P class="" data-start="270" data-end="375"><STRONG data-start="270" data-end="292">XQL Query Behavior</STRONG>: <SPAN class="relative -mx-px my-[-0.2rem] rounded px-px py-[0.2rem] transition-colors duration-100 ease-in-out">Your XQL query filters incidents based on the <CODE data-start="46" data-end="61">creation_time</CODE> field, capturing only those incidents that were created within the specified timeframe. This approach excludes incidents that were created earlier but updated during your date range.</SPAN>​</P> </LI> </UL> <P class="" data-start="526" data-end="570">To align your XQL query results with the UI:</P> <OL data-start="572" data-end="1064"> <LI class="" data-start="572" data-end="938"> <P class="" data-start="575" data-end="688"><STRONG data-start="575" data-end="601">Adjust the Time Filter</STRONG>: <SPAN class="relative -mx-px my-[-0.2rem] rounded px-px py-[0.2rem] transition-colors duration-100 ease-in-out">Modify your XQL query to filter based on the <CODE data-start="45" data-end="52">_time</CODE> field instead of <CODE data-start="70" data-end="85">creation_time</CODE>. This change will include incidents that were updated within your specified date range, matching the UI behavior.</SPAN>​</P> <P class="" data-start="693" data-end="711"><STRONG data-start="693" data-end="710">Updated Query</STRONG>:</P> <DIV class="contain-inline-size rounded-md border-[0.5px] border-token-border-medium relative bg-token-sidebar-surface-primary"> <DIV class="flex items-center text-token-text-secondary px-4 py-2 text-xs font-sans justify-between h-9 bg-token-sidebar-surface-primary dark:bg-token-main-surface-secondary select-none rounded-t-[5px]">&nbsp;</DIV> <DIV class="overflow-y-auto p-4" dir="ltr"><CODE class="whitespace-pre! language-xql"><SPAN>config timeframe between "2025-03-15 00:00:00" and "2025-03-31 23:59:59" | dataset = incidents | filter _time &gt;= "2025-03-15 00:00:00" and _time &lt;= "2025-03-31 23:59:59" | fields incident_id, _time </SPAN></CODE></DIV> </DIV> </LI> <LI class="" data-start="940" data-end="1064"> <P class="" data-start="943" data-end="1064"><STRONG data-start="943" data-end="977">Clarify Reporting Requirements</STRONG>: <SPAN class="relative -mx-px my-[-0.2rem] rounded px-px py-[0.2rem] transition-colors duration-100 ease-in-out">If your reporting needs specifically require incidents based on their creation time, continue using the <CODE data-start="104" data-end="119">creation_time</CODE> filter. However, be aware that this will result in a lower count compared to the UI, which includes updated incidents.</SPAN></P> </LI> </OL> <P>&nbsp;</P> <P><SPAN class="relative -mx-px my-[-0.2rem] rounded px-px py-[0.2rem] transition-colors duration-100 ease-in-out"><SPAN>If you feel this has answered your query, please let us know by clicking like and&nbsp; on "mark this as a Solution". Thank you.</SPAN></SPAN></P> Mon, 28 Apr 2025 09:53:25 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/xql-incident-count-doesn-t-match-ui-incident-count-same-date/m-p/1227537#M8263 aspatil 2025-04-28T09:53:25Z