
XQL query between 2 dates


L2 Linker

Hi,

 

I want to query a specific number of events between 2 dates.

 

I have this query below, but it is missing the "between current_date and last 5 minutes"

dataset = fortinet_fortiauthenticator_vm_raw | filter deviceSeverity != "information" | filter deviceSeverity != "notice" | filter deviceSeverity = "warning"
| comp count(msg) as counter
| filter counter > 5

 

Could you help, please?

 

Regards,

 

1 accepted solution

Accepted Solutions

L4 Transporter

FabioFerreira,

 

You can use the config stage command to specify a timeframe like so...

 

config timeframe = 5m
| dataset = fortinet_fortiauthenticator_vm_raw | filter deviceSeverity != "information" | filter deviceSeverity != "notice" | filter deviceSeverity = "warning"
| comp count(msg) as counter
| filter counter > 5

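The original question asked for a fixed window between two dates rather than the rolling 5-minute window in the accepted answer. This is an added example, not code from either poster; it assumes the XQL `config timeframe between "..." and "..."` form takes `YYYY-MM-DD HH:MM:SS +TZ` strings, and the dates themselves are placeholders.

```xql
// Added example (not from the thread): same warning count as the accepted answer,
// but bounded to an explicit date range instead of the rolling 5m window, and
// bucketed into 5-minute bins so the "> 5 warnings in 5 minutes" check is
// evaluated per window rather than once over the whole range.
// Assumption: "between" takes "YYYY-MM-DD HH:MM:SS +TZ" strings; dates are placeholders.
config timeframe between "2024-05-01 00:00:00 +00:00" and "2024-05-02 00:00:00 +00:00"
| dataset = fortinet_fortiauthenticator_vm_raw
| filter deviceSeverity = "warning"      // already excludes "information" and "notice"
| bin _time span = 5m                     // round each event's _time down to a 5-minute bucket
| comp count(msg) as counter by _time     // warnings per 5-minute bucket
| filter counter > 5                      // keep only buckets that breach the threshold
| sort desc counter
```

Dropping the `bin` stage gives a single count for the whole date range, which is what the original query computes.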

2 REPLIES 2

L0 Member

Hi everyone,

 

I need your help. I want to create a new rule about FW action. Actually, my new rule's purpose is: if there are a lot of FW action drops and then an FW allow within 5 minutes. But I don't know how I can create this. Below is just the L2L drop logs.

 

dataset = panw_ngfw_traffic_raw
| filter source_ip incidr "172.16.0.0/12" or source_ip incidr "192.168.0.0/16" or source_ip incidr "10.0.0.0/8"
| filter dest_ip incidr "172.16.0.0/12" or dest_ip incidr "192.168.0.0/16" or dest_ip incidr "10.0.0.0/8"
| comp count(action) as action_count by source_ip, action, dest_ip
| dedup source_ip
| filter action_count > 1000 and action = "drop"
