From 7ee3017b3dcdb770e19a3264505baf4557e0e07d Mon Sep 17 00:00:00 2001 From: arane26 <83054468+arane26@users.noreply.github.com> Date: Thu, 12 Dec 2024 08:43:30 -0800 Subject: [PATCH] [Cloud Security-S&I] RQL Operators (#1022) * [Cloud Security-S&I] RQL Operators * note update * rephrased note --- .../search-and-investigate/rql-operators.adoc | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/docs/en/enterprise-edition/content-collections/search-and-investigate/rql-operators.adoc b/docs/en/enterprise-edition/content-collections/search-and-investigate/rql-operators.adoc index dcca725a2a..525e509c00 100644 --- a/docs/en/enterprise-edition/content-collections/search-and-investigate/rql-operators.adoc +++ b/docs/en/enterprise-edition/content-collections/search-and-investigate/rql-operators.adoc @@ -648,13 +648,16 @@ GSON/AWS: "Nov 7, 2016 9:34:21 AM" ISO: "2011-12-04T10:15:30+01:00" -The query time ranges that are available are `_DateTime.ageInDays` , `_DateTime.ageInMonths` , `_DateTime.ageInYears` , and `_DateTime.daysBetween` . The `_DateTime.daysBetween` function looks for any information that falls in between two dates and takes two dates as arguments. +The query time ranges that are available are `_DateTime.ageInDays` , `_DateTime.ageInMonths` , `_DateTime.ageInYears` , and `_DateTime.daysBetween` . The `_DateTime.daysBetween` function looks for any information that falls in between two dates and takes two dates as arguments. For example, the `_DateTime.ageInDays` returns the number of days until a date as a negative number. + [NOTE] ==== -When using the _DateTime function all json parameters are available as auto-complete options, you must select only parameters that have timestamps. Also, the syntax for a function does not support spaces. Remove empty spaces before or after parenthesis, and between comma-separated parameters. +* For your query to work properly, ensure RQL json.rule functions are wrapped in single quotes (``). If single quotes are not added, the RQL will not be valid and cannot be executed. + +* When using the _DateTime function all json parameters are available as auto-complete options, you must select only parameters that have timestamps. The syntax for a function does not support spaces, so make sure to remove empty spaces before or after parenthesis, and also between comma-separated parameters. ==== [cols="49%a,51%a"]