When I’m building dashboards to display numerical values over time on a YARA-L/native dashboard (line chart, bar chart, etc.), I encounter an issue where the first day appears to be off trend because the full day of data is not captured.
i.e., if I set the filters to “Last 7 Days”, then “Today - 7” and “Today” are inclusive, although they are not “full days”.
With Looker/legacy dashboards, there was an ability to filter on “complete days” (complete hours, complete months, etc.).
Is there a way to set the YARA-L query or the dashboard filters to account for only complete days?
I think in the past I resolved this gap by creating a custom time filter and using the "hours" option. For example, instead of selecting 1 day, try using 24 hours; instead of 7 days, use 168 hours.
Another method is to filter events based on their date within your YARA-L query. The standard "Global Time Filter" in Google Security Operations dashboards allows you to select relative time ranges (e.g., "Past 7 days") or absolute ranges, but it doesn't have a specific built-in option to "exclude the current day" or "only include full days." Relative time ranges typically include the current partial day.
To ensure you are only analyzing complete days, you can implement date comparison logic directly within your YARA-L queries for the dashboard charts.
Here’s how you can do it:
Get the Event Date: Use the timestamp.get_date() function to extract the date string from the event's timestamp (e.g., metadata.event_timestamp.seconds).
Get the Current Date: Use timestamp.current_seconds() to get the current Unix timestamp and convert that to a date string using timestamp.get_date().
Compare the Dates: Include events only where the event date is before the current date. Since timestamp.get_date() returns the date in YYYY-MM-DD format, string comparison works correctly for this.
Here’s an example of the filtering line you would add to the events section or as a standalone filter statement in a dashboard query:
// Assuming UTC timezone for comparison. Adjust timezone string if needed.
timestamp.get_date(metadata.event_timestamp.seconds, "UTC") < timestamp.get_date(timestamp.current_seconds(), "UTC")
Example in a Dashboard Query:
// Example: Count events per day, excluding today
// Filter out events from the current day
timestamp.get_date(metadata.event_timestamp.seconds, "UTC") < timestamp.get_date(timestamp.current_seconds(), "UTC")
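As an added illustration (not code from the original post, from Google Security Operations, or from YARA-L itself), here is a small Python mock of the two functions the answer relies on, timestamp.get_date() and timestamp.current_seconds(), applied to constructed hourly events. It shows why a relative “Last 7 days” window (or the equivalent 168-hour window) produces partial buckets at both ends, how the YYYY-MM-DD string comparison above drops the current partial day, and, going one step beyond the answer, how pushing the window start back to midnight makes the first bucket a full day as well. The function names, the NOW_TS constant and the sample timestamps are all assumptions of this example.

```python
"""
Constructed example: partial days in a relative dashboard window and the
complete-day date comparison. Pure Python mock; not Google SecOps or YARA-L code.
"""
from collections import Counter
from datetime import datetime, timezone


def get_date(ts_seconds: int, tz=timezone.utc) -> str:
    """Mock of YARA-L timestamp.get_date(seconds, "UTC"): Unix seconds -> 'YYYY-MM-DD'.
    The tz argument plays the role of the timezone string in the real function."""
    return datetime.fromtimestamp(ts_seconds, tz).strftime("%Y-%m-%d")


def is_complete_day_event(event_ts: int, now_ts: int, tz=timezone.utc) -> bool:
    """The filter line from the answer as a predicate.
    Plain string comparison is valid because YYYY-MM-DD is fixed width and
    most-significant-first, so lexicographic order equals chronological order."""
    return get_date(event_ts, tz) < get_date(now_ts, tz)


# Constructed "current time" (stands in for timestamp.current_seconds()).
NOW_TS = int(datetime(2024, 6, 10, 14, 30, tzinfo=timezone.utc).timestamp())


def build_hourly_events(now_ts: int, hours: int = 240) -> list[int]:
    """Constructed sample data: one event on every hour boundary for the last `hours` hours."""
    top_of_hour = now_ts - (now_ts % 3600)
    return [top_of_hour - h * 3600 for h in range(hours)]


EVENTS = build_hourly_events(NOW_TS)


def daily_counts(events, now_ts, window_hours=168, exclude_today=False,
                 align_start=False, tz=timezone.utc):
    """Bucket events per calendar day the way a dashboard line chart would.

    window_hours:  the relative filter ("Last 7 days" and "168 hours" are the same window).
    exclude_today: apply the answer's date predicate, dropping the current partial day.
    align_start:   move the window start back to midnight so the first day is complete too.
    """
    start = now_ts - window_hours * 3600
    if align_start:
        start_dt = datetime.fromtimestamp(start, tz).replace(
            hour=0, minute=0, second=0, microsecond=0)
        start = int(start_dt.timestamp())
    counts = Counter()
    for ts in events:
        if ts < start or ts > now_ts:
            continue                       # outside the dashboard's time filter
        if exclude_today and not is_complete_day_event(ts, now_ts, tz):
            continue                       # today's partial day removed
        counts[get_date(ts, tz)] += 1
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    print("relative window:      ", daily_counts(EVENTS, NOW_TS))
    print("exclude today:        ", daily_counts(EVENTS, NOW_TS, exclude_today=True))
    print("exclude today+aligned:", daily_counts(EVENTS, NOW_TS, exclude_today=True, align_start=True))
```

With the constructed data the relative window returns 9 events for the first day and 15 for the current day (the two off-trend points), the date predicate removes the current day only, and aligning the window start gives seven buckets of 24. In the real dashboard, the predicate is the query-side part; the first-day gap is closed by widening the time filter so it starts at or before the earliest midnight you want charted. Keep the timezone string in both timestamp.get_date() calls identical, otherwise the two dates can differ around midnight.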