Skip to main content
Question

pin date to full day in YARA-L/native dashboards

  • September 18, 2025
  • 3 replies
  • 60 views
jdavisson_CYD
Forum|alt.badge.img+2

When I’m building dashboards to display numerical values over time on a YARA-L/native dashboard (line chart, bar chart, etc.), I encounter an issue where the first day appears to be off trend because the full day of data is not captured.

i.e. if I set the filters to “Last 7 Days”, then “Today - 7” and “Today” are inclusive, although they are not “full days” 

 

With Looker/legacy dashboards, there was an ability to filter on “complete days” , (complete hours, complete months, etc.)

 

Is there a way to set the YARA-L query or the dashboard filters to account for only complete days?

 

--

e.g. if I want to plot $Date against $var_count :

 

(event:) 

...

$Date = timestamp.get_date(metadata.ingested_timestamp.seconds)

match:

$Date

outcome:

$var_count = count_distinct($var)

3 replies

Eoved
Forum|alt.badge.img+8
  • EovedBronze 1
  • Bronze 1
  • September 19, 2025

Hi,

I think in the past i resolved this gap by creating a custom time filter and using the "hours" option.
For example, instead of selecting 1 day, try using 24 hours; instead of 7 days, use 168 hours.

 

 

K
Staff
Forum|alt.badge.img
  • kobydayo
  • Staff
  • September 21, 2025

Another  method is to filter events based on their date within your YARA-L query. The standard "Global Time Filter" in Google Security Operations dashboards allows you to select relative time ranges (e.g., "Past 7 days") or absolute ranges, but it doesn't have a specific built-in option to "exclude the current day" or "only include full days." Relative time ranges typically include the current partial day.

To ensure you are only analyzing complete days, you can implement date comparison logic directly within your YARA-L queries for the dashboard charts.

Here’s how you can do it:

  1. Get the Event Date: Use the timestamp.get_date() function to extract the date string from the event's timestamp (e.g., metadata.event_timestamp.seconds).
  2. Get the Current Date: Use timestamp.current_seconds() to get the current Unix timestamp and convert that to a date string using timestamp.get_date().
  3. Compare the Dates: Include events only where the event date is before the current date. Since timestamp.get_date() returns the date in YYYY-MM-DD format, string comparison works correctly for this.

Here’s an example of the filtering line you would add to the events section or as a standalone filter statement in a dashboard query:

// Assuming UTC timezone for comparison. Adjust timezone string if needed. timestamp.get_date(metadata.event_timestamp.seconds, "UTC") < timestamp.get_date(timestamp.current_seconds(), "UTC")

Example in a Dashboard Query:

// Example: Count events per day, excluding today

// Filter out events from the current day timestamp.get_date(metadata.event_timestamp.seconds, "UTC") < timestamp.get_date(timestamp.current_seconds(), "UTC")

// Other filters can be added here

// e.g., metadata.event_type = "USER_LOGIN"

$date = timestamp.get_date(metadata.event_timestamp.seconds, "UTC") match: $date outcome: $event_count = count(metadata.id) order: $date asc

jdavisson_CYD
Forum|alt.badge.img+2
  • jdavisson_CYDBronze 2
  • Author
  • Bronze 2
  • September 25, 2025

Another  method is to filter events based on their date within your YARA-L query. The standard "Global Time Filter" in Google Security Operations dashboards allows you to select relative time ranges (e.g., "Past 7 days") or absolute ranges, but it doesn't have a specific built-in option to "exclude the current day" or "only include full days." Relative time ranges typically include the current partial day.

To ensure you are only analyzing complete days, you can implement date comparison logic directly within your YARA-L queries for the dashboard charts.

Here’s how you can do it:

  1. Get the Event Date: Use the timestamp.get_date() function to extract the date string from the event's timestamp (e.g., metadata.event_timestamp.seconds).
  2. Get the Current Date: Use timestamp.current_seconds() to get the current Unix timestamp and convert that to a date string using timestamp.get_date().
  3. Compare the Dates: Include events only where the event date is before the current date. Since timestamp.get_date() returns the date in YYYY-MM-DD format, string comparison works correctly for this.

Here’s an example of the filtering line you would add to the events section or as a standalone filter statement in a dashboard query:

// Assuming UTC timezone for comparison. Adjust timezone string if needed. timestamp.get_date(metadata.event_timestamp.seconds, "UTC") < timestamp.get_date(timestamp.current_seconds(), "UTC")

Example in a Dashboard Query:

// Example: Count events per day, excluding today

// Filter out events from the current day timestamp.get_date(metadata.event_timestamp.seconds, "UTC") < timestamp.get_date(timestamp.current_seconds(), "UTC")

// Other filters can be added here

// e.g., metadata.event_type = "USER_LOGIN"

$date = timestamp.get_date(metadata.event_timestamp.seconds, "UTC") match: $date outcome: $event_count = count(metadata.id) order: $date asc

 

This would exclude the current day, but I’m still in need of a way to exclude the partial day that is e.g. $Today - 7d.

Terms & ConditionsCookie settingsAccessibility statement
Privacy Policy Terms of Service Gen AI Policy Community Guidelines Cookie Settings

© 2025 Google. All rights reserved.