Dates and Times

Dates in FSQL can be described as relative dates, ISO 8601 dates, or epoch timestamps. Time ranges are specified with SINCE (how far back to start) and UNTIL (where to stop).

FSQL resolves relative windows into absolute times and passes those absolute values through to source systems. FSQL does not globally normalize all query times to UTC before sending them downstream.

Relative Dates

Relative dates describe a time relative to when FSQL receives your query, and can be described in minutes, hours, days, weeks, or months.

Supported time units:

  • Minutes: m, min, mins, minute, minutes
  • Hours: h, hr, hour, hrs, hours
  • Days: d, day, days
  • Weeks: w, week, weeks, wk, wks
  • Months: mo, mos, month, months, mon, mons

Examples:

QUERY ... SINCE 7d
QUERY ... SINCE 1 month
QUERY ... SINCE 48hrs UNTIL 24hrs

Relative dates can also be combined:

QUERY ... SINCE 2 weeks 3 days

ISO 8601 Dates

Absolute dates can be described using the ISO 8601 date format.

ISO 8601 dates must be quoted and must contain a year, month, and day. They may optionally include a time (hours and minutes, optionally with seconds and fractional seconds) and a timezone offset expressed as hours and minutes from UTC.

QUERY ... SINCE '2025-04-01'
QUERY ... SINCE '2025-04-01 17:30'
QUERY ... SINCE '2025-04-01 17:30:00'
QUERY ... SINCE '2025-04-01 17:30:00.1234'
QUERY ... SINCE '2024-04-01 17:30-05:00'
QUERY ... SINCE '2024-04-01 17:30:00.1234-5:00'

Epoch Timestamps

Epoch timestamps (Unix timestamps) are written unquoted, as the number of seconds since January 1st, 1970 UTC. Epoch values represent an absolute point in time and are passed through as provided.

QUERY ... UNTIL 1746109163

Timezones and Multi-Region Investigations

FSQL supports timezone-aware absolute timestamps and passes the absolute times you specify to downstream systems.

Practical guidance:

  • Prefer explicit timezone offsets in absolute timestamps when sharing queries across teams.
  • Use UTC (+00:00) for incident timelines and handoffs between SOC regions when you want a shared baseline.
  • Relative ranges (SINCE 24hrs, SINCE 7d) are often safest for shared detections because they avoid local timezone ambiguity.

Examples:

-- Explicit local offset (US Eastern)
QUERY authentication.** SINCE '2026-03-31 09:00:00-04:00' UNTIL '2026-03-31 17:00:00-04:00'

-- Equivalent UTC window for cross-region sharing
QUERY authentication.** SINCE '2026-03-31 13:00:00+00:00' UNTIL '2026-03-31 21:00:00+00:00'

When investigating "same-time" activity across regions, use explicit offsets (or UTC) so all analysts are working from the same absolute time window.
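As an added illustration of the rules on this page (not FSQL's own parser, which is not shown here), the following Python resolver turns a single SINCE/UNTIL value into an absolute, timezone-aware datetime using the unit aliases, ISO 8601 shapes and unquoted epoch form described above, so you can check what window a shared query actually covers. It assumes calendar-month arithmetic for month units and a caller-supplied default zone for timestamps without an offset; the page specifies neither.

```python
import calendar
import re
from datetime import datetime, timedelta, timezone

# Unit aliases exactly as this page lists them, mapped to a canonical unit.
ALIAS = {a: u for u, aliases in {
    "minutes": ("m", "min", "mins", "minute", "minutes"),
    "hours": ("h", "hr", "hour", "hrs", "hours"),
    "days": ("d", "day", "days"),
    "weeks": ("w", "week", "weeks", "wk", "wks"),
    "months": ("mo", "mos", "month", "months", "mon", "mons"),
}.items() for a in aliases}
REL = re.compile(r"(\d+)\s*([a-z]+)")
ISO = re.compile(r"^(\d{4})-(\d{2})-(\d{2})"
                 r"(?:[ T](\d{2}):(\d{2})(?::(\d{2})(?:\.(\d+))?)?)?"
                 r"(?:([+-])(\d{1,2}):(\d{2}))?$")

def _minus_months(dt, n):
    # Calendar-month arithmetic (assumption: the page does not define a month's length);
    # the day is clamped to the target month, so 31 May minus 1 month is 30 April.
    m = dt.month - 1 - n
    y, m = dt.year + m // 12, m % 12 + 1
    return dt.replace(year=y, month=m, day=min(dt.day, calendar.monthrange(y, m)[1]))

def resolve(expr, now, default_tz=timezone.utc):
    """Resolve one SINCE/UNTIL value to an aware datetime; `now` is query receipt time."""
    expr = expr.strip()
    if expr.isdigit():                     # epoch seconds: unquoted, passed through as-is
        return datetime.fromtimestamp(int(expr), tz=timezone.utc)
    if expr[:1] in ("'", '"'):             # quoted ISO 8601 absolute timestamp
        m = ISO.match(expr.strip("'\""))
        if not m:
            raise ValueError(f"bad ISO 8601 timestamp: {expr}")
        y, mo, d, hh, mm, ss, frac, sign, oh, om = m.groups()
        tz = default_tz   # assumption: an offset-less timestamp takes the caller's default zone
        if sign:
            off = timedelta(hours=int(oh), minutes=int(om))
            tz = timezone(-off if sign == "-" else off)
        return datetime(int(y), int(mo), int(d), int(hh or 0), int(mm or 0), int(ss or 0),
                        int((frac or "0").ljust(6, "0")[:6]), tzinfo=tz)
    # Relative window: one or more "<n> <unit>" terms, e.g. "2 weeks 3 days"
    tokens = REL.findall(expr.lower())
    if not tokens or "".join(n + u for n, u in tokens) != re.sub(r"\s+", "", expr.lower()):
        raise ValueError(f"bad relative date: {expr}")
    for n, unit in tokens:
        u = ALIAS.get(unit)
        if u is None:
            raise ValueError(f"unknown unit: {unit}")
        now = _minus_months(now, int(n)) if u == "months" else now - timedelta(**{u: int(n)})
    return now
```

Resolving both the SINCE and the UNTIL value with the same `now` gives the absolute window FSQL would hand to the source systems.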

Alternative Syntax

AFTER and BEFORE are supported as aliases for SINCE and UNTIL, respectively: AFTER is equivalent to SINCE and BEFORE is equivalent to UNTIL. You may encounter these in older queries or documentation.