Panther p_occurs_between returns "Your query did not return any results"

Issue

When trying to use the Data Explorer macro p_occurs_between(), I expect to see data returned. Data Explorer displays a message that says, "Your query did not return any results." 

Resolution

To resolve this issue, try the following steps:

• Make sure that you are targeting the appropriate table. For instance, verify if you're aiming for panther_logs or panther_rule_matches.

• Make sure the macro's first parameter indicates a time before the second parameter. For example, if you try p_occurs_between(current_date-1, current_date-2) this will return no data because current_date-1 is yesterday and current_date-2 is the day before yesterday, so p_occurs_between() will look for data that occurred after yesterday and before the day after yesterday.

  • When using dates in p_occurs_between() without specifying times in hours or minutes, note that the query acts the same as if you added the time stamp 00:00:00 to each date. This will almost always exclude all data from the latter date.

• Make sure there is data available in your target time range. For example, if you try p_occurs_between(current_date-2, current_date-1) and no data appears, it's possible that data stopped flowing 3 days ago and started again today. To check for this, try a query using a larger time window than you need, like p_occurs_since(current_date-5) or similar.

Cause

This can be caused by a misconfiguration or by targeting a time range when no data was flowing.