From d74f20959b12d98573d401d2dcb8552d65f84a08 Mon Sep 17 00:00:00 2001
From: Jason Straw <jason.straw@gmail.com>
Date: Fri, 5 Apr 2024 11:25:49 -0500
Subject: [PATCH] Automatically get changes in last day

Given that the Events endpoint has a lot of data in it (partitioned by day) ask for only events that occurred in the last day by using the date command to generate the timestamp
---
 _docs/pql_queries.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/_docs/pql_queries.md b/_docs/pql_queries.md
index 37ac5a0..c88d892 100644
--- a/_docs/pql_queries.md
+++ b/_docs/pql_queries.md
@@ -124,7 +124,7 @@ and saves reports on a per-day partition. By filtering for the current day we
 avoid scans on other partitions.
 
 ```
-puppet query 'events[certname]{corrective_change = true and report_receive_time > "2024-04-05T06:06:00.000Z" group by certname}'
+puppet query "events[certname]{corrective_change = true and report_receive_time > \"$(date -u --date='1 day ago' +%Y-%m-%dT%H:%M:%S.000Z)\" group by certname}"
 ```
 
 ### Get all inactive nodes