date_floor

The Cortex XDR XQL date_floor() function takes a timestamp value from a field or function result and rounds it down to the nearest whole value of a specified time unit.

Synopsis

date_floor(<timestamp field>, "<time unit>" [, "<time zone>"])

Description

The date_floor() function converts a timestamp value for a particular field or function result that contains a number, and returns a timestamp rounded down to the nearest whole value of a specified <time unit>, including a year (y), month (mo), week (w), day (d), or hour (h). The <time zone> argument is optional and can be configured either as an hours offset, such as "+08:00", or as a time zone name from the List of Supported Time Zones, such as "America/Chicago". When you do not configure a time zone, the default is UTC.

Examples

Returns a maximum of 100 xdr_data records whose _time field is less than (earlier than) a computed timestamp value. The timestamp value undergoes a number of different function manipulations. The current time is first rounded down to the nearest whole week according to the America/Los_Angeles time zone. This timestamp value is then converted to the Unix epoch timestamp format in seconds, and -2073600 seconds (24 days) is added to it. The resulting Unix epoch value in seconds is then converted back to the final timestamp value that is used to filter the _time fields and return the matching records.

dataset = xdr_data | filter _time < to_timestamp(add(to_epoch(date_floor(current_time(),"w", "America/Los_Angeles")),-2073600)) | limit 100
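The following Python model, added here as an illustration and not part of Palo Alto Networks' XQL implementation, emulates the documented behaviour of date_floor() for each listed time unit and for both time-zone forms (hours offset and IANA name), and then rebuilds the filter bound from the example query above with stand-in to_epoch(), add() and to_timestamp() helpers. It makes two assumptions the page does not state: weeks are floored to Monday 00:00, and the offset form is always "+HH:MM"/"-HH:MM". The sample timestamps are constructed. The point for a detection engineer is the one the Description makes in passing: the same timestamp floors to a different day (or week) depending on the time zone, so hunting queries that bucket or window on _time must name the zone the analyst is reasoning in.

```python
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

# Time units accepted by date_floor() as listed on the page
UNITS = {"y", "mo", "w", "d", "h"}


def parse_tz(tz: str):
    """Accept either an "+HH:MM" style offset or an IANA zone name (assumed formats)."""
    if tz == "UTC":
        return timezone.utc
    if len(tz) == 6 and tz[0] in "+-" and tz[3] == ":":
        sign = 1 if tz[0] == "+" else -1
        hours, minutes = int(tz[1:3]), int(tz[4:6])
        return timezone(sign * timedelta(hours=hours, minutes=minutes))
    return ZoneInfo(tz)


def date_floor(ts: datetime, unit: str, tz: str = "UTC") -> datetime:
    """Round an aware timestamp down to the start of `unit` in zone `tz` (default UTC).

    Emulation of the documented XQL semantics, not the vendor's code.
    Assumption: weeks start on Monday; the page does not state the week start.
    """
    if unit not in UNITS:
        raise ValueError(f"unsupported time unit: {unit!r}")
    if ts.tzinfo is None:
        raise ValueError("timestamp must be time-zone aware")
    local = ts.astimezone(parse_tz(tz))
    if unit == "h":
        return local.replace(minute=0, second=0, microsecond=0)
    floored = local.replace(hour=0, minute=0, second=0, microsecond=0)
    if unit == "w":
        # weekday() is 0 for Monday; zoneinfo recomputes the UTC offset for the new wall time
        floored -= timedelta(days=floored.weekday())
    elif unit == "mo":
        floored = floored.replace(day=1)
    elif unit == "y":
        floored = floored.replace(month=1, day=1)
    return floored


def to_epoch(ts: datetime) -> int:
    """Stand-in for XQL to_epoch(): seconds since the Unix epoch."""
    return int(ts.timestamp())


def add(a: int, b: int) -> int:
    """Stand-in for XQL add()."""
    return a + b


def to_timestamp(epoch_seconds: int) -> datetime:
    """Stand-in for XQL to_timestamp(): epoch seconds back to an aware UTC datetime."""
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc)


def example_filter_bound(now: datetime) -> datetime:
    """Rebuild the bound from the page's example query for a given 'current_time()'."""
    week_start = date_floor(now, "w", "America/Los_Angeles")
    return to_timestamp(add(to_epoch(week_start), -2073600))  # -2073600 s = 24 days


if __name__ == "__main__":
    # Constructed sample: Wednesday 2024-03-13 15:30 UTC, after the US DST change
    now = datetime(2024, 3, 13, 15, 30, tzinfo=timezone.utc)
    print("day floor in UTC            :", date_floor(now, "d"))
    print("day floor in America/Chicago:", date_floor(now, "d", "America/Chicago"))
    print("example query filter bound  :", example_filter_bound(now))
```

Running the block shows that a 03:00 UTC event belongs to the previous calendar day in America/Chicago, and that the example query keeps records older than 24 days before the start of the current Los Angeles week.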
