format_timestamp

Cortex XDR XQL format_timestamp() function returns a string after formatting a timestamp according to a specified string format.

Synopsis

format_timestamp("<format string>", <timestamp field>)

format_timestamp("<format string>", <timestamp field>, "<time zone>")

The

format_timestamp()

function returns a string after formatting a timestamp according to a specified string format. The

is optional to configure. The

format_timestamp()

function should include an Alter stage. For more information, see the examples below.

Examples

Without a time zone configured

Returns a maximum of 100

xdr_data

records, which includes a string field called new_time in the format YYYY/MM/dd HH:mm:ss, such as 2021/11/12 12:10:30. This format is detailed in the

format_timestamp

function, which defines retrieving the new_time (

%Y/%m/%d %H:%M:%S

) from the

_time

field.

dataset = xdr_data
| alter new_time = format_timestamp("%Y/%m/%d %H:%M:%S", _time) 
| fields new_time 
| limit 100

With a time zone configured

Returns a maximum of 100

xdr_data

records, which includes a string field called new_time in the format YYYY/MM/dd HH:mm:ss, such as 2021/11/12 01:53:35. This format is detailed in the

format_timestamp

function, which defines the retrieving the new_time (

%Y/%m/%d %H:%M:%S

) from the

_time

field and adding +03:00 hours as the time zone format.

dataset = xdr_data  
| alter hour = format_timestamp("%Y/%m/%d %H:%M:%S", _time, "+03:00") 
| fields hour 
| limit 100