parse_epoch

Cortex XDR XQL parse_epoch() function returns a Unix epoch TIMESTAMP object after converting a string representation of a timestamp.

Synopsis

parse_epoch("<format string>", <timestamp field> [, "<time zone>",] ["<time unit>"])

Description

The parse_epoch() function returns a Unix epoch TIMESTAMP object after converting a string representation of a timestamp. The <time zone> is optional and can be configured either as an hours offset, such as "+08:00", or as a time zone name from the List of Supported Time Zones, such as "America/Chicago". When you do not configure a time zone, the default is UTC. The <time unit> is optional and indicates whether the Unix epoch integer value represents seconds, milliseconds, or microseconds. The supported values are listed below; the default is used when none is configured:
  • SECONDS (default)
  • MILLIS
  • MICROS
The order of the <time zone> and <time unit> arguments matters: the <time zone> must be given first, followed by the <time unit>. If the <time zone> is placed after the <time unit>, the default time zone (UTC) is used and the configured value is ignored.
Examples
  • With a time zone configured
    Returns a maximum of 100 xdr_data records, each with a timestamp field called new_time in the format MMM dd YYYY HH:mm:ss, such as Dec 25th 2008 04:30:00. The new_time field is produced by taking the character string representation of a timestamp "Thu Dec 25 07:30:00 2008", matched by the "%c" format string, and interpreting it in the +03:00 time zone offset (written "+3" in the query). parse_epoch converts this string to a Unix epoch value in milliseconds, and to_timestamp converts that value to the final timestamp. Because 07:30:00 at +03:00 is 04:30:00 UTC, the resulting timestamp is three hours earlier than the wall-clock value in the input string.
    dataset = xdr_data | alter new_time = to_timestamp(parse_epoch("%c", "Thu Dec 25 07:30:00 2008", "+3", "millis")) | fields new_time | limit 100
  • Without a time zone or time unit configured
    Returns a maximum of 100 xdr_data records, each with a timestamp field called new_time in the format MMM dd YYYY HH:mm:ss, such as Dec 25th 2008 07:30:00. The new_time field is produced by taking the character string representation of a timestamp "Thu Dec 25 07:30:00 2008", matched by the "%c" format string, and interpreting it in UTC (the default when no time zone is configured). parse_epoch converts this string to a Unix epoch value in seconds (the default when no time unit is configured), and to_timestamp converts that value to the final timestamp. Because no offset is applied, the resulting timestamp keeps the 07:30:00 wall-clock value of the input string.
    dataset = xdr_data | alter new_time = to_timestamp(parse_epoch("%c", "Thu Dec 25 07:30:00 2008")) | fields new_time | limit 100
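The argument semantics described above, reproduced in Python as an added example. This is not XQL and not Palo Alto Networks code; it models the documented behaviour (default UTC, default SECONDS, time zone before time unit, a time zone placed after the unit is ignored) so the two queries above can be checked offline. The "%c" format is expanded to the explicit C-locale pattern "%a %b %d %H:%M:%S %Y", because Python's own "%c" follows the process locale; that equivalence, the offset forms accepted by resolve_tz, and the to_timestamp helper are assumptions of this example, not statements from the page.

```python
"""Python model of the Cortex XDR XQL parse_epoch() argument semantics.

Added example, not XQL and not Palo Alto Networks code. It reproduces the
documented behaviour: parse a timestamp string with a format, apply an
optional time zone given as an hours offset ("+3", "+08:00") or an IANA name
("America/Chicago"), and return a Unix epoch integer in SECONDS (default),
MILLIS or MICROS. The positional rule is modelled too: the time zone must
precede the time unit, otherwise the default (UTC) stays in effect.
"""
import re
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

_UNITS = {"SECONDS": 1, "MILLIS": 1_000, "MICROS": 1_000_000}
_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

# XQL's "%c" is the C-locale date/time form ("Thu Dec 25 07:30:00 2008").
# Python's "%c" follows the process locale, so the explicit pattern is used
# instead (assumed equivalent); any other format is passed to strptime as-is.
_FORMATS = {"%c": "%a %b %d %H:%M:%S %Y"}


def resolve_tz(spec: str):
    """Map "+3", "-05:30", "+0800" or an IANA zone name to a tzinfo (assumed forms)."""
    m = re.fullmatch(r"([+-])(\d{1,2})(?::?(\d{2}))?", spec)
    if m:
        sign = 1 if m.group(1) == "+" else -1
        delta = timedelta(hours=int(m.group(2)), minutes=int(m.group(3) or 0))
        return timezone(sign * delta)
    return ZoneInfo(spec)


def parse_epoch(fmt: str, value: str, *optional: str) -> int:
    """parse_epoch("<format>", "<timestamp>" [, "<time zone>",] ["<time unit>"])."""
    tz = timezone.utc          # documented default time zone
    unit = "SECONDS"           # documented default time unit
    if optional:
        if optional[0].upper() in _UNITS:
            # A unit in the first optional slot means any later time zone is
            # ignored and UTC stays in effect, as the documentation warns.
            unit = optional[0].upper()
        else:
            tz = resolve_tz(optional[0])
            if len(optional) > 1:
                unit = optional[1].upper()
    if unit not in _UNITS:
        raise ValueError(f"unsupported time unit: {unit!r}")
    naive = datetime.strptime(value, _FORMATS.get(fmt, fmt))
    aware = naive.replace(tzinfo=tz)
    micros = (aware - _EPOCH) // timedelta(microseconds=1)   # exact integer
    return micros // (1_000_000 // _UNITS[unit])


def to_timestamp(epoch: int, unit: str = "SECONDS") -> datetime:
    """Inverse step used in the XQL examples: epoch integer -> UTC datetime."""
    micros = epoch * (1_000_000 // _UNITS[unit.upper()])
    return _EPOCH + timedelta(microseconds=micros)


if __name__ == "__main__":
    s = "Thu Dec 25 07:30:00 2008"      # the string from the page's examples
    print("UTC, seconds     :", parse_epoch("%c", s))
    print("+3, millis       :", parse_epoch("%c", s, "+3", "millis"))
    print("unit before zone :", parse_epoch("%c", s, "millis", "+3"))
    print("+3 as timestamp  :", to_timestamp(parse_epoch("%c", s, "+3", "millis"), "millis"))
```

Running the two page queries through this model shows the point that matters when normalizing timestamps during an investigation: the same string yields epochs 10,800 seconds apart depending on whether the "+3" offset is applied, and swapping the order of "millis" and "+3" silently drops the offset rather than raising an error.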
