Document:Cortex XDR™ XQL Language Reference

parse_timestamp

Search the Table of Contents

copyright
- copyright
Get Started with XQL
Stages Commands Reference
- Alter
- Arrayexpand
- Bin
- Comp
  - avg
  - count
  - count_distinct
  - earliest
  - first
  - last
  - latest
  - list
  - max
  - min
  - sum
  - values
- Config
  - case_sensitive
  - timeframe
- Dedup
- Fields
- Filter
- Join
- Iploc
- Limit
- Replacenull
- Sort
- Target
- Union
- View
XQL Functions Reference
- add
- arrayconcat
- arraycreate
- arraydistinct
- arrayfilter
- arrayindex
- arrayindexof
- array_length
- arraymap
- arraymerge
- arrayrange
- arraystring
- coalesce
- concat
- current_time
- divide
- extract_time
- format_string
- format_timestamp
- floor
- if
- incidr
- incidrlist
- json_extract
- json_extract_array
- json_extract_scalar
- len
- lowercase
- multiply
- object_create
- parse_timestamp
- pow
- regextract
- replace
- replex
- round
- split
- string_count
- subtract
- timestamp_diff
- timestamp_seconds
- to_boolean
- to_float
- to_integer
- to_json_string
- to_number
- to_string
- to_timestamp
- trim
- uppercase

parse_timestamp

Cortex XDR XQL parse_timestamp() function returns a TIMESTAMP object after converting a string representation of a timestamp.

Synopsis

parse_timestamp("<time string>", format_string("<format string>", <field_1>, <field_2>,...<field_n> ))

parse_timestamp("<time string>", format_string("<format string>", <field_1>, <field_2>,...<field_n> ), "<time zone>")

Description

The

parse_timestamp()

function returns a TIMESTAMP object after converting a string representation of a timestamp. The

offset is optional to configure using an hours offset, such as “+08:00”, or using a time zone name from the List of Supported Time Zones, such as "America/Chicago". The

parse_timestamp()

function should include both an Alter stage and format_string function. For more information, see the examples below. The

format_string

function contains the format elements that define how the

parse_timestamp

string is formatted. Each element in the

parse_timestamp

string must have a corresponding element in

format_string

. The location of each element in the

format_string

must match the location of each element in

parse_timestamp

For example:

Without a time zone configured

Returns a maximum of 100

microsoft_dhcp_raw

records, which includes a TIMESTAMP object in the p_t_test field in the format MMM dd YYYY HH:mm:ss, such as Jun 25th 2021 18:31:25. This format is detailed in the

format_string

function, which includes merging both the

date

and

time

fields.

dataset = microsoft_dhcp_raw 
| alter p_t_test = parse_timestamp("%m/%d/%y %H:%M:%S", format_string("%s %s", date, time)) 
| fields p_t_test 
| limit 100

With a time zone name configured

Returns a maximum of 100

microsoft_dhcp_raw

records, which includes a TIMESTAMP object in the p_t_test field in the format MMM dd YYYY HH:mm:ss, such as Jun 25th 2021 18:31:25. This format is detailed in the

format_string

function, which includes merging both the

date

and

time

fields, and includes a "Asia/Singapore" time zone.

dataset = microsoft_dhcp_raw 
| alter p_t_test = parse_timestamp("%m/%d/%y %H:%M:%S", format_string("%s %s", date, time), "Asia/Singapore") 
| fields p_t_test 
| limit 100

With a time zone configured using an hours offset

Returns a maximum of 100

microsoft_dhcp_raw

records, which includes a TIMESTAMP object in the p_t_test field in the format MMM dd YYYY HH:mm:ss, such as Jun 25th 2021 18:31:25. This format is detailed in the

format_string

function, which includes merging both the

date

and

time

fields, and includes a time zone using an hours offset of “+08:00”.

dataset = microsoft_dhcp_raw 
| alter p_t_test = parse_timestamp("%m/%d/%y %H:%M:%S", format_string("%s %s", date, time), “+08:00”) 
| fields p_t_test 
| limit 100

Document:Cortex XDR™ XQL Language Reference

parse_timestamp

Table of Contents

parse_timestamp

Synopsis

Description

Recommended For You

Recommended Videos