timestamp_diff
Cortex XDR XQL timestamp_diff() function returns the difference between two timestamp objects.
Synopsis
timestamp_diff (<timestamp1>, <timestamp2>, <part>)
Description
The timestamp_diff() function returns the difference between two timestamp objects. The units used to express the difference are identified by the part parameter. The second timestamp is subtracted from the first timestamp. If the first timestamp is greater than the second, a negative value is returned. If the result of this function is between 0 and 1, 0 is returned.
Supported parts are:
- DAY
- HOUR
- MINUTE
- SECOND
- MILLISECOND
- MICROSECOND
For example:
dataset = xdr_data
| filter story_publish_timestamp != null
| alter ts = to_timestamp(story_publish_timestamp, "MILLIS")
| alter ct = current_time()
| alter diff = timestamp_diff(ct, ts, "MINUTE")
| fields ts, ct, diff
| limit 1