1. Home
    2. Cortex
    3. Cortex XDR
    4. Cortex XDR™ XQL Language Reference
    5. XQL Functions Reference
    6. timestamp_diff

    timestamp_diff

    Cortex XDR XQL timestamp_diff() function returns the difference between two timestamp objects.

    Synopsis

    timestamp_diff (<
    timestamp1
    >, <
    timestamp2
    >, <
    part
    >)

    Description

    The
    timestamp_diff()
     function returns the difference between two timestamp objects. The units used to express the difference is identified by the
    part
     parameter. The second timestamp is subtracted from the first timestamp. If the first timestamp is greater than the second, a negative value is returned. If the result of this function is between 0 and 1, 0 is returned.
    Supported parts are:
    • DAY
    • HOUR
    • MINUTE
    • SECOND
    • MILLISECOND
    • MICROSECOND
    For example: 
    dataset = xdr_data 
| filter story_publish_timestamp != null 
| alter ts = to_timestamp(story_publish_timestamp, "MILLIS") 
| alter ct = current_time() 
| alter diff = timestamp_diff(ct, ts, "MINUTE") 
| fields ts, ct, diff 
| limit 1

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2021 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo