to_epoch

The Cortex XDR XQL to_epoch() function converts a timestamp value from a field or function result into a Unix epoch integer, in seconds, milliseconds, or microseconds.

Synopsis

to_epoch (<timestamp>, <time unit>)

Description

The to_epoch() function converts a timestamp value from a field or function result into a Unix epoch integer. The optional <time unit> argument selects the unit of that integer: seconds (the default), milliseconds, or microseconds. If no <time unit> is given, SECONDS is used. Supported values are:
  • SECONDS
  • MILLIS
  • MICROS
Pick the unit deliberately when results will be compared with another data source: an epoch value in milliseconds is one thousand times larger than the same instant in seconds, and mixing units in a filter or join silently matches nothing.
For example, the following query returns at most 100 xdr_data records whose _time field is populated, adding a field named ts that holds each record's _time converted to a Unix epoch value in milliseconds:
dataset = xdr_data | filter _time != null | alter ts = to_epoch(_time, "MILLIS") | fields ts | limit 100
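The following Python example is added here to illustrate the semantics described above; it is not Cortex XDR or Palo Alto Networks code and does not talk to XQL. It re-implements the to_epoch() conversion for the three units with exact integer arithmetic, adds a magnitude-based unit sanity check, and shows why the unit matters when rows returned by the query above (ts in MILLIS) are correlated with a second log source that records whole seconds. Assumptions: XDR _time values are UTC, so naive datetimes are treated as UTC; the XQL_ROWS and OTHER_EVENTS data are constructed for the demo, and the host field in the rows is added here for the join and is not produced by the page's query.

```python
"""Added example: Python companion to the XQL to_epoch() function.

Not Cortex XDR code. Assumes XDR _time values are UTC; all sample data
below is constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

# Scale factors for the three <time unit> values the page lists;
# SECONDS is the default, as in XQL.
UNIT_SCALE = {"SECONDS": 1, "MILLIS": 1_000, "MICROS": 1_000_000}
_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def _scale(unit: str) -> int:
    """Validate a time-unit name (case-insensitive) and return its factor."""
    key = unit.upper()
    if key not in UNIT_SCALE:
        raise ValueError(
            f"unsupported time unit {unit!r}; expected one of {sorted(UNIT_SCALE)}"
        )
    return UNIT_SCALE[key]


def to_epoch(ts: datetime, unit: str = "SECONDS") -> int:
    """Epoch integer for ts in the given unit, truncated toward zero.

    Naive datetimes are treated as UTC (assumption: XDR _time is UTC).
    Integer arithmetic keeps MICROS exact; float(ts.timestamp()) * 1_000_000
    can be off by a few microseconds for recent dates.
    """
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    delta = ts - _EPOCH
    micros = (delta.days * 86_400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros // (1_000_000 // _scale(unit))


def from_epoch(value: int, unit: str = "SECONDS") -> datetime:
    """Inverse of to_epoch(): a UTC datetime from an epoch integer."""
    return _EPOCH + timedelta(microseconds=value * (1_000_000 // _scale(unit)))


def to_seconds(value: int, unit: str) -> int:
    """Normalise an epoch integer of a known unit to whole seconds."""
    return value // _scale(unit)


def infer_unit(value: int) -> str:
    """Guess the unit of an epoch integer from its magnitude.

    Valid for dates from March 1973 to about 5000 CE: seconds have 10-11
    digits, milliseconds 13-14, microseconds 16-17. A sanity check for a
    feed whose unit is undocumented, not a substitute for knowing it.
    """
    if value < 10**11:
        return "SECONDS"
    if value < 10**14:
        return "MILLIS"
    return "MICROS"


def correlate(xql_rows, xql_unit, other_events, other_unit, window_s=2):
    """Join XQL rows to events from another source on host and time.

    Both sides are normalised to seconds before comparing. Comparing the
    raw integers across units would silently match nothing: a millisecond
    value near 1.7e12 is never within a few units of a second value near 1.7e9.
    """
    matches = []
    for row in xql_rows:
        t_row = to_seconds(row["ts"], xql_unit)
        for ev in other_events:
            t_ev = to_seconds(ev["time"], other_unit)
            if row["host"] == ev["host"] and abs(t_row - t_ev) <= window_s:
                matches.append((row["host"], t_row, ev["event"]))
    return matches


# Constructed rows in the shape the page's query produces (ts in MILLIS),
# with a host field added here for the join; not real XDR output.
XQL_ROWS = [
    {"host": "ws-017", "ts": 1_700_000_000_000},
    {"host": "ws-042", "ts": 1_700_000_125_500},
]
# Constructed events from a second log source that records whole seconds.
OTHER_EVENTS = [
    {"host": "ws-017", "time": 1_700_000_001, "event": "auth_failure"},
    {"host": "ws-042", "time": 1_700_000_200, "event": "auth_failure"},
]


def demo():
    """Run the cross-source join on the sample data after checking the unit."""
    unit = infer_unit(XQL_ROWS[0]["ts"])  # "MILLIS", matching the query above
    return correlate(XQL_ROWS, unit, OTHER_EVENTS, "SECONDS")


if __name__ == "__main__":
    print(to_epoch(datetime(2023, 11, 14, 22, 13, 20), "MILLIS"))
    for host, t, event in demo():
        print(host, from_epoch(t).isoformat(), event)
```

Running the script prints the millisecond epoch for 2023-11-14T22:13:20Z and the single host whose XDR record falls within two seconds of an event in the second source. Calling correlate() with "SECONDS" for the XQL side instead of "MILLIS" returns no matches at all, which is the failure mode to watch for when ts values leave the XQL console and are compared with timestamps produced elsewhere.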
