Learn more about the Cortex Query Language format_timestamp() function that returns a string after formatting a timestamp according to a specified string format.
Syntax
format_timestamp("<format string>", <timestamp field>)
format_timestamp("<format string>", <timestamp field>, "<time zone>")
Description
The format_timestamp() function returns a string after formatting a timestamp according to a specified string format. The <time zone> argument is optional and can be configured using an hours offset, such as "+08:00", or using a time zone name from the List of Supported Time Zones, such as "America/Chicago". The format_timestamp() function should be used with an alter stage. For more information, see the examples below.
Examples
Without a time zone configured
Returns a maximum of 100 xdr_data records, which include a string field called new_time in the format YYYY/MM/dd HH:mm:ss, such as 2021/11/12 12:10:30. This format is specified in the format_timestamp function, which defines retrieving new_time (%Y/%m/%d %H:%M:%S) from the _time field.
dataset = xdr_data | alter new_time = format_timestamp("%Y/%m/%d %H:%M:%S", _time) | fields new_time | limit 100
With a time zone configured using an hours offset
Returns a maximum of 100 xdr_data records, which include a string field called new_time in the format YYYY/MM/dd HH:mm:ss, such as 2021/11/12 01:53:35. This format is specified in the format_timestamp function, which defines retrieving new_time (%Y/%m/%d %H:%M:%S) from the _time field and adding +03:00 hours as the time zone offset.
dataset = xdr_data | alter new_time = format_timestamp("%Y/%m/%d %H:%M:%S", _time, "+03:00") | fields new_time | limit 100
With a time zone name configured
Returns a maximum of 100 xdr_data records, which include a string field called new_time in the format YYYY/MM/dd HH:mm:ss, such as 2021/11/12 01:53:35. This format is specified in the format_timestamp function, which defines retrieving new_time (%Y/%m/%d %H:%M:%S) from the _time field, and includes an "America/Chicago" time zone.
dataset = xdr_data | fields _time | alter new_time = format_timestamp("%Y/%m/%d %H:%M:%S", _time, "America/Chicago") | fields new_time | limit 100