parse_epoch - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR Documentation

Product
Cortex XDR
Creation date
2024-03-06
Last date published
2024-11-13
Category
Administrator Guide
Abstract

Learn more about the Cortex Query Language parse_epoch() function that returns a Unix epoch TIMESTAMP object.

Syntax
parse_epoch("<format string>", <timestamp field>[, "<time zone>",] ["<time unit>"])
Description

The parse_epoch() function returns a Unix epoch TIMESTAMP object after converting a string representation of a timestamp. The <time zone> offset is optional to configure using an hours offset, such as “+08:00”, or using a time zone name from the List of Supported Time Zones, such as "America/Chicago". When you do not configure a timezone, the default is UTC. The <time unit> is optional to configure and indicates whether the Unix epoch integer value represents seconds, milliseconds, or microseconds. These values are supported, and the default is used when none is configured:

  • SECONDS (default)

  • MILLIS

  • MICROS

Important

The order of the <time zone> and <time unit> matters. The <time zone> must be defined first followed by the <time unit>. If the <time zone> is set after the <time unit>, the default time zone is used and the configured value is ignored.

Examples
  • With a time zone configured:

    Returns a maximum of 100 xdr_data records, which includes a timestamp field called new_time in the format MMM dd YYYY HH:mm:ss, such as Dec 25th 2008 04:30:00. This new_time field is comprised by taking a character string representation of a timestamp "Thu Dec 25 07:30:00 2008" and adding to it +03:00 hours as the time zone format. This string timestamp is then converted to a Unix epoch TIMESTAMP object in milliseconds using the parse_epoch function, and this resulting value is converted to the final timestamp using the to_timestamp function.

    dataset = xdr_data
    | alter new_time = to_timestamp(parse_epoch("%c", "Thu Dec 25 07:30:00 2008", "+3", "millis"))
    | fields new_time
    | limit 100
  • Without a time zone or time unit configured:

    Returns a maximum of 100 xdr_data records, which includes a timestamp field called new_time in the format MMM dd YYYY HH:mm:ss, such as Dec 25th 2008 04:30:00. This new_time field is comprised by taking a character string representation of a timestamp "Thu Dec 25 07:30:00 2008" and adding to it a UTC time zone format (default when none configured). This string timestamp is then converted to a Unix epoch TIMESTAMP object in seconds (default when none configured) using the parse_epoch function, and this resulting value is converted to the final timestamp using the to_timestamp function.

    dataset = xdr_data
    | alter new_time = to_timestamp(parse_epoch("%c", "Thu Dec 25 07:30:00 2008"))
    | fields new_time
    | limit 100