Learn more about the Cortex Query Language parse_epoch() function that returns a Unix epoch TIMESTAMP object.
Syntax
parse_epoch("<format string>", <timestamp field>[, "<time zone>",] ["<time unit>"])
Description
The parse_epoch() function returns a Unix epoch TIMESTAMP object after converting a string representation of a timestamp. The <time zone> is optional and can be configured either as an hours offset, such as "+08:00", or as a time zone name from the List of Supported Time Zones, such as "America/Chicago". When you do not configure a time zone, the default is UTC. The <time unit> is optional and indicates whether the Unix epoch integer value represents seconds, milliseconds, or microseconds. These values are supported, and the default is used when none is configured:
SECONDS (default)
MILLIS
MICROS
Important
The order of the <time zone> and <time unit> matters. The <time zone> must be defined first, followed by the <time unit>. If the <time zone> is set after the <time unit>, the default time zone is used and the configured value is ignored.
Examples
With a time zone configured:
Returns a maximum of 100 xdr_data records, which include a timestamp field called new_time in the format MMM dd YYYY HH:mm:ss, such as Dec 25th 2008 04:30:00. This new_time field is built by taking a character string representation of a timestamp, "Thu Dec 25 07:30:00 2008", and adding to it +03:00 hours as the time zone format. This string timestamp is then converted to a Unix epoch TIMESTAMP object in milliseconds using the parse_epoch function, and this resulting value is converted to the final timestamp using the to_timestamp function.
dataset = xdr_data
| alter new_time = to_timestamp(parse_epoch("%c", "Thu Dec 25 07:30:00 2008", "+3", "millis"))
| fields new_time
| limit 100
Without a time zone or time unit configured:
Returns a maximum of 100 xdr_data records, which include a timestamp field called new_time in the format MMM dd YYYY HH:mm:ss, such as Dec 25th 2008 04:30:00. This new_time field is built by taking a character string representation of a timestamp, "Thu Dec 25 07:30:00 2008", and adding to it a UTC time zone format (default when none configured). This string timestamp is then converted to a Unix epoch TIMESTAMP object in seconds (default when none configured) using the parse_epoch function, and this resulting value is converted to the final timestamp using the to_timestamp function.
dataset = xdr_data
| alter new_time = to_timestamp(parse_epoch("%c", "Thu Dec 25 07:30:00 2008"))
| fields new_time
| limit 100
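The following Python model is an added example, not Cortex code. It reproduces the conversion described above so you can see how far a timeline shifts when the time zone argument is ignored (for example, because it was placed after the time unit) and the UTC default is applied instead. The names parse_epoch_model and tz_skew_seconds are hypothetical, and the model assumes the string is read as local time in the given zone and that unit names are case-insensitive, as in the "millis" query above.

```python
import re
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

# Multipliers for the three time units listed in the Description.
UNIT_FACTOR = {"SECONDS": 1, "MILLIS": 1_000, "MICROS": 1_000_000}
# Hour offsets such as "+3", "+08:00" or "-0530".
OFFSET_RE = re.compile(r"^([+-])(\d{1,2})(?::?(\d{2}))?$")
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def resolve_tz(tz):
    """Turn an hours offset or a time zone name into a tzinfo object."""
    m = OFFSET_RE.match(tz.strip())
    if m:
        sign = -1 if m.group(1) == "-" else 1
        minutes = int(m.group(2)) * 60 + int(m.group(3) or 0)
        return timezone(sign * timedelta(minutes=minutes))
    return timezone.utc if tz.upper() == "UTC" else ZoneInfo(tz)


def parse_epoch_model(fmt, value, tz="UTC", unit="SECONDS"):
    """Model of the described behaviour: string -> Unix epoch integer.

    Assumption: `value` is local time in `tz`; the defaults (UTC, SECONDS)
    are the ones the page documents.
    """
    local = datetime.strptime(value, fmt).replace(tzinfo=resolve_tz(tz))
    delta = local - EPOCH
    micros = (delta.days * 86_400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * UNIT_FACTOR[unit.upper()] // 1_000_000


def tz_skew_seconds(fmt, value, intended_tz):
    """Seconds by which an event is misplaced when `intended_tz` is ignored
    and the UTC default is used in its place."""
    return parse_epoch_model(fmt, value) - parse_epoch_model(fmt, value, intended_tz)


if __name__ == "__main__":
    ts = "Thu Dec 25 07:30:00 2008"  # sample value taken from the page
    print("with +3, millis :", parse_epoch_model("%c", ts, "+3", "millis"))
    print("defaults        :", parse_epoch_model("%c", ts))
    print("skew if tz lost :", tz_skew_seconds("%c", ts, "+03:00"), "seconds")
```

A three-hour skew like this one is enough to push an event outside a correlation window, so check the argument order whenever parsed timestamps do not line up with other log sources.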