parse_timestamp

Product: Cortex XDR
License: Prevent, Pro
Creation date: 2024-03-06
Last date published: 2025-05-14
Category: Administrator Guide
Abstract

Learn more about the Cortex Query Language parse_timestamp() function that returns a TIMESTAMP object.

Syntax
parse_timestamp("<format time string>", "<time string>" | format_string(<time field>) | <time string field>)
parse_timestamp("<format time string>", "<time string>" | format_string(<time field>) | <time string field>, "<time zone>")
Description

The parse_timestamp() function converts a string representation of a timestamp and returns a TIMESTAMP object. The optional <time zone> argument can be given either as an hours offset, such as "+08:00", or as a time zone name from the List of Supported Time Zones, such as "America/Chicago". The parse_timestamp() function can be combined with an alter stage and with the format_string function; see the examples below. The format_string function contains the format elements that define how the string passed to parse_timestamp is formatted. Each element in the parse_timestamp string must have a corresponding element in format_string, and the elements must appear in the same positions in both.

Examples
  • Without a time zone configured

    Returns a maximum of 100 microsoft_dhcp_raw records, each of which includes a TIMESTAMP object in the p_t_test field in the format MMM dd YYYY HH:mm:ss, such as Jun 25th 2021 18:31:25. The input format is described by the format string, and the format_string function merges the date and time fields into a single string before parsing.

    dataset = microsoft_dhcp_raw 
    | alter p_t_test = parse_timestamp("%m/%d/%Y %H:%M:%S", format_string("%s %s", date, time)) 
    | fields p_t_test 
    | limit 100
    
  • With a time zone name configured

    Returns a maximum of 100 microsoft_dhcp_raw records, each of which includes a TIMESTAMP object in the p_t_test field in the format MMM dd YYYY HH:mm:ss, such as Jun 25th 2021 18:31:25. The input format is described by the format string, the format_string function merges the date and time fields into a single string before parsing, and the "Asia/Singapore" time zone name is applied.

    dataset = microsoft_dhcp_raw 
    | alter p_t_test = parse_timestamp("%m/%d/%Y %H:%M:%S", format_string("%s %s", date, time), "Asia/Singapore") 
    | fields p_t_test 
    | limit 100
    
  • With a time zone configured using an hours offset

    Returns a maximum of 100 microsoft_dhcp_raw records, each of which includes a TIMESTAMP object in the p_t_test field in the format MMM dd YYYY HH:mm:ss, such as Jun 25th 2021 18:31:25. The input format is described by the format string, the format_string function merges the date and time fields into a single string before parsing, and the time zone is applied as an hours offset of "+08:00".

    dataset = microsoft_dhcp_raw 
    | alter p_t_test = parse_timestamp("%m/%d/%Y %H:%M:%S", format_string("%s %s", date, time), "+08:00") 
    | fields p_t_test 
    | limit 100
    
  • Convert a time string that contains milliseconds

    Returns a single xdr_data record that includes both a manually added time string, "Jun 25 2024 18:31:25.723", in the time_string field and, in the p_t_test field, the TIMESTAMP object produced by parse_timestamp(), such as Jun 25 2024 18:31:25. Notice that the query uses the format element %E3S, which captures seconds with three fractional digits (milliseconds); the %E*S form captures seconds with any level of fractional precision.

    dataset = xdr_data  
    | limit 1
    | alter time_string = "Jun 25 2024 18:31:25.723"
    | alter p_t_test = parse_timestamp("%h %d %Y %H:%M:%E3S", time_string) 
    | fields p_t_test, time_string
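The following Python model is an added example and is not XQL or Palo Alto Networks code. It re-implements, for the four queries above, how the same wall-clock string is interpreted with no time zone, with a zone name, with an hours offset, and with the %E3S fractional-seconds element, so that the resulting instants can be compared. It assumes that a string parsed without a time zone is taken as UTC, maps the XQL elements %h and %EnS onto Python's %b and %S.%f, and uses constructed sample values for the date and time fields; the function names parse_timestamp and format_string are deliberately borrowed from the page, but the implementation is hypothetical. The point for a defender is that the three DHCP queries yield instants eight hours apart for identical input, which is the difference between a lease event lining up with other telemetry and not.

```python
"""Hypothetical model of XQL parse_timestamp()/format_string() semantics.

Not XQL and not Cortex XDR code: an illustration of how the time-zone
argument and the %E3S element change the instant that is produced.
"""
import re
from datetime import datetime, timedelta, timezone

# %E*S (any fractional precision) or %EnS (n fractional digits) -> %S.%f
_FRAC = re.compile(r"%E(\*|\d)S")
# Hours-offset form accepted by the page: "+08:00", "-05:30", ...
_OFFSET = re.compile(r"^([+-])(\d{2}):(\d{2})$")


def _python_format(fmt: str) -> str:
    """Translate the XQL format elements used on this page into strptime ones.

    %h -> %b (abbreviated month name), %E*S / %EnS -> %S.%f. The other elements
    on the page (%m %d %Y %H %M %S) are the same in both dialects.
    """
    return _FRAC.sub("%S.%f", fmt.replace("%h", "%b"))


def _zone(tz):
    """Resolve the optional <time zone> argument to a tzinfo.

    None        -> UTC (assumption: the model treats zone-less input as UTC)
    "+08:00"    -> fixed offset, parsed by hand
    "Asia/..."  -> IANA name resolved via zoneinfo (needs tzdata on the host)
    """
    if tz is None:
        return timezone.utc
    m = _OFFSET.match(tz)
    if m:
        sign = 1 if m.group(1) == "+" else -1
        return timezone(sign * timedelta(hours=int(m.group(2)), minutes=int(m.group(3))))
    from zoneinfo import ZoneInfo  # imported lazily so offsets work without tzdata
    return ZoneInfo(tz)


def format_string(fmt: str, *fields) -> str:
    """Stand-in for XQL format_string() with %s placeholders."""
    return fmt % fields


def parse_timestamp(fmt: str, text: str, tz=None) -> datetime:
    """Mirror parse_timestamp(<format>, <string>[, <zone>]): return an aware datetime."""
    naive = datetime.strptime(text, _python_format(fmt))
    return naive.replace(tzinfo=_zone(tz))  # zoneinfo/fixed offsets are safe with replace()


def zone_shift_seconds(fmt: str, text: str, tz: str) -> float:
    """How far (in seconds) the zoned interpretation of `text` is from the UTC one."""
    return parse_timestamp(fmt, text).timestamp() - parse_timestamp(fmt, text, tz).timestamp()


if __name__ == "__main__":
    # Constructed stand-ins for the microsoft_dhcp_raw `date` and `time` fields.
    date, time = "06/25/2021", "18:31:25"
    merged = format_string("%s %s", date, time)
    fmt = "%m/%d/%Y %H:%M:%S"
    for tz in (None, "+08:00", "Asia/Singapore"):
        try:
            ts = parse_timestamp(fmt, merged, tz)
            print(f"{str(tz):15} -> {ts.isoformat()}  epoch={ts.timestamp():.0f}")
        except Exception as exc:  # e.g. zoneinfo without tzdata installed
            print(f"{str(tz):15} -> could not resolve zone: {exc}")
    # The millisecond case from the last query on the page.
    ms = parse_timestamp("%h %d %Y %H:%M:%E3S", "Jun 25 2024 18:31:25.723")
    print("with %E3S       ->", ms.isoformat())
```

Run it and the first two DHCP interpretations print epoch values 28800 seconds apart; the named-zone line matches the "+08:00" one wherever tzdata is available. When normalizing logs that are written in local time, pass the zone explicitly, because the zone-less result is the one that silently lands eight hours off.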