extract_time

Cortex XDR XQL Language Reference

Product: Cortex XDR
Creation date: 2024-07-16
Last date published: 2024-11-25
Category: Reference Guide
Abstract

Learn more about the Cortex Query Language extract_time() function that returns a specified portion of a timestamp.

Syntax

extract_time (<timestamp>, <part>)

Description

The extract_time() function returns a specified part of a timestamp. The part parameter must be one of the following keywords:

  • DAY
  • DAYOFWEEK
  • DAYOFYEAR
  • HOUR
  • MICROSECOND
  • MILLISECOND
  • MINUTE
  • MONTH
  • QUARTER
  • SECOND
  • YEAR

Example

dataset = xdr_data 
| alter timepart = extract_time(current_time(), "HOUR") 
| fields timepart 
| limit 1
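
The following query is an added example, not part of the original reference page. It applies extract_time() to each event's own timestamp instead of current_time(), to surface hosts with process activity outside working hours. The fields _time, event_type, agent_hostname and action_process_image_name are assumed to be present in xdr_data, and the off-hours window is a constructed threshold.

```xql
// Added example: count process events per host that fall outside working hours.
dataset = xdr_data
| filter event_type = ENUM.PROCESS
// Extract parts from the event timestamp (_time), not from current_time()
| alter event_hour = extract_time(_time, "HOUR"),
        event_dow = extract_time(_time, "DAYOFWEEK")
// Assumed off-hours window: before 06:00 or from 22:00 onward
| filter event_hour < 6 or event_hour >= 22
// Group by host, hour and day of week so recurring off-hours activity stands out
| comp count(action_process_image_name) as process_events by agent_hostname, event_hour, event_dow
| sort desc process_events
| limit 50
```

Before tuning the window, confirm the time zone in which the tenant evaluates timestamps and how DAYOFWEEK numbers the days, since this page states neither.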