parse_timestamp - Reference Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR XQL Language Reference
Product
Cortex XDR
Creation date
2024-02-26
Last date published
2024-04-16
Category
Reference Guide
Abstract

Learn more about the Cortex Query Language parse_timestamp() function that returns a TIMESTAMP object.

Syntax

parse_timestamp("<time string>", format_string("<format string>", <field_1>, <field_2>,...<field_n> ))
parse_timestamp("<time string>", format_string("<format string>", <field_1>, <field_2>,...<field_n> ), "<time zone>")

Description

The parse_timestamp() function returns a TIMESTAMP object after converting a string representation of a timestamp. The <time zone> offset is optional to configure using an hours offset, such as “+08:00”, or using a time zone name from the List of Supported Time Zones, such as "America/Chicago". The parse_timestamp() function should include both an Alter stage and format_string function. For more information, see the examples below. The format_string function contains the format elements that define how the parse_timestamp string is formatted. Each element in the parse_timestamp string must have a corresponding element in format_string. The location of each element in the format_string must match the location of each element in parse_timestamp.

Examples

  • Without a time zone configured

    Returns a maximum of 100 microsoft_dhcp_raw records, which includes a TIMESTAMP object in the p_t_test field in the format MMM dd YYYY HH:mm:ss, such as Jun 25th 2021 18:31:25. This format is detailed in the format_string function, which includes merging both the date and time fields.

    dataset = microsoft_dhcp_raw 
| alter p_t_test = parse_timestamp("%m/%d/%Y %H:%M:%S", format_string("%s %s", date, time)) 
| fields p_t_test 
| limit 100

  • With a time zone name configured

    Returns a maximum of 100 microsoft_dhcp_raw records, which includes a TIMESTAMP object in the p_t_test field in the format MMM dd YYYY HH:mm:ss, such as Jun 25th 2021 18:31:25. This format is detailed in the format_string function, which includes merging both the date and time fields, and includes a "Asia/Singapore" time zone.

    dataset = microsoft_dhcp_raw 
| alter p_t_test = parse_timestamp("%m/%d/%Y %H:%M:%S", format_string("%s %s", date, time), "Asia/Singapore") 
| fields p_t_test 
| limit 100

  • With a time zone configured using an hours offset

    Returns a maximum of 100 microsoft_dhcp_raw records, which includes a TIMESTAMP object in the p_t_test field in the format MMM dd YYYY HH:mm:ss, such as Jun 25th 2021 18:31:25. This format is detailed in the format_string function, which includes merging both the date and time fields, and includes a time zone using an hours offset of “+08:00”.

    dataset = microsoft_dhcp_raw 
| alter p_t_test = parse_timestamp("%m/%d/%Y %H:%M:%S", format_string("%s %s", date, time), “+08:00”) 
| fields p_t_test 
| limit 100