time_frame_end - Reference Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR XQL Language Reference

Product: Cortex XDR
Creation date: 2024-02-26
Last date published: 2024-04-16
Category: Reference Guide
Abstract

Learn more about the Cortex Query Language time_frame_end() function that returns the end time of the time range specified for the query.

Syntax

time_frame_end(<time frame>)

Description

The time_frame_end() function returns the timestamp object for the end of the time frame configured for the query. Its string representation uses the format MMM dd YYYY HH:mm:ss, such as Jun 8th 2022 15:20:06. You configure the time frame using the config timeframe function, where the range can be relative or exact.

If the time frame is relative, for example last 24H, the function returns current_time(). The function is most useful when the query uses a custom time frame whose end time is in the past.

Example 1 - Relative Time

For the last 5 days from when the query is sent, returns a maximum of 100 xdr_data records with the events of the _time field, adding a new field called "x". The "x" field holds the final timestamp at the end of the 5 days from when the query was sent, and the events are listed in descending order. For more information on this relative time frame range, see the config timeframe function.

config timeframe = 5d
| dataset = xdr_data
| alter x = time_frame_end()
| fields x
| sort desc x

Example 2 - Relative Time

For the last 5 days from when the query is run until now, returns a maximum of 100 xdr_data records with the events of the _time field, adding a new field called "x". The "x" field holds the final timestamp at the end of the 5 days from when the query runs, and the events are listed in descending order. For more information on this relative time frame range, see the config timeframe function.

config timeframe = between "5d" and "now"
| dataset = xdr_data
| alter x = time_frame_end()
| fields x
| sort desc x
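
The case the Description calls out, a custom time frame whose end is in the past, shown as an added example that is not part of the original reference page. It goes one step beyond the page by using timestamp_diff() to measure how long before the end of the investigated window each event occurred. The dates are constructed, the exact-timestamp format is assumed to follow the config timeframe function's syntax, and the field names window_end and minutes_before_end are hypothetical.

```xql
// Added example: exact time frame that ended in the past (constructed dates;
// timestamp format assumed from the config timeframe function).
config timeframe = between "2024-03-01 00:00:00 +00:00" and "2024-03-02 00:00:00 +00:00"
| dataset = xdr_data
// With an exact range, time_frame_end() is the configured end of the window,
// not current_time() as it would be for a relative range such as 5d.
| alter window_end = time_frame_end()
// Minutes between each event and the end of the investigated window.
| alter minutes_before_end = timestamp_diff(window_end, _time, "MINUTE")
| fields _time, window_end, minutes_before_end
// Events closest to the end of the window come first.
| sort asc minutes_before_end
| limit 100
```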