to_epoch - Reference Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR XQL Language Reference

Product: Cortex XDR
Creation date: 2023-10-31
Last date published: 2024-03-27
Category: Reference Guide
Abstract

Learn more about the Cortex Query Language to_epoch() function that converts a timestamp value for a field or function to the Unix epoch timestamp format.

Syntax

to_epoch (<timestamp>, <time unit>)

Description

The to_epoch() function converts the timestamp value of a particular field or function to the Unix epoch timestamp format. The <time unit> argument indicates whether the resulting integer represents seconds (the default), milliseconds, or microseconds since the Unix epoch. If no <time unit> is specified, SECONDS is used. Supported values are:

  • SECONDS

  • MILLIS

  • MICROS

Example

Returns a maximum of 100 xdr_data records whose _time field is not null, adding a field called ts that holds the Unix epoch value, in milliseconds, equivalent to each record's _time timestamp. Only the ts field is returned.

dataset = xdr_data
| filter _time != null
| alter ts = to_epoch(_time, "MILLIS")
| fields ts
| limit 100
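The following is an added example, not code from the Cortex XDR documentation or product: a small Python model of the description and query above, useful for checking a ts value exported from a query against the original timestamp. It mirrors the XQL behaviour (SECONDS default; SECONDS, MILLIS and MICROS accepted) and adds two assumptions of its own: a timestamp with no UTC offset is treated as UTC, and the sample rows are constructed here rather than taken from xdr_data.

```python
from datetime import datetime, timedelta, timezone
from typing import Union

# The unit names mirror the XQL <time unit> values. Each value is the number
# of microseconds in one unit, so we can do exact integer arithmetic.
_UNIT_DIVISOR = {
    "SECONDS": 1_000_000,
    "MILLIS": 1_000,
    "MICROS": 1,
}

_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def _parse_timestamp(value: Union[str, datetime]) -> datetime:
    """Return a timezone-aware datetime for an ISO 8601 string or datetime.

    Assumption (not stated on the page): a naive timestamp, i.e. one with no
    UTC offset, is taken to be UTC. A trailing 'Z' is rewritten to '+00:00'
    because datetime.fromisoformat() only accepts 'Z' from Python 3.11 on.
    """
    if isinstance(value, datetime):
        dt = value
    else:
        text = value.strip()
        if text.endswith("Z"):
            text = text[:-1] + "+00:00"
        dt = datetime.fromisoformat(text)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def to_epoch(value: Union[str, datetime], unit: str = "SECONDS") -> int:
    """Convert a timestamp to an integer Unix epoch value in the given unit.

    As in XQL, the unit defaults to SECONDS and only SECONDS, MILLIS and
    MICROS are accepted (matched case-insensitively here). Dividing the
    timedelta as an integer microsecond count avoids float rounding errors
    that datetime.timestamp() would introduce for MICROS.
    """
    key = unit.upper()
    if key not in _UNIT_DIVISOR:
        raise ValueError(
            f"unsupported time unit {unit!r}; expected one of {sorted(_UNIT_DIVISOR)}"
        )
    delta = _parse_timestamp(value) - _EPOCH
    total_micros = delta // timedelta(microseconds=1)  # exact int, no floats
    return total_micros // _UNIT_DIVISOR[key]


def from_epoch(value: int, unit: str = "SECONDS") -> datetime:
    """Inverse of to_epoch(): turn an exported ts value back into a UTC datetime."""
    key = unit.upper()
    if key not in _UNIT_DIVISOR:
        raise ValueError(
            f"unsupported time unit {unit!r}; expected one of {sorted(_UNIT_DIVISOR)}"
        )
    return _EPOCH + timedelta(microseconds=value * _UNIT_DIVISOR[key])


def convert_rows(rows, unit: str = "MILLIS", limit: int = 100):
    """Model the page's query: drop rows with a null _time, add ts, keep only ts,
    and return at most `limit` rows."""
    out = []
    for row in rows:
        if row.get("_time") is None:  # filter _time != null
            continue
        out.append({"ts": to_epoch(row["_time"], unit)})  # alter ts = ...; fields ts
        if len(out) >= limit:  # limit N
            break
    return out


# Constructed sample rows standing in for xdr_data records; not real data.
SAMPLE_ROWS = [
    {"_time": "2023-10-31T00:00:00Z", "event_type": 1},
    {"_time": None, "event_type": 1},
    {"_time": "2023-10-31T00:00:01.500Z", "event_type": 2},
    {"_time": "2024-03-27T12:00:00Z", "event_type": 3},
]

if __name__ == "__main__":
    for row in convert_rows(SAMPLE_ROWS):
        print(row, "->", from_epoch(row["ts"], "MILLIS").isoformat())
```

When comparing a ts value from a query with a timestamp from another system, check the unit first: a value around 1.7e9 is seconds, around 1.7e12 milliseconds, and around 1.7e15 microseconds, and mixing them up shifts an event by decades.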