Learn more about the Cortex Query Language to_epoch() function, which converts a timestamp value for a field or function to the Unix epoch timestamp format.
Syntax
to_epoch (<timestamp>, <time unit>)
Description
The to_epoch() function converts a timestamp value for a particular field or function to the Unix epoch timestamp format. The optional <time unit> argument indicates whether the integer value returned for the Unix epoch timestamp represents seconds (default), milliseconds, or microseconds. If no <time unit> is specified, the default (seconds) is used. Supported values are:
SECONDS
MILLIS
MICROS
Example
Returns a maximum of 100 xdr_data records whose _time field is set, adding a field called ts that holds the equivalent Unix epoch value in milliseconds for the timestamp in the _time field.
dataset = xdr_data | filter _time != null | alter ts = to_epoch(_time, "MILLIS") | fields ts | limit 100
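When ts values from a query like the one above are correlated with timestamps from other log sources, it is useful to have an independent reference for what to_epoch() should return for a given unit. The Python below is an added example, not XQL and not the vendor's implementation: it emulates the SECONDS, MILLIS and MICROS conversions with exact integer arithmetic (no float rounding), treats a timestamp without a timezone offset as UTC (an assumption; check the timezone of your own data), and includes a small checker, check_rows(), that compares constructed (_time, ts) rows against the emulated result.

```python
from datetime import datetime, timezone

# Scale factors for the supported <time unit> values (SECONDS is the default).
UNIT_SCALE = {"SECONDS": 1, "MILLIS": 1_000, "MICROS": 1_000_000}

_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def to_epoch(ts, unit="SECONDS"):
    """Emulate to_epoch(<timestamp>, <time unit>) for a datetime or ISO-8601 string.

    Assumption: a timestamp with no offset is interpreted as UTC.
    Returns an int; sub-unit precision is truncated, not rounded.
    """
    if isinstance(ts, str):
        # fromisoformat() on older Python does not accept a trailing "Z".
        ts = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    if ts.tzinfo is None:
        ts = ts.replace(tzinfo=timezone.utc)
    scale = UNIT_SCALE[unit.upper()]
    # Exact integer microseconds since the epoch, then scale down.
    delta = ts - _EPOCH
    micros = (delta.days * 86_400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros // (1_000_000 // scale)


def check_rows(rows, unit="MILLIS"):
    """Return the (_time, ts, expected) triples whose ts disagrees with to_epoch()."""
    mismatches = []
    for time_value, ts_value in rows:
        expected = to_epoch(time_value, unit)
        if ts_value != expected:
            mismatches.append((time_value, ts_value, expected))
    return mismatches


# Constructed sample rows shaped like the query output (_time, ts); the
# last row deliberately carries a ts in seconds instead of milliseconds.
SAMPLE_ROWS = [
    ("2024-01-01T00:00:00Z", 1704067200000),
    ("2024-01-01T02:00:00+02:00", 1704067200000),
    ("2024-01-01T00:00:00.123456Z", 1704067200123),
    ("2024-01-01T00:00:01Z", 1704067201),
]

if __name__ == "__main__":
    for unit in UNIT_SCALE:
        print(unit, to_epoch("2024-01-01T00:00:00Z", unit))
    print("mismatched rows:", check_rows(SAMPLE_ROWS, "MILLIS"))
```

The checker is the part worth keeping around: a ts column that is off by a factor of 1000 usually means the unit in the query and the unit expected by the consuming system disagree, which shows up as events dated in 1970 or far in the future.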