extract_time

Cortex XSIAM Documentation

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2025-04-16
Category: Administrator Guide
Abstract

Learn more about the Cortex Query Language extract_time() function that returns a specified portion of a timestamp.

Syntax
extract_time (<timestamp>, <part>)
Description

Important

The values returned by extract_time() are based on GMT, even if you've adjusted the Timezone or Timestamp Format server settings, because those settings only affect how timestamps are displayed in Cortex XSIAM. For more information on the server settings, see Configure server settings.

The extract_time() function returns a specified part of a timestamp. The part parameter must be one of the following keywords:

  • DAY

  • DAYOFWEEK

  • DAYOFYEAR

  • HOUR

  • MICROSECOND

  • MILLISECOND

  • MINUTE

  • MONTH

  • QUARTER

  • SECOND

  • YEAR

Example
dataset = xdr_data 
| alter timepart = extract_time(current_time(), "HOUR") 
| fields timepart 
| limit 1
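
The GMT behavior described in the Important note matters most when extract_time() drives a time-of-day filter, because the hour it returns can differ from the hour shown in the console. The query below is an added example, not part of the original documentation. It assumes a site at a fixed UTC+2 offset with business hours of 08:00 to 18:00 local time (constructed values), and it uses the xdr_data fields event_type and agent_hostname.

```xql
// Added example: count process events that occur outside business hours.
// Assumption (constructed): business hours are 08:00-18:00 local time at UTC+2,
// which corresponds to 06:00-16:00 GMT.
// extract_time() returns the hour in GMT regardless of the Timezone server
// setting, so the filter is written against the GMT window, not the local one.
dataset = xdr_data
| filter event_type = ENUM.PROCESS
| alter hour_gmt = extract_time(_time, "HOUR")
// Off-hours in GMT: before 06:00 or from 16:00 onward.
| filter hour_gmt < 6 or hour_gmt >= 16
| comp count() as off_hours_events by agent_hostname, hour_gmt
| sort desc off_hours_events
```

A fixed offset does not follow daylight saving time, so the GMT window has to be adjusted whenever the site's offset from GMT changes.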