format_timestamp - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Product: Cortex XSIAM
Creation date: 2024-03-06
Last date published: 2024-10-07
Category: Administrator Guide
Abstract

Learn more about the Cortex Query Language format_timestamp() function that returns a string after formatting a timestamp according to a specified string format.

Syntax
format_timestamp("<format string>", <timestamp field>)
format_timestamp("<format string>", <timestamp field>, "<time zone>")
Description

The format_timestamp() function returns a string after formatting a timestamp according to a specified string format. The <time zone> argument is optional and accepts either an hours offset, such as "+08:00", or a time zone name from the List of Supported Time Zones, such as "America/Chicago". The format_timestamp() function is used inside an alter stage. For more information, see the examples below.

Examples

  • Without a time zone configured

    Returns a maximum of 100 xdr_data records, each of which includes a string field called new_time in the format YYYY/MM/dd HH:mm:ss, such as 2021/11/12 12:10:30. The alter stage calls format_timestamp with the format string %Y/%m/%d %H:%M:%S on the _time field and no time zone argument.

    dataset = xdr_data
    | alter new_time = format_timestamp("%Y/%m/%d %H:%M:%S", _time)
    | fields new_time
    | limit 100

  • With a time zone configured using an hours offset

    Returns a maximum of 100 xdr_data records, each of which includes a string field called new_time in the format YYYY/MM/dd HH:mm:ss, such as 2021/11/12 01:53:35. The alter stage calls format_timestamp with the format string %Y/%m/%d %H:%M:%S on the _time field and applies the +03:00 hours offset as the time zone.

    dataset = xdr_data
    | alter new_time = format_timestamp("%Y/%m/%d %H:%M:%S", _time, "+03:00")
    | fields new_time
    | limit 100

  • With a time zone name configured

    Returns a maximum of 100 xdr_data records, each of which includes a string field called new_time in the format YYYY/MM/dd HH:mm:ss, such as 2021/11/12 01:53:35. The alter stage calls format_timestamp with the format string %Y/%m/%d %H:%M:%S on the _time field and applies the "America/Chicago" time zone name.

    dataset = xdr_data
    | fields _time
    | alter new_time = format_timestamp("%Y/%m/%d %H:%M:%S", _time, "America/Chicago")
    | fields new_time
    | limit 100
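As an added reference example (not Cortex XSIAM or XQL code), the following Python mirrors the three call forms shown above so you can precompute the string a query should produce for a known _time value before relying on it in a detection or report; it assumes that _time is an epoch timestamp in milliseconds and that the offset form is always written as ±HH:MM. The record list, function names and sample timestamp are constructed for this example.

```python
import re
from datetime import datetime, timedelta, timezone
from zoneinfo import ZoneInfo

# Assumption: _time is an epoch timestamp in milliseconds, as stored in xdr_data.
_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
_OFFSET_RE = re.compile(r"^([+-])(\d{2}):(\d{2})$")


def resolve_time_zone(tz):
    """Map the optional <time zone> argument to a tzinfo.

    None -> UTC; "+03:00" / "-05:30" -> fixed offset; anything else is treated
    as an IANA name such as "America/Chicago", which follows that zone's DST rules.
    """
    if tz is None:
        return timezone.utc
    m = _OFFSET_RE.match(tz)
    if m:
        sign, hours, minutes = m.groups()
        delta = timedelta(hours=int(hours), minutes=int(minutes))
        return timezone(-delta if sign == "-" else delta)
    try:
        return ZoneInfo(tz)
    except (KeyError, ValueError):
        raise ValueError(f"unsupported time zone: {tz!r}")


def format_timestamp(fmt, epoch_ms, tz=None):
    """Python equivalent of format_timestamp("<format>", _time[, "<time zone>"])."""
    instant = _EPOCH + timedelta(milliseconds=epoch_ms)  # keeps millisecond precision
    return instant.astimezone(resolve_time_zone(tz)).strftime(fmt)


def alter_new_time(records, fmt, tz=None, limit=100):
    """Mirror the query: | alter new_time = ... | fields new_time | limit N."""
    return [{"new_time": format_timestamp(fmt, r["_time"], tz)} for r in records[:limit]]


# Constructed sample record: 2021-11-12 12:10:30 UTC expressed in epoch milliseconds.
SAMPLE_RECORDS = [{"_time": 1636719030000}]

if __name__ == "__main__":
    for tz in (None, "+03:00", "America/Chicago"):
        print(tz, alter_new_time(SAMPLE_RECORDS, "%Y/%m/%d %H:%M:%S", tz))
```

The same instant formats to 12:10:30 with no time zone, 15:10:30 with "+03:00", and 06:10:30 with "America/Chicago" (standard time in November), which is the difference between a fixed offset and a named zone.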