format_timestamp - Learn more about the Cortex Query Language format_timestamp() function that returns a string after formatting a timestamp according to a specified string format. - Administrator Guide - Cortex XSIAM - Cortex

format_timestamp - Learn more about the Cortex Query Language format_timestamp() function that returns a string after formatting a timestamp according to a specified string format. - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product

Cortex XSIAM

Creation date

2024-03-06

Last date published

2025-11-14

Syntax

format_timestamp("<format string>", <timestamp field>)

format_timestamp("<format string>", <timestamp field>, "<time zone>")

Description

The format_timestamp() function returns a string after formatting a timestamp according to a specified string format. The <time zone> is optional to configure using an hours offset, such as “+08:00”, or using a time zone name from the List of Supported Time Zones, such as "America/Chicago". The format_timestamp() function should include an alter stage. For more information, see the examples below.

Examples

Without a time zone configured
Returns a maximum of 100 xdr_data records, which includes a string field called new_time in the format YYYY/MM/dd HH:mm:ss, such as 2021/11/12 12:10:30. This format is detailed in the format_timestamp function, which defines retrieving the new_time (%Y/%m/%d %H:%M:%S) from the _time field.
```
dataset = xdr_data
| alter new_time = format_timestamp("%Y/%m/%d %H:%M:%S", _time) 
| fields new_time 
| limit 100
```
With a time zone configured using an hours offset
Returns a maximum of 100 xdr_data records, which includes a string field called new_time in the format YYYY/MM/dd HH:mm:ss, such as 2021/11/12 01:53:35. This format is detailed in the format_timestamp function, which defines the retrieving the new_time (%Y/%m/%d %H:%M:%S) from the _time field and adding +03:00 hours as the time zone format.
```
dataset = xdr_data  
| alter new_time = format_timestamp("%Y/%m/%d %H:%M:%S", _time, "+03:00") 
| fields new_time 
| limit 100
```
With a time zone name configured
Returns a maximum of 100 xdr_data records, which includes a string field called new_time in the format YYYY/MM/dd HH:mm:ss, such as 2021/11/12 01:53:35. This format is detailed in the format_timestamp function, which defines the retrieving the new_time (%Y/%m/%d %H:%M:%S) from the _time field, and includes an "America/Chicago" time zone.
```
dataset = xdr_data 
| fields _time
| alter new_time = format_timestamp("%Y/%m/%d %H:%M:%S", _time, "America/Chicago")
| fields new_time
| limit 100
```