extract_time - Reference Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM XQL Language Reference

Product: Cortex XSIAM
Creation date: 2024-02-26
Last date published: 2024-04-21
Category: Reference Guide
Abstract

Learn more about the Cortex Query Language extract_time() function that returns a specified portion of a timestamp.

Syntax

extract_time (<timestamp>, <part>)

Description

The extract_time() function returns a specified part of a timestamp. The part parameter must be one of the following keywords:

  • DAY

  • DAYOFWEEK

  • DAYOFYEAR

  • HOUR

  • MICROSECOND

  • MILLISECOND

  • MINUTE

  • MONTH

  • QUARTER

  • SECOND

  • YEAR

Example

dataset = xdr_data 
| alter timepart = extract_time(current_time(), "HOUR") 
| fields timepart 
| limit 1
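
The following hunting query is an added example, not part of the original reference page. It uses extract_time() on each event's own timestamp to count process starts that fall outside working hours, per host. The xdr_data fields used (_time, event_type, event_sub_type, agent_hostname) and the 22:00 to 06:00 window are assumptions; adjust the window to the timezone and schedule of your environment.

```xql
// Added example: off-hours process starts per host and hour.
// Assumed fields: _time, event_type, event_sub_type, agent_hostname.
// The hour boundaries (before 06:00, from 22:00) are illustrative.
dataset = xdr_data
| filter event_type = ENUM.PROCESS and event_sub_type = ENUM.PROCESS_START
// Pull the hour component out of each event's timestamp
| alter event_hour = extract_time(_time, "HOUR")
// Keep only events whose hour falls outside the assumed working day
| filter event_hour < 6 or event_hour >= 22
// Aggregate so unusual hosts and hours stand out
| comp count() as off_hours_events by agent_hostname, event_hour
| sort desc off_hours_events
| limit 50
```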