Learn more about the Cortex Query Language format_timestamp() function that returns a string after formatting a timestamp according to a specified string format.
Syntax
format_timestamp("<format string>", <timestamp field>)format_timestamp("<format string>", <timestamp field>, "<time zone>")Description
The format_timestamp() function returns a string after formatting a timestamp according to a specified string format. The <time zone> is optional to configure. The format_timestamp() function should include an alter stage. For more information, see the examples below.
Examples
Without a time zone configured
Returns a maximum of 100
xdr_datarecords, which includes a string field called new_time in the format YYYY/MM/dd HH:mm:ss, such as 2021/11/12 12:10:30. This format is detailed in theformat_timestampfunction, which defines retrieving the new_time (%Y/%m/%d %H:%M:%S) from the_timefield.dataset = xdr_data | alter new_time = format_timestamp("%Y/%m/%d %H:%M:%S", _time) | fields new_time | limit 100With a time zone configured
Returns a maximum of 100
xdr_datarecords, which includes a string field called new_time in the format YYYY/MM/dd HH:mm:ss, such as 2021/11/12 01:53:35. This format is detailed in theformat_timestampfunction, which defines the retrieving the new_time (%Y/%m/%d %H:%M:%S) from the_timefield and adding +03:00 hours as the time zone format.dataset = xdr_data | alter hour = format_timestamp("%Y/%m/%d %H:%M:%S", _time, "+03:00") | fields hour | limit 100