timestamp_diff - Reference Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM XQL Language Reference

Product: Cortex XSIAM
Creation date: 2024-02-26
Last date published: 2024-04-21
Category: Reference Guide
Abstract

Learn more about the Cortex Query Language timestamp_diff() function that returns the difference between two timestamp objects.

Syntax

timestamp_diff (<timestamp1>, <timestamp2>, <part>)

Description

The timestamp_diff() function returns the difference between two timestamp objects. The unit in which the difference is expressed is identified by the part parameter. The second timestamp is subtracted from the first, so if the first timestamp is later than the second, a positive value is returned. The result is a whole number of the requested unit: if the difference is between 0 and 1 of that unit, 0 is returned.

Supported parts are:

  • DAY

  • HOUR

  • MINUTE

  • SECOND

  • MILLISECOND

  • MICROSECOND

Example

// Convert the epoch-milliseconds field to a timestamp, then measure how many
// whole minutes have elapsed between that time and the current time.
dataset = xdr_data
| filter story_publish_timestamp != null
| alter ts = to_timestamp(story_publish_timestamp, "MILLIS")
| alter ct = current_time()
| alter diff = timestamp_diff(ct, ts, "MINUTE")
| fields ts, ct, diff
| limit 1
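The following query is an added example that is not part of the reference page; it applies the subtraction order and unit rules from the Description section to a common SOC health check, ingestion latency. It assumes that the xdr_data dataset exposes an event-time field named _time and an ingestion-time field named _insert_time, and that 900 seconds is an acceptable delay threshold for the environment (both are assumptions, not values from this page). Because the ingestion time is passed as the first argument, a negative result means the event carries a timestamp later than the moment it was ingested, which usually points to clock skew on the source.

```xql
// Added example (not from the reference page).
// Assumes xdr_data exposes _time (event time) and _insert_time (ingestion time).
dataset = xdr_data
| filter _time != null and _insert_time != null
// Whole seconds from event time to ingestion time (second argument is subtracted from the first).
| alter lag_seconds = timestamp_diff(_insert_time, _time, "SECOND")
// Negative lag: event timestamp is later than ingestion (clock skew on the source).
// Lag above the assumed 900-second threshold: delayed ingestion worth investigating.
| alter lag_status = if(lag_seconds < 0, "future_event",
                        if(lag_seconds > 900, "delayed", "normal"))
| comp count() as events, max(lag_seconds) as max_lag_seconds, min(lag_seconds) as min_lag_seconds by lag_status
```

Running this over a recent time range gives one row per lag_status; a non-zero events count in the future_event bucket, or a large max_lag_seconds in the delayed bucket, indicates that detections relying on event time may fire late or not at all. Swapping "SECOND" for "MINUTE" coarsens the result because the function returns whole units only.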