https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-use-xql-parse-timestamp/m-p/554333#M4993 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/307702">@unlucky</a>&nbsp;,</P> <P>&nbsp;</P> <P>Thanks for reaching out on LiveCommunity!</P> <P>I think the function you are looking for is format_timestamp in place of format_string because your data is already in timestamp format.</P> <P>Lets understand the definition of these 3 functions.</P> <P><SPAN class="hljs-built_in">parse_timestamp</SPAN><SPAN>() -&gt;&nbsp;The&nbsp;<CODE class="computeroutput hljs language-scss"><SPAN class="hljs-built_in">parse_timestamp</SPAN>()</CODE>&nbsp;function returns a TIMESTAMP object after converting a string representation of a timestamp.</SPAN></P> <P><SPAN><SPAN class="hljs-built_in">format_timestamp</SPAN>() -&gt;&nbsp;The&nbsp;<CODE class="computeroutput hljs language-scss"><SPAN class="hljs-built_in">format_timestamp</SPAN>()</CODE>&nbsp;function returns a string after formatting a timestamp according to a specified string format.</SPAN></P> <P><SPAN><SPAN class="hljs-built_in"><SPAN class="proto-highlight">format_string</SPAN></SPAN>() -&gt;&nbsp;The&nbsp;<CODE class="computeroutput hljs language-scss"><SPAN class="hljs-built_in"><SPAN class="proto-highlight">format_string</SPAN></SPAN>()</CODE>&nbsp;function returns a string from a format string that contains zero or more format specifiers, along with a variable length list of additional arguments that matches the format specifiers.&nbsp;</SPAN></P> <P><SPAN>Since the string you are trying to convert is already a timestamp hence please use format_timestamp function which will take a timestamp and return a string to parse_timestamp function to convert it to a timestamp of your choice. I have tried below line and its working for me.</SPAN></P> <P><SPAN>alter time_test = parse_timestamp("%Y/%m/%d %H:%M:%S", format_timestamp("%Y/%m/%d %H:%M:%S", _time))</SPAN></P> <P>&nbsp;</P> <P><SPAN>Below are the reference link for above functions.</SPAN></P> <P><SPAN><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/parse_timestamp" target="_blank">https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/parse_timestamp</A></SPAN></P> <P><SPAN><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/format_timestamp" target="_blank">https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/format_timestamp</A></SPAN></P> <P><SPAN><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/format_string" target="_blank">https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/format_string</A></SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 18 Aug 2023 16:22:32 GMT nsinghvirk 2023-08-18T16:22:32Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-use-xql-parse-timestamp/m-p/554191#M4990 <P>I am trying to <STRONG>convert a string to a timestamp object</STRONG> and cannot understand how the parse_timestamp function works.<BR /><BR /></P> <P>My string is as follow :&nbsp;</P> <DIV> <DIV><EM>"2023-08-17T17:40:38.000246+0300"</EM></DIV> <DIV>&nbsp;</DIV> <DIV>My XQL query is as follow :</DIV> <DIV><EM>alter</EM></DIV> <DIV><EM>timestamp = parse_timestamp("%Y-%m-%dT%H:%M:%S", format_string("%s", &lt;field containing the timestamp string&gt;))</EM></DIV> <DIV>&nbsp;</DIV> <DIV>This is clearly not the right way to use this function, but I cannot find any clear example showing how the function works...<BR /><STRONG>Does anybody have a working example and can show their input and output ?</STRONG></DIV> <DIV>&nbsp;</DIV> <DIV>The <A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/parse_timestamp" target="_blank" rel="noopener">documentation</A>&nbsp;is not helpful</DIV> </DIV> Thu, 17 Aug 2023 15:38:38 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-use-xql-parse-timestamp/m-p/554191#M4990 unlucky 2023-08-17T15:38:38Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-use-xql-parse-timestamp/m-p/554333#M4993 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/307702">@unlucky</a>&nbsp;,</P> <P>&nbsp;</P> <P>Thanks for reaching out on LiveCommunity!</P> <P>I think the function you are looking for is format_timestamp in place of format_string because your data is already in timestamp format.</P> <P>Lets understand the definition of these 3 functions.</P> <P><SPAN class="hljs-built_in">parse_timestamp</SPAN><SPAN>() -&gt;&nbsp;The&nbsp;<CODE class="computeroutput hljs language-scss"><SPAN class="hljs-built_in">parse_timestamp</SPAN>()</CODE>&nbsp;function returns a TIMESTAMP object after converting a string representation of a timestamp.</SPAN></P> <P><SPAN><SPAN class="hljs-built_in">format_timestamp</SPAN>() -&gt;&nbsp;The&nbsp;<CODE class="computeroutput hljs language-scss"><SPAN class="hljs-built_in">format_timestamp</SPAN>()</CODE>&nbsp;function returns a string after formatting a timestamp according to a specified string format.</SPAN></P> <P><SPAN><SPAN class="hljs-built_in"><SPAN class="proto-highlight">format_string</SPAN></SPAN>() -&gt;&nbsp;The&nbsp;<CODE class="computeroutput hljs language-scss"><SPAN class="hljs-built_in"><SPAN class="proto-highlight">format_string</SPAN></SPAN>()</CODE>&nbsp;function returns a string from a format string that contains zero or more format specifiers, along with a variable length list of additional arguments that matches the format specifiers.&nbsp;</SPAN></P> <P><SPAN>Since the string you are trying to convert is already a timestamp hence please use format_timestamp function which will take a timestamp and return a string to parse_timestamp function to convert it to a timestamp of your choice. I have tried below line and its working for me.</SPAN></P> <P><SPAN>alter time_test = parse_timestamp("%Y/%m/%d %H:%M:%S", format_timestamp("%Y/%m/%d %H:%M:%S", _time))</SPAN></P> <P>&nbsp;</P> <P><SPAN>Below are the reference link for above functions.</SPAN></P> <P><SPAN><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/parse_timestamp" target="_blank">https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/parse_timestamp</A></SPAN></P> <P><SPAN><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/format_timestamp" target="_blank">https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/format_timestamp</A></SPAN></P> <P><SPAN><A href="https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/format_string" target="_blank">https://docs-cortex.paloaltonetworks.com/r/Cortex-XDR/Cortex-XDR-XQL-Language-Reference/format_string</A></SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 18 Aug 2023 16:22:32 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-use-xql-parse-timestamp/m-p/554333#M4993 nsinghvirk 2023-08-18T16:22:32Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-use-xql-parse-timestamp/m-p/554337#M4994 <P><EM><SPAN class="xql-error-title">Error</SPAN><SPAN class="xql-error-details" title="Field timestamp for function format_timestamp is invalid. Expected date but received string.">Field timestamp for function format_timestamp is invalid. Expected date but received string.</SPAN></EM></P> <P>&nbsp;</P> <P><SPAN class="xql-error-details" title="Field timestamp for function format_timestamp is invalid. Expected date but received string.">As I was saying, even though my string contains a timestamp, it is still a string!</SPAN></P> <P><SPAN class="xql-error-details" title="Field timestamp for function format_timestamp is invalid. Expected date but received string.">Maybe there is something I am not understanding here, but what I am trying to achieve is to convert this string to a date type.</SPAN></P> Fri, 18 Aug 2023 17:15:39 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/how-to-use-xql-parse-timestamp/m-p/554337#M4994 unlucky 2023-08-18T17:15:39Z