# Date/time Functions

{% hint style="info" %}
PantherFlow is in open beta starting with Panther version 1.110, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.
{% endhint %}

## `time.add()`

`time.add(timestamp: timestamp, value: int, unit: string) -> timestamp`

Return `timestamp` added to a timespan created by combining `value` with a time `unit`, such as `"hour"`. `value` can be a column which allows for more expressive timestamp arithmetic than directly adding timespan constants. Subtraction can be achieved by providing a negative `value`. `unit` can be:

* `year`, `y`
* `month`
* `day`, `d`
* `hour`, `h`
* `minute`, `m`
* `second`, `s`

More values may be accepted, but are not guaranteed to be supported in future releases.

**Example:**

```kusto
let timebins =
range N from 1 to 10 step 1
| project t1=time.add(time.now(), N, 'day')
```

## `time.ago()`

`time.ago(span: timespan) -> timestamp`

Returns the timestamp that is `span` ago.

**Example:**

```kusto
panther_logs.public.aws_alb
| where p_event_time > time.ago(1d)
```

## `time.diff()`

`time.diff(unit: string, timestamp1: timestamp, timestamp2: timestamp) -> int`

Calculates the difference between two timestamps based on the date or time unit requested. The function returns the result of subtracting timestamp1 from timestamp2 (i.e. timestamp2 - timestamp1). `unit` can be:

* `year`, `y`
* `month`
* `day`, `d`
* `hour`, `h`
* `minute`, `m`
* `second`, `s`

More values may be accepted, but are not guaranteed to be supported in future releases.

**Example:**

```kusto
panther_logs.public.aws_alb
| extend hoursToParse=time.diff('h', p_event_time, p_parse_time)
| extend minutesToParse=time.diff('m', p_event_time, p_parse_time)
| project hoursToParse, minutesToParse
```

## `time.now()`

`time.now() -> timestamp`

Returns the current timestamp.

**Example:**

```kusto
panther_logs.public.aws_alb
| where p_event_time > time.now() - 1d
```

## `time.parse_timespan()`

`time.parse_timespan(str: string) -> timespan`

Returns the timespan representation of the duration string.

**Example:**

```kusto
panther_logs.public.aws_alb
| where p_event_time > time.now() - time.parse_timespan('24h')
```

## `time.parse_timestamp()`

`time.parse_timestamp(str: string) -> timestamp`

Returns the timestamp representation of the timestamp string.

**Example:**

```kusto
panther_logs.public.aws_alb
| where p_event_time > time.parse_timestamp('2023-01-01T00:00:00')
```

## `time.slice()`

`time.slice(time: timestamp, slice_length: int, slice_unit: string) -> timestamp`

Returns the timestamp that `time` resides in, given chunks of `slice_unit` and `slice_length`. For example, if `slice_length` is 1 and `slice_unit` is "hour", the time is truncated to the hour it belongs to. Slices are calculated relative to midnight January 1, 1970. `slice_unit` can be:

* `year`, `y`
* `month`
* `day`, `d`
* `hour`, `h`
* `minute`, `m`
* `second`, `s`

More values may be accepted, but are not guaranteed to be supported in future releases.

**Example:**

```kusto
panther_logs.public.aws_alb
| where p_event_time > time.ago(1d)
| summarize count=agg.count() by bucket=time.slice(p_event_time, 10, 'm')
| sort bucket asc
| visualize
```

## `time.trunc()`

`time.trunc(unit: string, timestamp: timestamp) -> timestamp`

Returns the timestamp truncated to the specified unit. `unit` can be:

* `year`, `y`
* `month`
* `day`, `d`
* `hour`, `h`
* `minute`, `m`
* `second`, `s`

More values may be accepted, but are not guaranteed to be supported in future releases.

**Example:**

```kusto
panther_logs.public.aws_alb
| where p_event_time > time.ago(1d)
| extend minuteEventHappened=time.trunc('m', p_event_time)
| summarize eventsPerMinute=agg.count() by minuteEventHappened
```