Knowledge BaseRelease NotesRequest Demo

Date/time Functions

PantherFlow date/time functions

PantherFlow is in open beta starting with Panther version 1.110, and is available to all customers. Please share any bug reports and feature requests with your Panther support team.

time.add()

time.add(timestamp: timestamp, value: int, unit: string) -> timestamp

Return timestamp added to a timespan created by combining value with a time unit, such as "hour". value can be a column which allows for more expressive timestamp arithmetic than directly adding timespan constants. Subtraction can be achieved by providing a negative value. unit can be:

  • year, y

  • month

  • day, d

  • hour, h

  • minute, m

  • second, s

More values may be accepted, but are not guaranteed to be supported in future releases.

Example:

let timebins =
range N from 1 to 10 step 1
| project t1=time.add(time.now(), N, 'day')

time.ago()

time.ago(span: timespan) -> timestamp

Returns the timestamp that is span ago.

Example:

panther_logs.public.aws_alb
| where p_event_time > time.ago(1d)

time.diff()

time.diff(unit: string, timestamp1: timestamp, timestamp2: timestamp) -> int

Calculates the difference between two timestamps based on the date or time unit requested. The function returns the result of subtracting timestamp1 from timestamp2 (i.e. timestamp2 - timestamp1). unit can be:

  • year, y

  • month

  • day, d

  • hour, h

  • minute, m

  • second, s

More values may be accepted, but are not guaranteed to be supported in future releases.

Example:

panther_logs.public.aws_alb
| extend hoursToParse=time.diff('h', p_event_time, p_parse_time)
| extend minutesToParse=time.diff('m', p_event_time, p_parse_time)
| project hoursToParse, minutesToParse

time.now()

time.now() -> timestamp

Returns the current timestamp.

Example:

panther_logs.public.aws_alb
| where p_event_time > time.now() - 1d

time.parse_timespan()

time.parse_timespan(str: string) -> timespan

Returns the timespan representation of the duration string.

Example:

panther_logs.public.aws_alb
| where p_event_time > time.now() - time.parse_timespan('24h')

time.parse_timestamp()

time.parse_timestamp(str: string) -> timestamp

Returns the timestamp representation of the timestamp string.

Example:

panther_logs.public.aws_alb
| where p_event_time > time.parse_timestamp('2023-01-01T00:00:00')

time.slice()

time.slice(time: timestamp, slice_length: int, slice_unit: string) -> timestamp

Returns the timestamp that time resides in, given chunks of slice_unit and slice_length. For example, if slice_length is 1 and slice_unit is "hour", the time is truncated to the hour it belongs to. Slices are calculated relative to midnight January 1, 1970. slice_unit can be:

  • year, y

  • month

  • day, d

  • hour, h

  • minute, m

  • second, s

More values may be accepted, but are not guaranteed to be supported in future releases.

Example:

panther_logs.public.aws_alb
| where p_event_time > time.ago(1d)
| summarize count=agg.count() by bucket=time.slice(p_event_time, 10, 'm')
| sort bucket asc
| visualize

time.trunc()

time.trunc(unit: string, timestamp: timestamp) -> timestamp

Returns the timestamp truncated to the specified unit. unit can be:

  • year, y

  • month

  • day, d

  • hour, h

  • minute, m

  • second, s

More values may be accepted, but are not guaranteed to be supported in future releases.

Example:

panther_logs.public.aws_alb
| where p_event_time > time.ago(1d)
| extend minuteEventHappened=time.trunc('m', p_event_time)
| summarize eventsPerMinute=agg.count() by minuteEventHappened
PreviousAggregation FunctionsNextString Functions

Last updated

Was this helpful?