Date/time Functions

time.ago()

time.ago(span: timespan) -> timestamp

Returns the timestamp that is span ago.

Example:

panther_logs.public.aws_alb
| where p_event_time > time.ago(1d)

time.diff()

time.diff(unit: string, timestamp1: timestamp, timestamp2: timestamp) -> int

Calculates the difference between two timestamps based on the date or time unit requested. The function returns the result of subtracting timestamp1 from timestamp2 (i.e. timestamp2 - timestamp1). unit can be:

• year, y

• month

• day, d

• hour, h

• minute, m

• second, s

More values may be accepted, but are not guaranteed to be supported in future releases.

Example:

time.now()

time.now() -> timestamp

Returns the current timestamp.

Example:

time.parse_timespan()

time.parse_timespan(str: string) -> timespan

Returns the timespan representation of the duration string.

Example:

time.parse_timestamp()

time.parse_timestamp(str: string) -> timestamp

Returns the timestamp representation of the timestamp string.

Example:

time.slice()

time.slice(time: timestamp, slice_length: int, slice_unit: string) -> timestamp

Returns the timestamp that time resides in, given chunks of slice_unit and slice_length. For example, if slice_length is 1 and slice_unit is "hour", the time is truncated to the hour it belongs to. Slices are calculated relative to midnight January 1, 1970. slice_unit can be:

• year, y

• month

• day, d

• hour, h

• minute, m

• second, s

More values may be accepted, but are not guaranteed to be supported in future releases.

Example:

time.trunc()

time.trunc(unit: string, timestamp: timestamp) -> timestamp

Returns the timestamp truncated to the specified unit. unit can be:

• year, y

• month

• day, d

• hour, h

• minute, m

• second, s

More values may be accepted, but are not guaranteed to be supported in future releases.

Example: