Time Operations
now
Returns the current date and time in Unix Timestamp format.
In this example, the field res might have the value 1710752009.
... | eval res=now()
relative_time
Description: Takes a Unix timestamp and a relative offset parameter. Returns a new time in Unix Timestamp format.
Supported format: (+|-)<int>@(s|m|h|d|w|M)
- s — seconds
- m — minutes
- h — hours
- d — days
- w — weeks
- M — months
Default unit (when @<unit> is omitted): seconds
In this example, res will have the value now() minus 1 day.
... | eval res=relative_time(now(), -1@d)
In this example, res will have the value now() plus 3600 seconds.
... | eval res=relative_time(now(), 3600)
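The offset grammar above, worked through in Python as an added example (this is not the product's own implementation): it parses the (+|-)<int>@(s|m|h|d|w|M) form, treats a bare integer as seconds per the default, and applies the shift to a Unix timestamp. The page does not say how a month shift behaves when the target month is shorter (for example 31 March minus one month), so clamping to the last day of the month is an assumption here, as is treating the sign as optional.

```python
import calendar
import re
from datetime import datetime, timezone

# Offset grammar from the page: (+|-)<int>@(s|m|h|d|w|M); the @unit may be omitted.
# Assumption: the leading sign is optional, so "1@d" is read as "+1@d".
OFFSET_RE = re.compile(r"^([+-]?)(\d+)(?:@([smhdwM]))?$")

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 7 * 86400}


def parse_offset(offset):
    """Return (signed_count, unit) for an offset such as "-1@d" or "+2@w".

    A bare integer is accepted as well, matching the page's second example,
    and a missing unit falls back to seconds (the page's default)."""
    if isinstance(offset, int):
        return offset, "s"
    match = OFFSET_RE.match(offset.strip())
    if match is None:
        raise ValueError(f"unsupported relative offset: {offset!r}")
    sign, count, unit = match.groups()
    value = -int(count) if sign == "-" else int(count)
    return value, unit or "s"


def relative_time(ts, offset):
    """Shift Unix timestamp `ts` by `offset` and return a Unix timestamp.

    Seconds through weeks are fixed multiples of seconds. Months are calendar
    months computed in UTC; a day that does not exist in the target month is
    clamped to that month's last day (assumption: the page does not cover this)."""
    count, unit = parse_offset(offset)
    if unit != "M":
        return ts + count * UNIT_SECONDS[unit]
    dt = datetime.fromtimestamp(ts, tz=timezone.utc)
    months = dt.year * 12 + (dt.month - 1) + count
    year, month0 = divmod(months, 12)
    month = month0 + 1
    last_day = calendar.monthrange(year, month)[1]
    shifted = dt.replace(year=year, month=month, day=min(dt.day, last_day))
    return int(shifted.timestamp())


if __name__ == "__main__":
    now = 1710752009  # constructed fixed input: the now() value quoted on the page
    for spec in ("-1@d", 3600, "+2@w", "-1@M"):
        print(spec, "->", relative_time(now, spec))
```

Because every unit except months is a constant number of seconds, results for s/m/h/d/w never depend on the calendar or on DST; only the month unit needs the date arithmetic shown.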
strftime
Description: Takes a Unix timestamp and a format string to return the formatted date/time.
The format string uses Joda Time pattern syntax; see the Joda Time documentation for details.
In this example, starttime will have the value 2018-3-19T13:55:03.
... | eval StartTimestamp=1521467703049000000, starttime=strftime(StartTimestamp/pow(10,9),"Y-M-d'T'H:mm:ss")
Example using peval:
... | peval StartTimestamp=1521467703, starttime=strftime(StartTimestamp, "yyyy-M-d'T'HH:mm:ss")
strptime
Description: Takes a date/time and a format string. Returns a UNIX timestamp.
The format string uses Joda Time pattern syntax; see the Joda Time documentation for details.
In this example, starttime will have the value 1589892240.
... | eval starttime=strptime("2020-05-19 12:44","Y-M-d HH:mm")
The eval and peval commands use different pattern syntax: peval uses the SimpleDateFormat pattern syntax, while eval uses Joda Time. The Joda Time format is largely compatible with SimpleDateFormat, but the time zone is specified differently. For example, to parse the date 2000-01-01T12:30:00.000+0100, the eval command can use the pattern YYYY-MM-dd'T'HH:mm:ss.SSZ, whereas the peval command uses the ISO 8601 zone designator: yyyy-MM-dd'T'HH:mm:ss.SSSXXX.
In this example the created field holds 2020-05-19T12:44:00.123Z, so res takes the value 1589892240 and res1 takes the value 1589892240.123.
... | peval res=strptime(tostring(created), "yyyy-MM-dd'T'HH:mm:ss.SSSX") | eval res1=strptime(created,"YYYY-MM-dd'T'HH:mm:ss.SSS'Z'")
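The practical difference between quoting Z as a literal ('Z') and parsing a real zone designator (X / Z) shows up as soon as events from different sources carry different offsets. The following added Python example (not the product's code) mirrors the two strptime examples above with Python's own strptime codes standing in for the Joda/SimpleDateFormat patterns: LITERAL_Z quotes the Z, DESIGNATOR uses %z, which accepts "Z", "+0100" and "+01:00". The sample timestamps are constructed, and the choice to read a pattern without zone information as UTC is an assumption that reproduces the page's 1589892240 result.

```python
from datetime import datetime, timezone

# Constructed sample values echoing the page's strptime examples (not product output).
EVENT_TIME_UTC = "2020-05-19T12:44:00.123Z"
EVENT_TIME_OFFSET = "2020-05-19T12:44:00.123+01:00"

# Python patterns standing in for the page's Joda/SimpleDateFormat ones:
# LITERAL_Z quotes Z as a literal (like ...SSS'Z'); DESIGNATOR parses a real
# zone designator with %z (like ...SSSX), which accepts "Z", "+0100" and "+01:00".
LITERAL_Z = "%Y-%m-%dT%H:%M:%S.%fZ"
DESIGNATOR = "%Y-%m-%dT%H:%M:%S.%f%z"


def strptime_epoch(text, fmt):
    """Parse `text` with `fmt` and return Unix seconds as a float, or None when
    the pattern does not match (the caller can then try another pattern or
    flag the record). A result without zone information is taken as UTC
    (assumption), which is how "2020-05-19 12:44" reaches 1589892240."""
    try:
        dt = datetime.strptime(text, fmt)
    except ValueError:
        return None
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.timestamp()


def strftime_epoch(ts, fmt):
    """Format Unix seconds as a UTC date/time string (inverse of strptime_epoch).
    Note that %m and %d always zero-pad, whereas the page's single-letter Joda
    fields (M, d) do not, hence its 2018-3-19 rendering of the same instant."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime(fmt)


if __name__ == "__main__":
    print(strptime_epoch("2020-05-19 12:44", "%Y-%m-%d %H:%M"))
    for sample in (EVENT_TIME_UTC, EVENT_TIME_OFFSET):
        print(sample, "literal-Z:", strptime_epoch(sample, LITERAL_Z),
              "designator:", strptime_epoch(sample, DESIGNATOR))
    print(strftime_epoch(1521467703, "%Y-%m-%dT%H:%M:%S"))
```

With the literal-Z pattern the "+01:00" record does not parse at all, so a pipeline that relies on it silently drops or misdates events from a source that emits numeric offsets; the designator pattern parses both and shifts the "+01:00" record one hour earlier, which is the value you want for correlating events across sources.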
time
Description: Returns the current date and time in Unix Timestamp format.
Example:
... | eval res=time()
to_timezone
Description: Accepts Unix time and a timezone name/offset as input. Returns Unix time converted to the specified timezone. The timezone name can be omitted; in that case, the input Unix time will be converted to the local timezone.
The following timezone names are not supported as their designations are obsolete: MST, Factory, ROC, HST, EST.
... | eval res = to_timezone(1769072333, "Europe/Paris")
In this example, the res field will take the value 1769075933, because the UTC+01:00 offset of the specified timezone is added.
... | eval res = to_timezone(1769072333, "UTC+02:00")
In this example, the res field will take the value 1769079533.
... | eval res = to_timezone(1769072333)
In this example, the res field will take the value 1769083133, because no timezone was given and the calculation is performed for the local timezone, which is Moscow in this case.
from_timezone
Description: Accepts Unix time and a timezone name/offset as input. Returns Unix time converted from the timezone to UTC.
The following timezone names are not supported as their designations are obsolete: MST, Factory, ROC, HST, EST.
... | eval res = from_timezone(1769072333, "Europe/Paris")
In this example, the res field will take the value 1769068733, since the specified timezone is one hour ahead of UTC (UTC+01:00) and that offset is subtracted.
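The to_timezone and from_timezone behaviour, reproduced in Python as an added example (not the product's implementation). It accepts the fixed-offset spelling "UTC+02:00" used on the page, resolves IANA names such as Europe/Paris through the host's tz database (so the offset follows DST, which the page's January example reflects with +1 hour), rejects the five obsolete names the page lists, and falls back to the host's local timezone when no zone is given. The DST handling for named zones, the regex for the fixed-offset form and the local-zone fallback are assumptions beyond what the page states.

```python
import re
from datetime import datetime
from zoneinfo import ZoneInfo, ZoneInfoNotFoundError

# Names the page lists as rejected because their designations are obsolete.
UNSUPPORTED_ZONES = {"MST", "Factory", "ROC", "HST", "EST"}

# Fixed-offset spelling used on the page, e.g. "UTC+02:00" (assumed grammar).
FIXED_OFFSET_RE = re.compile(r"^UTC([+-])(\d{2}):(\d{2})$")


def zone_available(name):
    """True if the host's tz database knows `name` (needed for names like Europe/Paris)."""
    try:
        ZoneInfo(name)
        return True
    except (ZoneInfoNotFoundError, ValueError):
        return False


def utc_offset_seconds(ts, zone=None):
    """Offset of `zone` from UTC, in seconds, as in effect at Unix time `ts`.

    None means the host's local timezone (the page's default, Moscow in its
    example). Fixed offsets are parsed directly; any other name is resolved via
    the IANA tz database, so Europe/Paris yields +3600 in January and +7200 in July."""
    if zone is None:
        return int(datetime.fromtimestamp(ts).astimezone().utcoffset().total_seconds())
    if zone in UNSUPPORTED_ZONES:
        raise ValueError(f"timezone name {zone!r} is obsolete and not supported")
    match = FIXED_OFFSET_RE.match(zone)
    if match:
        sign, hours, minutes = match.groups()
        seconds = int(hours) * 3600 + int(minutes) * 60
        return -seconds if sign == "-" else seconds
    local = datetime.fromtimestamp(ts, tz=ZoneInfo(zone))
    return int(local.utcoffset().total_seconds())


def to_timezone(ts, zone=None):
    """UTC Unix time -> a Unix time that, read as UTC, shows the zone's wall-clock time."""
    return ts + utc_offset_seconds(ts, zone)


def from_timezone(ts, zone):
    """Zone-local Unix time (as produced by to_timezone) -> UTC Unix time.

    The offset is looked up with the local reading treated as UTC, which is
    exact except within one offset of a DST transition."""
    return ts - utc_offset_seconds(ts, zone)


if __name__ == "__main__":
    ts = 1769072333  # constructed fixed input: the value used in the page's examples
    print(to_timezone(ts, "Europe/Paris"), to_timezone(ts, "UTC+02:00"), to_timezone(ts))
    print(from_timezone(ts, "Europe/Paris"))
```

The thing to check before relying on these functions in a detection rule is that the zone of the source is known: to_timezone produces a number that no longer denotes the original instant, so two events shifted to different zones cannot be compared directly, and events from a DST-observing zone move by a different amount in summer than in winter.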