Version: 5.2

Time Operations

now

Returns the current date and time in Unix Timestamp format.

In this example, the field res might have the value 1710752009.

Example #1
... | eval res=now()

relative_time

Description: Takes a Unix timestamp and a relative offset parameter. Returns a new time in Unix Timestamp format.

Supported format: (+|-)<int>@(s|m|h|d|w|M)

  • s — seconds
  • m — minutes
  • h — hours
  • d — days
  • w — weeks
  • M — months

Default unit: seconds

In this example, res will have the value now() minus 1 day.

Example #1
... | eval res=relative_time(now(), -1@d)

In this example, res will have the value now() plus 3600 seconds.

Example #2
... | eval res=relative_time(now(), 3600)
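The offset grammar above, modelled in Python as an added example (not the product's own implementation). It treats the sign and the @unit suffix as optional, as Example #2 implies, and assumes UTC calendar-month arithmetic for M with the day clamped to the end of the month. The lowercase m (minutes) and uppercase M (months) are distinct units.

```python
import calendar
import re
from datetime import datetime, timezone

# Grammar from the page: (+|-)<int>@(s|m|h|d|w|M). Sign and @unit are treated
# as optional here because Example #2 passes a bare 3600.
_OFFSET = re.compile(r"([+-]?)(\d+)(?:@([smhdwM]))?")
_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def relative_time(ts, offset):
    """Model of relative_time(ts, offset); returns a Unix timestamp."""
    m = _OFFSET.fullmatch(str(offset).strip())
    if m is None:
        raise ValueError(f"unsupported offset: {offset!r}")
    sign = -1 if m.group(1) == "-" else 1
    amount = sign * int(m.group(2))
    unit = m.group(3) or "s"  # page: the default unit is seconds
    if unit != "M":
        return ts + amount * _SECONDS[unit]
    # Assumption: months are calendar months in UTC, day clamped to month end.
    dt = datetime.fromtimestamp(ts, tz=timezone.utc)
    idx = dt.year * 12 + (dt.month - 1) + amount
    year, month0 = divmod(idx, 12)
    day = min(dt.day, calendar.monthrange(year, month0 + 1)[1])
    return int(dt.replace(year=year, month=month0 + 1, day=day).timestamp())


if __name__ == "__main__":
    now = 1710752009  # sample value the page gives for now()
    for off in ("-1@d", 3600, "-1@m", "-1@M"):
        print(off, relative_time(now, off))
```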

strftime

Description: Takes a Unix timestamp and a format string to return the formatted date/time.

Info: The function uses Joda Time format. Details are in the documentation.

In this example, starttime will have the value 2018-3-19T13:55:03.

Example #1
... | eval StartTimestamp=1521467703049000000, starttime=strftime(StartTimestamp/pow(10,9),"Y-M-d'T'H:mm:ss")

Example using peval:

Example #2
... | peval StartTimestamp=1521467703, starttime=strftime(StartTimestamp, "yyyy-M-d'T'HH:mm:ss") 

strptime

Description: Takes a date/time and a format string. Returns a UNIX timestamp.

Info: The function uses Joda Time format. Details are in the documentation.

In this example, starttime will have the value 1589892240.

Example #1
... | eval starttime=strptime("2020-05-19 12:44","Y-M-d HH:mm")

Warning: The eval and peval commands use different template syntax. peval uses the SimpleDateFormat template syntax, while eval uses Joda Time. The Joda Time format is largely compatible with SimpleDateFormat, but the two differ in how the time zone is specified. For example, to parse the date 2000-01-01T12:30:00.000+0100, the eval command can use the pattern YYYY-MM-dd'T'HH:mm:ss.SSZ, whereas the peval command uses ISO 8601: yyyy-MM-dd'T'HH:mm:ss.SSSXXX.

In this example, the created field is equal to 2020-05-19T12:44:00.123Z. As a result, res will have the value 1589892240, and res1 will have the value 1589892240.123.

Example #2
... | peval res=strptime(tostring(created), "yyyy-MM-dd'T'HH:mm:ss.SSSX") | eval res1=strptime(created,"YYYY-MM-dd'T'HH:mm:ss.SSS'Z'")

time

Description: Returns the current date and time in Unix Timestamp format.

Example:

Example #1
... | eval res=time()