Timestamp Functions
ESM applies timezones according to the component, shown below:
Time Zone | Description |
---|---|
Default Time Zone | The Manager time zone |
Agent Time Zone | The time zone of the Connector which sent the event |
Original Agent Time Zone | The time zone of the first Connector in a possible chain of connectors which sent the event |
Device Time Zone | The time zone of the originally-reporting device |
Final Device Time Zone | The time zone of the device which reported to the original Connector |
Caution: Discrepancies in values returned by Timestamp functions
With certain resources, you might observe some discrepancy in values returned by Timestamp functions and End Time if ArcSight Manager and ArcSight Console are in different timezones. Following are the scenarios where the discrepancy occurs:
For query viewers and data monitors, a Timestamp function (for example, GetDayOfWeek) gets the value from the Manager’s timezone, and End Time gets the value from the Console’s timezone.
For reports, End Time values and values returned by TimeStamp functions are consistent with the Manager’s timezone.
For active channels, End Time values and values returned by TimeStamp functions are consistent with the Console’s timezone.
TimeStamp Functions | Description |
---|---|
GetCurrentTime | Returns the current time in the format DD Mo YYYY, for example 25 Jun 2016 14:05:18 PDT. The returned time is based on the client time. |
GetDayOfMonth | Returns an integer from 1 to 31 to represent the day of the month, based on the selected timestamp. |
GetDayOfWeek | Returns an integer from 0 to 6 (0 is Sunday) to represent the day of the week, based on the selected timestamp. The associated day of the week (for example "Sunday") is displayed on the ArcSight Console. You can test the value returned by this function using numeric operations like For example, for a variable called "day" that contains the value returned by the GetDayOfWeek function, you can create an AND logical operator that checks for a weekday with these conditions: |
GetDayOfYear | Returns an integer from 1 to 366 to represent the day of the year, based on the selected timestamp. |
GetHour | Returns an integer from 0 to 23 to represent the hour of the day, based on the selected timestamp. |
GetMinute | Returns an integer from 0 to 59 to represent the minute of the hour, based on the selected timestamp. |
GetMonth | Returns an integer from 1 to 12 to represent the month of the year, based on the selected timestamp. |
GetYear | Returns an integer for the year based on the selected timestamp and displays it as a 4-digit integer. |
TimeDifference | Returns the result of subtracting the second timestamp argument from the first timestamp argument, in a human-readable format. |
TimeDifferenceInDays | Returns the result of subtracting the second timestamp argument from the first timestamp argument, in days. |
TimeDifferenceInHours | Returns the result of subtracting the second timestamp argument from the first timestamp argument, in hours. |
TimeDifferenceInMinutes | Returns the result of subtracting the second timestamp argument from the first timestamp argument, in minutes. |
TimeDifferenceInSeconds | Returns the result of subtracting the second timestamp argument from the first timestamp argument, in seconds. |
Note: This function is held in memory, therefore you can only use it in Rules, Filters, and Data Monitors. You cannot use the function in resources like Queries and Reports, and other resources that rely on persisted data. | Returns timestamp values at a granular level. This function is only available for in-memory operations like rules, data monitors, and channels; but not for reports, queries, and trends. Includes the following timestamp granularity options: Note: You can test (click Calculate on the dialog for using this function in your variable) how each TimestampGranularity option calculates the value before you save the variable. The Manager’s timezone is used in calculation. |
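
The Caution above matters most for day-of-week and hour conditions near midnight. The following Python sketch is an added example, not ArcSight code: it models the three scenarios for one event and applies the 0 = Sunday numbering of GetDayOfWeek. The fixed UTC offsets, the sample event, and the names `day_of_week`, `is_weekday` and `compare` are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed deployment: fixed UTC offsets stand in for the two time zones.
MANAGER_TZ = timezone(timedelta(hours=-7), "PDT")   # assumed Manager zone
CONSOLE_TZ = timezone(timedelta(hours=2), "CEST")   # assumed Console zone

# Which zone each value is rendered in, per the Caution's three scenarios:
# resource -> (zone used by Timestamp functions, zone used by End Time)
SCENARIOS = {
    "query viewer": (MANAGER_TZ, CONSOLE_TZ),
    "data monitor": (MANAGER_TZ, CONSOLE_TZ),
    "report": (MANAGER_TZ, MANAGER_TZ),
    "active channel": (CONSOLE_TZ, CONSOLE_TZ),
}

def day_of_week(ts, tz):
    """Day number as the page defines GetDayOfWeek: 0 = Sunday .. 6 = Saturday."""
    # isoweekday() is 1 = Monday .. 7 = Sunday, so fold Sunday down to 0.
    return ts.astimezone(tz).isoweekday() % 7

def is_weekday(day):
    """Monday (1) through Friday (5) under the 0 = Sunday numbering."""
    return 1 <= day <= 5

def compare(resource, end_time):
    """Show what one resource type presents for a single event End Time."""
    func_tz, end_tz = SCENARIOS[resource]
    func_day = day_of_week(end_time, func_tz)
    shown = end_time.astimezone(end_tz)
    shown_day = shown.isoweekday() % 7
    return {
        "function_day": func_day,
        "function_says_weekday": is_weekday(func_day),
        "end_time_shown": shown.strftime("%d %b %Y %H:%M:%S %Z"),
        "end_time_day": shown_day,
        "mismatch": func_day != shown_day,
    }

# Constructed event: 02:30 UTC on Saturday 25 Jun 2016.
EVENT_END = datetime(2016, 6, 25, 2, 30, tzinfo=timezone.utc)

if __name__ == "__main__":
    for resource in SCENARIOS:
        print(resource, compare(resource, EVENT_END))
```

In this constructed case a query viewer or data monitor evaluates the event as Friday (a weekday) while End Time displays early Saturday morning, so a weekend-activity condition would not match an event that the analyst sees as a Saturday event.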