Timestamp Functions

ESM applies time zones according to the component, as shown below:

| Time Zone | Description |
|---|---|
| Default Time Zone | The Manager time zone |
| Agent Time Zone | The time zone of the Connector which sent the event |
| Original Agent Time Zone | The time zone of the first Connector in a possible chain of connectors which sent the event |
| Device Time Zone | The time zone of the originally-reporting device |
| Final Device Time Zone | The time zone of the device which reported to the original Connector |

Caution: Discrepancies in values returned by Timestamp functions

With certain resources, you might observe some discrepancy in values returned by Timestamp functions and End Time if ArcSight Manager and ArcSight Console are in different timezones. Following are the scenarios where the discrepancy occurs:

  • For query viewers and data monitors, a Timestamp function (for example, GetDayOfWeek) gets the value from the Manager’s timezone, and End Time gets the value from the Console’s timezone.

  • For reports, End Time values and values returned by Timestamp functions are consistent with the Manager’s timezone.

  • For active channels, End Time values and values returned by Timestamp functions are consistent with the Console’s timezone.
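The query viewer and data monitor case above, worked through as an added example (not ArcSight code): it emulates GetDayOfWeek with the 0-is-Sunday numbering given in the function table on this page and shows one row where the displayed End Time and the function value disagree. The fixed UTC offsets, the event time and all function names are assumptions made for the illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed deployment: Manager at UTC-7 (PDT), Console at UTC+2 (CEST).
MANAGER_TZ = timezone(timedelta(hours=-7), "PDT")
CONSOLE_TZ = timezone(timedelta(hours=2), "CEST")

def day_of_week(ts, tz):
    """Emulate GetDayOfWeek in zone tz: 0 is Sunday ... 6 is Saturday."""
    # isoweekday() is 1=Monday..7=Sunday; modulo 7 maps Sunday to 0.
    return ts.astimezone(tz).isoweekday() % 7

def is_weekday(day):
    """The weekday condition from this page: day >= Monday AND day <= Friday."""
    return 1 <= day <= 5

def query_viewer_row(end_time):
    """One query viewer / data monitor row: the function value is computed in
    the Manager zone while End Time is rendered in the Console zone."""
    dow = day_of_week(end_time, MANAGER_TZ)
    shown = end_time.astimezone(CONSOLE_TZ)
    return {
        "end_time_shown": f"{shown:%d %b %Y %H:%M:%S} {shown.tzname()}",
        "day_of_week": dow,
        "weekday": is_weekday(dow),
        # False means the analyst sees a day that contradicts the End Time column.
        "consistent": dow == day_of_week(end_time, CONSOLE_TZ),
    }

# Constructed event: Friday 24 Jun 2016 15:30 PDT == Saturday 25 Jun 2016 00:30 CEST.
EVENT = datetime(2016, 6, 24, 22, 30, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for key, value in query_viewer_row(EVENT).items():
        print(f"{key:15} {value}")
```

In this row the End Time column reads as early Saturday morning, yet a weekday filter built on the function value still matches, because the Manager evaluated the event as Friday afternoon.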

TimeStamp Functions

Description

GetCurrentTime

Returns the current time in the format DD Mo YYYY hh:mm:ss TIMEZONE, for example:

25 Jun 2016 14:05:18 PDT

The returned time is based on the client time.

GetDayOfMonth

Returns an integer from 1 to 31 to represent the day of the month, based on the selected timestamp

GetDayOfWeek

Returns an integer from 0 to 6 (0 is Sunday) to represent the day of the week, based on the selected timestamp. The associated day of the week (for example "Sunday") is displayed on the ArcSight Console.

You can test the value returned by this function using numeric operations like > , < , >= , <= , = .

For example, for a variable called "day" that contains the value returned by the GetDayOfWeek function, you can create an AND logical operator that checks for a weekday with these conditions:

  • day >= Monday

  • day <= Friday

GetDayOfYear

Returns an integer from 1 to 366 to represent the day of the year, based on the selected timestamp.

GetHour

Returns an integer from 0 to 23 to represent the hour of the day, based on the selected timestamp.

GetMinute

Returns an integer from 0 to 59 to represent the minute of the hour, based on the selected timestamp.

GetMonth

Returns an integer from 1 to 12 to represent the month of the year, based on the selected timestamp.

GetYear

Returns an integer for the year based on the selected timestamp and displays it as a 4-digit integer.

TimeDifference

Returns the result of subtracting the second timestamp argument from the first timestamp argument, in a human-readable format.

TimeDifferenceInDays

Returns the result of subtracting the second timestamp argument from the first timestamp argument, in days.

TimeDifferenceInHours

Returns the result of subtracting the second timestamp argument from the first timestamp argument, in hours.

TimeDifferenceInMinutes

Returns the result of subtracting the second timestamp argument from the first timestamp argument, in minutes.

TimeDifferenceInSeconds

Returns the result of subtracting the second timestamp argument from the first timestamp argument, in seconds.

TimestampGranularity

Note: This function is held in memory, therefore you can only use it in Rules, Filters, and Data Monitors. You cannot use the function in resources like Queries and Reports, and other resources that rely on persisted data.

Returns timestamp values at a granular level. This function is only available for in-memory operations like rules, data monitors, and channels; but not for reports, queries, and trends.

Includes the following timestamp granularity options:

  • get_year_only

    Returns a timestamp value of the first day of the year, first month of the year, and year; and zeroes out the hours, minutes, and seconds. For example, for a given timestamp of 4 Oct 2016 15:19:52 <Manager timezone>, the calculated value is

    1 Jan 2016 00:00:00 <Manager timezone>

 
  • get_year_month

    Returns a timestamp value of the first of the month, month, and year; and zeroes out the hours, minutes, and seconds. For example, for a given timestamp of 4 Oct 2016 15:19:52 <timezone>, the calculated value is

    1 Oct 2016 00:00:00 <Manager timezone>

 
  • get_year_month_day

    Returns a timestamp value of the date, month, and year only; and zeroes out the hours, minutes, and seconds. For example, for a given timestamp of 4 Oct 2016 15:19:52 <timezone>, the calculated value is

    4 Oct 2016 00:00:00 <Manager timezone>

 

  • get_year_month_day_hh

    Returns a timestamp value of the current date, month, year, and hours; and zeroes out the minutes and seconds. For example, for a given timestamp of 4 Oct 2016 15:19:52 <timezone>, the calculated value is

    4 Oct 2016 15:00:00 <Manager timezone>

 

  • get_year_month_day_hhmm

    Returns a timestamp value of the current date, month, year, hours, and minutes; and zeroes out the seconds. For example, for a given timestamp of 4 Oct 2016 15:19:52 <timezone>, the calculated value is

    4 Oct 2016 15:19:00 <Manager timezone>

 

  • get_year_month_day_hhmmss

    Returns a timestamp value of the date, month, year, hours, minutes, and seconds. For example, for a given timestamp of 4 Oct 2016 15:19:52 <timezone>, the calculated value is

    4 Oct 2016 15:19:52 <Manager timezone>

Note: You can test (click Calculate on the dialog for using this function in your variable) how each TimestampGranularity option calculates the value before you save the variable. The Manager’s timezone is used in calculation.
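The six granularity options, emulated as an added example (not ArcSight code) to show why the Manager's timezone matters when the truncated value is used as an aggregation bucket: the same three events fall into one day bucket on a Manager at UTC-7 and into two on a Manager at UTC. The offsets, the two extra events and the function names are assumptions; only the 4 Oct 2016 15:19:52 sample comes from this page.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# How many leading fields (year, month, day, hour, minute, second) each option keeps.
KEEP = {
    "get_year_only": 1,
    "get_year_month": 2,
    "get_year_month_day": 3,
    "get_year_month_day_hh": 4,
    "get_year_month_day_hhmm": 5,
    "get_year_month_day_hhmmss": 6,
}
LOWEST = (1, 1, 1, 0, 0, 0)  # value a dropped field is reset to; the year is never dropped

def timestamp_granularity(ts, option, manager_tz):
    """Truncate ts to the option's granularity on the Manager's calendar (emulation)."""
    fields = list(ts.astimezone(manager_tz).timetuple()[:6])
    kept = KEEP[option]
    fields[kept:] = LOWEST[kept:]
    return datetime(*fields, tzinfo=manager_tz)

def fmt(ts):
    """Render like the page's examples, e.g. '4 Oct 2016 15:00:00' (zone name omitted)."""
    return f"{ts.day} {ts:%b %Y %H:%M:%S}"

def daily_counts(events, manager_tz):
    """Count events per get_year_month_day bucket, as a per-day aggregation would."""
    return Counter(fmt(timestamp_granularity(e, "get_year_month_day", manager_tz))
                   for e in events)

# Constructed zones and events; only SAMPLE's date and time are taken from the page.
PDT = timezone(timedelta(hours=-7), "PDT")
UTC = timezone.utc
SAMPLE = datetime(2016, 10, 4, 15, 19, 52, tzinfo=PDT)
EVENTS = [SAMPLE,
          datetime(2016, 10, 4, 22, 30, 0, tzinfo=PDT),
          datetime(2016, 10, 4, 23, 45, 0, tzinfo=PDT)]

if __name__ == "__main__":
    for option in KEEP:
        print(f"{option:26} {fmt(timestamp_granularity(SAMPLE, option, PDT))}")
    print("Manager at UTC-7:", dict(daily_counts(EVENTS, PDT)))
    print("Manager at UTC:  ", dict(daily_counts(EVENTS, UTC)))
```

A per-day threshold of three events would be met on the UTC-7 Manager and missed on the UTC Manager, so thresholds tuned on one Manager do not carry over unchanged to a Manager in another timezone.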