Formatting timestamp string in VQL


Fusao Tanida

Feb 16, 2022, 8:13:36 PM
to velociraptor-discuss
Hi.
Let me ask a question about formatted output of timestamp strings in VQL.

As of now, timestamp() in VQL outputs only a fixed timestamp string such as "2022-02-15 04:50:04 +0000 GMT". I'm investigating how to output a different format such as "2022-02-15T12:34:56Z" in UTC.

As far as I can tell from my investigation, it looks like the timestamp object in VQL is tied directly to the internal Go time object, and VQL can access the Year, Month, Day, ... properties as <timestamp object>.Year. But this is not documented.

Is there any other way to output in a custom timestamp format?

Thank you 

Mike Cohen

Feb 16, 2022, 9:40:55 PM
to Fusao Tanida, velociraptor-discuss
Hi Fusao,
  Yes, inside VQL the timestamp object is a time.Time object, so it has access to all those methods.

One slightly confusing thing about VQL is that inside VQL we can have arbitrary types, but when we retrieve the results of the query we have to serialize them to JSON - so every object is serialized to a valid JSON type. Since JSON can only really have basic types like floats, strings, etc., time objects also get converted to a string.

Normally this conversion is done in Golang into an ISO time format - Velociraptor goes out of its way to set the timezone to Zulu just to be consistent, but an ISO timestamp can be in any timezone. The ISO timestamp is already of the form "2022-02-15T12:34:56Z".

I think the issue is that when expanding to a longer string with format(format="%s", ...) it uses the .String() method of the time.Time object (https://pkg.go.dev/time#Time.String),

which is a different (non-ISO) format.

I found that I can do something like this:

SELECT "The time is " + str(str=timestamp(epoch=now()).MarshalText)
FROM scope()

This uses MarshalText - it is not very intuitive, though - we probably need to fix that.

Alternatively, you can format explicitly using the format() function.

Here are the two methods side by side:

LET t <= timestamp(epoch=now()).UTC

SELECT "The time is " + str(str=t.MarshalText),
  format(format="%d-%02d-%02dT%02d:%02d:%02dZ", args=[
    t.Year, t.Month, t.Day, t.Hour, t.Minute, t.Second])
FROM scope()

[Attached screenshot: Windows_11_Test_VM_2022.png]


You can create a VQL function so it is easier to use and then you can reuse it everywhere:

LET FormatTime(t) = format(format="%d-%02d-%02dT%02d:%02d:%02dZ", args=[
    t.Year, t.Month, t.Day, t.Hour, t.Minute, t.Second])

SELECT "The time is " + FormatTime(t=timestamp(epoch=now()))
FROM scope()

Thanks
Mike


Mike Cohen 
Digital Paleontologist, 
Velocidex Enterprises
mi...@velocidex.com 


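The three renderings Mike describes (the .String() form reached through format="%s", the MarshalText form, and the explicit field-by-field format) all come from Go's time.Time, so they can be reproduced and compared outside VQL. The following Go program is an added example, not part of the thread or of Velociraptor's own code; it builds a constructed sample instant and shows each rendering. It also shows why the explicit format needs the .UTC step used above: the format string hardcodes a trailing "Z", so a time still carrying a local offset would be labelled as UTC while showing local wall-clock digits, which is exactly the kind of mislabelled timestamp that corrupts a timeline during an investigation. FormatTime and ExplicitFormRaw are names chosen here for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// fixedTime is a constructed sample instant: 2022-02-15 12:34:56 UTC.
var fixedTime = time.Date(2022, time.February, 15, 12, 34, 56, 0, time.UTC)

// StringForm is what format(format="%s", args=[t]) reaches in VQL:
// time.Time.String(), e.g. "2022-02-15 12:34:56 +0000 UTC" (not ISO 8601).
func StringForm(t time.Time) string {
	return t.String()
}

// MarshalTextForm mirrors str(str=t.MarshalText) in VQL: RFC 3339 text,
// with fractional seconds only when they are non-zero.
func MarshalTextForm(t time.Time) (string, error) {
	b, err := t.MarshalText()
	return string(b), err
}

// ExplicitFormRaw mirrors the VQL FormatTime(t) helper literally: it joins
// the individual fields and hardcodes the "Z" suffix WITHOUT normalizing to
// UTC first. Passing a time in another zone produces a mislabelled result.
func ExplicitFormRaw(t time.Time) string {
	return fmt.Sprintf("%d-%02d-%02dT%02d:%02d:%02dZ",
		t.Year(), int(t.Month()), t.Day(), t.Hour(), t.Minute(), t.Second())
}

// FormatTime is the safe variant: convert to UTC first (the .UTC step in the
// VQL above), so the hardcoded "Z" is actually true for every input.
func FormatTime(t time.Time) string {
	return ExplicitFormRaw(t.UTC())
}

func main() {
	// A second constructed instant: the same moment expressed in UTC+9.
	jst := time.FixedZone("JST", 9*60*60)
	local := fixedTime.In(jst)

	fmt.Println("String():     ", StringForm(fixedTime))
	mt, _ := MarshalTextForm(fixedTime)
	fmt.Println("MarshalText(): ", mt)
	fmt.Println("explicit, UTC: ", FormatTime(fixedTime))

	// Demonstrate the caveat: without .UTC the "Z" lies about the zone.
	fmt.Println("raw, JST input:", ExplicitFormRaw(local), "<- wrong, 9h off")
	fmt.Println("safe, JST input:", FormatTime(local))
}
```

Note that MarshalText keeps whatever offset the time carries ("+09:00" for the JST input), which is correct but not the uniform "Z" form the original question asked for; the UTC-normalizing FormatTime gives the uniform form and is the one to reuse across artifacts.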

Fusao Tanida

Feb 16, 2022, 10:25:47 PM
to velociraptor-discuss
Hi Mike,
Thank you for the detailed explanation. I fully resolved my question.
As you said, MarshalText is not intuitive, so I'll use the format approach you suggested.

Thank you again.