Axiom Docs

Use the datetime_part function in APL to extract a specific date part from a datetime value as an integer. You can extract components such as the year, month, day, hour, minute, second, and more. You can use datetime_part to break down timestamps into individual components for grouping, filtering, or analysis. This is especially useful for time-of-day analysis, seasonal patterns, and partitioning data by calendar units. Use it when you want to:

Group events by hour of day to identify peak traffic periods.
Extract the month or quarter for seasonal trend analysis.
Partition data by year or day for reporting and aggregation.

For users of other query languages

If you come from other query languages, this section explains how to adjust your existing queries to achieve the same results in APL.

Splunk SPL users

In Splunk SPL, you typically use strftime with format specifiers such as %H for hour or %m for month to extract date parts. In APL, the datetime_part function takes a string-based part name and returns the corresponding integer directly.

... | eval hour=strftime(_time, "%H")

ANSI SQL users

In ANSI SQL, you typically use EXTRACT(HOUR FROM timestamp_column) or DATEPART(HOUR, timestamp_column). In APL, datetime_part follows a similar pattern with a string-based part name as the first argument.

SELECT EXTRACT(HOUR FROM timestamp_column) AS hour FROM events;

Usage

Syntax

datetime_part(part, datetime)

Parameters

Name	Type	Description
part	`string`	The date part to extract: `'year'`, `'quarter'`, `'month'`, `'week_of_year'`, `'day'`, `'dayOfYear'`, `'hour'`, `'minute'`, `'second'`, `'millisecond'`, `'microsecond'`, `'nanosecond'`.
datetime	`datetime`	The datetime value to extract the part from.

Returns

An int representing the value of the extracted date part.

Use case examples

Log analysis
OpenTelemetry traces
Security logs

Analyze request volume by hour of day to find peak traffic periods.Query

['sample-http-logs']
| extend hour = datetime_part('hour', _time)
| summarize request_count = count() by hour
| sort by hour asc

Run in PlaygroundOutput

hour	request_count
0	312
1	287
2	198

This query extracts the hour from each request timestamp and counts requests per hour, revealing daily traffic patterns.

Break down trace counts by day of month and service name to identify daily patterns.Query

['otel-demo-traces']
| extend day_of_week = datetime_part('day', _time)
| summarize trace_count = count() by day_of_week, ['service.name']

Run in PlaygroundOutput

day_of_week	[‘service.name’]	trace_count
1	frontend	1540
1	cart	870
2	frontend	1620

This query groups traces by the day of the month and service name, helping you spot services with uneven daily load.

Identify which months have the most server error responses.Query

['sample-http-logs']
| where toint(status) >= 500
| extend month = datetime_part('month', _time)
| summarize error_count = count() by month
| sort by error_count desc

Run in PlaygroundOutput

month	error_count
3	142
7	118
11	97

This query extracts the month from each error event and ranks months by error frequency, useful for identifying seasonal reliability issues.

hourofday: Returns the hour of the day from a datetime. Use as a shorthand when you only need the hour.
dayofmonth: Returns the day of the month from a datetime.
dayofweek: Returns the day of the week as a timespan.
dayofyear: Returns the day of the year as an integer.
monthofyear: Returns the month number from a datetime.
getyear: Returns the year from a datetime.

Get started

Functions

Operators

Reference

Migration

datetime_part

For users of other query languages

Usage

Syntax

Parameters

Returns

Use case examples

Get started

Functions

Operators

Reference

Migration

​For users of other query languages

​Usage

​Syntax

​Parameters

​Returns

​Use case examples

​List of related functions

For users of other query languages

Usage

Syntax

Parameters

Returns

Use case examples

List of related functions