From 467e23ffbbcb890e00a5b4235bac79d63d4ad312 Mon Sep 17 00:00:00 2001
From: jbfuzier
Date: Fri, 23 Jan 2026 12:58:39 +0100
Subject: [PATCH] Handle timestampVal type in stats.py
Add handling for timestampVal, this is used when stats queries return timebuckets, example : events: $e.metadata.log_type="CS_EDR" $log_type = $e.metadata.log_type match: $log_type by 5m outcome: $total = math.round(count($e.metadata.id)/300)
---
 src/secops/chronicle/stats.py | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/secops/chronicle/stats.py b/src/secops/chronicle/stats.py
index 5b5f4e0..5fe1098 100644
--- a/src/secops/chronicle/stats.py
+++ b/src/secops/chronicle/stats.py
@@ -13,7 +13,7 @@
 # limitations under the License.
 #
 """Statistics functionality for Chronicle searches."""
-from datetime import datetime
+from datetime import datetime, UTC
 from typing import Any
 from secops.exceptions import APIError
@@ -127,6 +127,8 @@ def process_stats_results(stats: dict[str, Any]) -> dict[str, Any]:
 values.append(float(val["doubleVal"]))
 elif "stringVal" in val:
 values.append(val["stringVal"])
+ elif "timestampVal" in val:
+ values.append(datetime.fromisoformat(val["timestampVal"].replace('Z', '+00:00')).replace(tzinfo=UTC))
 else:
 values.append(None)
 # Handle list value cells (like those from array_distinct)
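Review bot: The `UTC` name imported in the first hunk exists in the `datetime` module only from Python 3.11, so on an older interpreter this import raises `ImportError` and the whole stats module stops loading. The supported Python range is not visible in this patch. If anything below 3.11 is still supported, `from datetime import datetime, timezone` with `timezone.utc` at the call site is equivalent and works on every version.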
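Review bot: `.replace(tzinfo=UTC)` in the new `timestampVal` branch relabels the parsed value as UTC without converting it, so a timestamp carrying any offset other than `Z`/`+00:00` would silently become a different instant and time buckets would no longer line up with other event times. The `Z` substitution already yields an aware datetime, so `.astimezone(UTC)` normalises it correctly: `values.append(datetime.fromisoformat(val["timestampVal"].replace("Z", "+00:00")).astimezone(UTC))`. A value that `fromisoformat` cannot parse raises `ValueError`, which appears to abort processing of the whole result rather than yielding `None` as the `else` branch does; it is worth deciding that behaviour explicitly and noting it in a comment. The body of `process_stats_results` starts and ends outside the hunk.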