snteran
Copper Contributor
May 19, 2021

KQL Date between range not working

Due to the 10,000 row limit within KQL, we are working on running scans for just specific time ranges.

 

Query: 

    IdentityLogonEvents
    | where LogonType == "Failed logon" and isnotempty(AccountName)
    | project LogonTime = Timestamp, LogonType, Application, FailureReason, AccountName, AccountUpn, DeviceName, DestinationDeviceName
    | where Timestamp between (datetime(2021-5-02)..datetime(2021-5-03))

 

However, the datetime is not working correctly; we still get whatever option is selected in the GUI. When I test this in the lademo area, I get "Set in query".

 

Any help/advice on how to get the date range to work in query?

 

Also, it's odd how the 10,000 limit is not in a row.  For example, if we did 5/5 - 5/8 and we limited out, we will get results for all dates but not all the data.

 

Cheers,

  • I have not tested your KQL, but have you tried moving your Timestamp to the top of your query?
    So your data set is first created within the wanted time range and narrowed down based on the logonType.

    IdentityLogonEvents
    | where Timestamp between (datetime(2021-5-02)..datetime(2021-5-03))
    | where LogonType == "Failed logon" and isnotempty(AccountName)
    | project LogonTime = Timestamp, LogonType, Application, FailureReason, AccountName, AccountUpn, DeviceName, DestinationDeviceName


    • snteran
      Copper Contributor
      Hey Louis, looks like they are going to decide to run the query every day until we can get PowerBI desktop set up on the VM.

      Cheers,
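
Added example (not part of the thread and not code from any poster): a sizing query that applies the time filter before any `project`, so `Timestamp` still exists when it is filtered, and counts failed logons per day so that days exceeding the 10,000 row limit mentioned in the question can be split into narrower windows before rows are pulled. `WindowStart`, `WindowEnd`, `FailedLogons`, `LogonDay`, `RowCount` and `OverLimit` are names chosen here; the bounds are constructed to cover the question's 5/5 - 5/8 case.

```kusto
// Added example; not from the thread. Bounds cover the question's 5/5 - 5/8 case.
let WindowStart = datetime(2021-05-05);
let WindowEnd   = datetime(2021-05-09);   // exclusive upper bound
let FailedLogons =
    IdentityLogonEvents
    // Time filter first: Timestamp is still a column at this point. After
    // `project LogonTime = Timestamp` only LogonTime would remain.
    // Half-open [start, end) is used instead of `between`, which includes
    // both bounds, so adjacent windows never return the same midnight event twice.
    | where Timestamp >= WindowStart and Timestamp < WindowEnd
    | where LogonType == "Failed logon" and isnotempty(AccountName);
// Size each day before exporting: a day above 10,000 rows needs a narrower window.
FailedLogons
| summarize RowCount = count() by LogonDay = bin(Timestamp, 1d)
| extend OverLimit = RowCount > 10000
| sort by LogonDay asc
```

Once a window fits under the limit, swap the final statement for the `project` line from the question, applied to `FailedLogons`.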
