Kusto Query between TimeGenerated

Copper Contributor

Hi there,

 

I want to be able to look into a Kusto query in the Perf table for Virtual Machines and I want the TimeGenerated to both be between 3 weeks ago - but also only the events in TimeGenerated between 7:00am (12:00PM UTC) -> 10:00PM (3:00AM UTC) for each of those days.  I cannot figure out how to get this to work, is this even possible?

 

Thanks!

2 Replies

@Joseph Morley How about something like the following Query? It establishes a localTimestamp column to cater for the local timezone vs UTC conversion and then selects all records from the past 3 weeks (21 days) which happened after 0700 but before 2200 (in that calculated local time zone)

 

 

Perf
| extend localTimestamp = TimeGenerated - 5h
| where TimeGenerated > ago(21d)
| where hourofday( localTimestamp) >= 7
| where hourofday( localTimestamp) < 22

 

 

 

Instead of:

 

| where hourofday(localTimestamp) <= 7

| where hourofday(localTimestamp) < 22

 

You can write:

 

| where hourofday(localTimestamp) between (7 .. 21)