Jan 07 2021 06:46 AM
Hi there,
I want to be able to look into a Kusto query in the Perf table for Virtual Machines and I want the TimeGenerated to both be between 3 weeks ago - but also only the events in TimeGenerated between 7:00am (12:00PM UTC) -> 10:00PM (3:00AM UTC) for each of those days. I cannot figure out how to get this to work. Is this even possible?
Thanks!
Jan 07 2021 02:07 PM - edited Jan 07 2021 02:14 PM
@Joseph Morley How about something like the following query? It establishes a localTimestamp column to cater for the local timezone vs UTC conversion and then selects all records from the past 3 weeks (21 days) which happened after 0700 but before 2200 (in that calculated local time zone).
Perf
| extend localTimestamp = TimeGenerated - 5h
| where TimeGenerated > ago(21d)
| where hourofday(localTimestamp) >= 7
| where hourofday(localTimestamp) < 22
Jan 20 2021 09:07 AM
Instead of:
| where hourofday(localTimestamp) >= 7
| where hourofday(localTimestamp) < 22
You can write:
| where hourofday(localTimestamp) between (7 .. 21)
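The queries in this thread use a fixed 5-hour offset, which holds only while the local zone is at UTC-5. As an added example (not from any of the posts above), the same hour window can be computed with a daylight-saving-aware conversion; this goes beyond the thread's case, and the time zone name and the constructed SamplePerf rows are assumptions for illustration.

```kusto
// Constructed sample rows (not real Perf data); TimeGenerated is UTC.
let SamplePerf = datatable(TimeGenerated: datetime, Computer: string, CounterValue: real)
[
    datetime(2021-01-06 11:59:00), "vm-a", 10.0,  // 06:59 local, zone at UTC-5
    datetime(2021-01-06 12:00:00), "vm-a", 20.0,  // 07:00 local, zone at UTC-5
    datetime(2021-01-07 02:59:00), "vm-a", 30.0,  // 21:59 local (previous day), zone at UTC-5
    datetime(2021-01-07 03:00:00), "vm-a", 40.0,  // 22:00 local (previous day), zone at UTC-5
    datetime(2021-07-06 10:59:00), "vm-b", 50.0,  // 06:59 local, zone at UTC-4 (daylight saving)
    datetime(2021-07-06 11:00:00), "vm-b", 60.0   // 07:00 local, zone at UTC-4 (daylight saving)
];
// Assumption: the local zone is US Eastern, inferred from 7:00am = 12:00 UTC in the question.
let tz = "America/New_York";
SamplePerf
// On the real Perf table, filter the time range first, as in the thread:
// | where TimeGenerated > ago(21d)
| extend localTimestamp = datetime_utc_to_local(TimeGenerated, tz)
// between is inclusive on both ends, so 7 .. 21 covers 07:00:00 through 21:59:59 local time.
| where hourofday(localTimestamp) between (7 .. 21)
| project TimeGenerated, localTimestamp, Computer, CounterValue
```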