Good Morning All,
Hope you can help me.
I have, throughout the day, 3 tasks, 2 which look every 5 minutes for Id 1 or 3, and one every 4 hours for Id 2.
I have told these jobs to only run between 6am and 11pm.
I also have an overnight job that checks for Id 1 or 3 between the hours of 11pm and 6am.
However, I have noticed the between 6am and 11pm job sometimes having stuff in it up to 1am
I have also noticed the 11pm to 6am job having stuff as early as 8pm in it.
Clearly, I have done "something" wrong.
I have tried using AND and WHERE which produced the same results but here are my basic bits of code.
During the day, every 5 mins between 6am and 11pm
eventLog_EventDetail_CL
| where TimeGenerated > ago(5m) and EventTypeId_d == 3
| where TimeGenerated between (datetime('06:00:00') .. datetime('23:00:00'))
| limit 10 |
And overnight (had to include the ago(12h) or it would scan for hours
eventLog_EventDetail_CL
| where TimeGenerated > ago(12h)
| where TimeGenerated !between(datetime('06:00:00')..datetime('23:00:00'))
| where (EventTypeId_d == 3 or EventTypeId_d ==1)
