Jun 28 2021 10:12 AM - last edited on Apr 08 2022 10:50 AM by TechCommunityAP
Hi,
I am looking for something equivalent to a timeshift operator. For example, a query returns x results when run over the last 15 minutes, but the same query returns y results when run exactly a week back, i.e. current time - 7 days (also run over 15 minutes a week back).
My purpose is to get the differential between these values (y - x) and alert if this number is > 0, indicating the missing ones.
Thanks
Jun 29 2021 01:19 AM
This example will give you the structure. I used the Usage table as an example and the Alerts table (which you may or may not have).
```kusto
Usage
// just data from 7 days ago (midnight to midnight)
| where TimeGenerated between ( startofday(ago(7d)) .. endofday(ago(7d)) )
| where DataType == "Alert"
// a KQL identifier cannot start with a digit, so the column name is bracket-quoted
| summarize ['7daysAgo'] = count(), min(TimeGenerated), max(TimeGenerated) by DataType
| join (
    Usage
    // just data from midnight TODAY until now
    | where TimeGenerated > startofday(now())
    | where DataType == "Alert"
    // get the last record from today
    | summarize TodaysCount = count(), arg_max(TimeGenerated, *) by DataType
) on DataType
```
result
You can then use something like:
```kusto
| where TodaysCount > ['7daysAgo']
```
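The same pattern applied to the original question (a 15-minute window now versus the same 15-minute window exactly 7 days earlier, returning only rows where the earlier count exceeds the current one). This is an added example, not code from the thread; the SecurityEvent table and the per-Computer grouping are assumptions, so substitute your own query and key column.

```kusto
// Added example: compare the last 15 minutes with the same 15 minutes one week ago.
// Assumes the SecurityEvent table exists; any table and grouping key can be used.
let lookback = 15m;   // width of each comparison window
let shift = 7d;       // how far back the second window is shifted
// x: events per computer in the current window
let current = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | summarize CurrentCount = count() by Computer;
// y: events per computer in the same-width window one week earlier
let previous = SecurityEvent
    | where TimeGenerated between (ago(shift + lookback) .. ago(shift))
    | summarize PreviousCount = count() by Computer;
previous
// leftouter keeps computers that reported last week but are absent now
| join kind=leftouter current on Computer
| extend CurrentCount = coalesce(CurrentCount, 0)
// y - x: a positive value means fewer events now than a week ago
| extend Missing = PreviousCount - CurrentCount
| where Missing > 0
| project Computer, PreviousCount, CurrentCount, Missing
| order by Missing desc
```

Because both windows are only 15 minutes wide, ordinary fluctuation will produce small positive differences; when this drives an alert rule, consider a threshold or ratio rather than a strict `> 0` test.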