Exclude logs between a certain time range


We'd like to exclude logs generated between certain time ranges from our alerts but are having a hard time figuring out how to play with the time value of a datetime.

Let's say I have timeOfOccurence_t [UTC] which has a value of 2019-04-17T04:40:04.203Z.

I'd like to exclude any logs with a timeOfOccurence_t [UTC] between the hours of 1 AM and 6 AM.

How can I go about this?


@nickthompson Here are two examples:

// go back 1 hr
let startDate = ago(1h);   // start of the window: now minus 1 hour
let endDate   = now();     // end of the window: the current time
union withsource=tt *
| where TimeGenerated between (startDate .. endDate)
| where _IsBillable == true
| summarize by tt, TimeGenerated

I think you'll probably need a modified version of this time range example:

// Exclude 1am to 6am (UTC, since TimeGenerated is stored in UTC)
union withsource=tt *
| where TimeGenerated > startofday(ago(1d))          // start from midnight yesterday
| where hourofday(TimeGenerated) !between (1 .. 5)   // drop 01:00:00 through 05:59:59 on every day in the range
| where _IsBillable == true
| where tt == "Event"
| summarize count() by tt, bin(TimeGenerated, 1h)    // one bar per hour
| render barchart with (title="Exclude 1am thru 6am")

[Screenshot attachment: Annotation 2019-04-18 085455.jpg]
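A self-contained way to express the exclusion asked for in the question, added here as an example; it is not code from the original post or from the reply above. It runs on a constructed datatable so it can be pasted into any Log Analytics or Azure Data Explorer query window as-is. The column name timeOfOccurence_t comes from the question; the table name `sample`, the `localOffsetHours` setting and the row contents are assumptions made for this example. It also goes a little beyond the thread, covering a window that crosses midnight and one whose boundaries are not on the hour.

```kql
// Added example, not code from the original post. Excludes a daily time-of-day
// window (here 01:00-06:00) from the rows an alert would fire on. The input is a
// constructed datatable so the query runs stand-alone; in a real alert, replace
// `sample` with your own table.
let excludeStartHour = 1;   // inclusive: 01:00:00 is excluded
let excludeEndHour   = 6;   // exclusive: 06:00:00 is kept
// Assumed fixed offset from UTC for the "1 AM to 6 AM" you care about (0 = UTC).
// Assumption: a constant offset; this does not account for daylight-saving changes.
let localOffsetHours = 0;
// Constructed sample rows; the third one is the timestamp from the question.
let sample = datatable(timeOfOccurence_t:datetime, detail:string) [
    datetime(2019-04-17T00:59:59Z),     "keep: one second before the window",
    datetime(2019-04-17T01:00:00Z),     "drop: first second of the window",
    datetime(2019-04-17T04:40:04.203Z), "drop: the timestamp from the question",
    datetime(2019-04-17T05:59:59Z),     "drop: last second of the window",
    datetime(2019-04-17T06:00:00Z),     "keep: the window end is exclusive",
    datetime(2019-04-18T03:15:00Z),     "drop: next day, the same window applies",
    datetime(2019-04-18T12:00:00Z),     "keep: midday"
];
sample
| extend localTime = datetime_add('hour', localOffsetHours, timeOfOccurence_t)
| extend hourLocal = hourofday(localTime)          // 0..23, independent of the date
| where not(hourLocal >= excludeStartHour and hourLocal < excludeEndHour)
| project timeOfOccurence_t, detail
//
// Window that crosses midnight (e.g. 22:00-02:00): join the two halves with "or":
//   | where not(hourLocal >= 22 or hourLocal < 2)
//
// Boundaries that are not on the hour (e.g. 01:30-06:15): compare the
// time-of-day as a timespan instead of the hour number:
//   | extend tod = localTime - startofday(localTime)
//   | where tod !between (timespan(01:30:00) .. timespan(06:15:00))
```

The key point is that the comparison is made on the hour (or time-of-day) component rather than on a fixed datetime literal, so the same window is removed on every day in the lookback, however long it is. Because TimeGenerated and the question's timeOfOccurence_t [UTC] are stored in UTC, "1 AM to 6 AM" in a local time zone only matches after shifting by the offset, which is what `localOffsetHours` does in the example.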