Apr 17 2019
08:42 AM
- last edited on
Apr 07 2022
05:45 PM
by
TechCommunityAP
We'd like to exclude logs generated between certain time ranges from our alerts but are having a hard time figuring out how to play with the time value of datetime.
Let's say I have timeOfOccurence_t [UTC] which has a value of 2019-04-17T04:40:04.203Z.
I'd like to exclude any logs with a timeOfOccurence_t [UTC] between the hours of 1 AM and 6 AM.
How can I go about this?
Apr 18 2019 12:56 AM
@nickthompson Here are two examples
let startDate = ago(1h);   // go back 1hr (ago(nn) goes back nn in time)
let endDate = now();       // what is the date now
union withsource = tt *
| where TimeGenerated between (startDate .. endDate)
| where _IsBillable == True
| summarize by tt, TimeGenerated
I think you'll probably need a modified version of this time-range example:
// Exclude 1am to 6am
union withsource = tt *
| where TimeGenerated > startofday(ago(1day))   // start from midnight yesterday
// exclude times today: build the 01:00 and 06:00 boundaries from today's midnight,
// since a datetime() literal needs a full date rather than a bare time of day
| where TimeGenerated !between (startofday(now()) + 1h .. startofday(now()) + 6h)
| where _IsBillable == True
| where tt == "Event"
| summarize count() by tt, TimeGenerated
| render barchart with (title = "Exclude 1am thru 6am")
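An added example, not part of the reply above, that excludes the quiet hours on every day of the lookback window rather than only today, using hourofday() instead of date arithmetic. The 7-day lookback, the "Event" source and the Australia/Sydney zone are placeholder assumptions, and datetime_utc_to_local() needs a current Kusto/Log Analytics engine.

```kql
// Added example: drop records logged between 01:00 and 05:59 on every day
// in the lookback window. Lookback, source name and time zone are placeholders.
let lookback = 7d;
let quietStart = 1;            // first quiet hour, inclusive (01:00)
let quietEnd = 6;              // first hour after the quiet window, exclusive (06:00)
let tz = "Australia/Sydney";   // zone in which the 1 AM - 6 AM window is defined
union withsource = tt *
| where TimeGenerated > ago(lookback)
| where _IsBillable == true
| where tt == "Event"                                // scope the exclusion to one source
// TimeGenerated (like timeOfOccurence_t) is UTC; convert it so the quiet
// hours are evaluated on the local clock rather than the UTC one
| extend localTime = datetime_utc_to_local(TimeGenerated, tz)
| extend hod = hourofday(localTime)
| where not(hod >= quietStart and hod < quietEnd)    // keep everything outside 01:00-05:59
| summarize Events = count() by tt, bin(TimeGenerated, 1h)
| render timechart with (title = "Events per hour, excluding 01:00-06:00 local")
```

The `where tt == "Event"` line is what keeps the exclusion narrow; applied to the whole union, the same filter would also hide security tables for those hours, so an alert rule built on it should carry the source filter too.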