Query Logs between overnight hours.


Hello,
I am trying to query logs for file changes that occur overnight.
So, working with this query:

ConfigurationChange
| where Computer == "MyComputer"
| where FileSystemPath contains "MyFolder"
| where ConfigChangeType in ("Files")
Then I am wanting to just have reports for the time between 22:00:00 - 10:00:00.
I tried this query:

| where TimeGenerated between (datetime("22:00:00") .. datetime("10:00:00"))

But no logs are returned, even though logs are returned if I run the query without the TimeGenerated portion.
And of course those times are UTC.

How do I write it so that only the results between that 12 hour period are returned?

@SethDunn

Is this any use?

// between() is inclusive on both ends, so excluding hours 10..21 keeps hours 22, 23 and 0..9 (22:00:00 to 09:59:59 UTC)
| where datetime_part("hour", TimeGenerated) !between (10 .. 21)
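As an added example (not part of the original thread or the reply above), here is the poster's full query with an overnight window that wraps past midnight, written against the time of day rather than the hour number so that minute-level boundaries such as exactly 10:00:00 are handled. "MyComputer" and "MyFolder" are the placeholder values from the question; the 7-day lookback is an assumption.

```kql
// Added example, not the original poster's query. Placeholders: "MyComputer",
// "MyFolder". The ago(7d) lookback is an assumption; adjust to the reporting period.
ConfigurationChange
| where TimeGenerated > ago(7d)
| where Computer == "MyComputer"
| where FileSystemPath contains "MyFolder"
| where ConfigChangeType == "Files"
// Time elapsed since 00:00 UTC on the same calendar day, as a timespan in [0h, 24h).
| extend TimeOfDayUtc = TimeGenerated - startofday(TimeGenerated)
// A window that crosses midnight is not a single between(); it is the union of
// "late evening" and "early morning". Start is inclusive, end is exclusive, so
// 22:00:00 is kept and 10:00:00 is dropped.
| where TimeOfDayUtc >= 22h or TimeOfDayUtc < 10h
| project TimeGenerated, TimeOfDayUtc, Computer, FileSystemPath, ConfigChangeType
| order by TimeGenerated desc
```

Why the original attempt returns nothing: a datetime() literal is a point in time and needs a calendar date, so a bare time of day such as "22:00:00" is not a value that TimeGenerated can fall between; a time-of-day comparison has to be derived from TimeGenerated itself, as above or with datetime_part("hour", ...). If the hour-number form is used instead, remember that between() is inclusive on both ends, so the exclusion range for a 22:00 to 10:00 window is 10 .. 21, not 10 .. 22. The times here are UTC, as in the question; if the window is meant in a local time zone, convert first with datetime_utc_to_local(TimeGenerated, "<IANA time zone>") and compute the time of day from that value.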