Azure Monitor: Where Time Between or !Between doesn't seem to work.


Good Morning All,

Hope you can help me.

I have, throughout the day, 3 tasks, 2 of which look every 5 minutes for Id 1 or 3, and one every 4 hours for Id 2.

I have told these jobs to only run between 6am and 11pm.

I also have an overnight job that checks for Id 1 or 3 between the hours of 11pm and 6am.

However, I have noticed the between 6am and 11pm job sometimes having stuff in it up to 1am.

I have also noticed the 11pm to 6am job having stuff as early as 8pm in it.

Clearly, I have done "something" wrong.

I have tried using AND and WHERE, which produced the same results, but here are my basic bits of code.

During the day, every 5 mins between 6am and 11pm:

eventLog_EventDetail_CL
| where TimeGenerated > ago(5m) and EventTypeId_d == 3
| where TimeGenerated between (datetime('06:00:00') .. datetime('23:00:00'))
| limit 10

And overnight (had to include the ago(12h) or it would scan for hours):

eventLog_EventDetail_CL
| where TimeGenerated > ago(12h)
| where TimeGenerated !between(datetime('06:00:00')..datetime('23:00:00'))
| where (EventTypeId_d == 3 or EventTypeId_d ==1)

0 Replies
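
A time-of-day window can be expressed by comparing the hour component of TimeGenerated instead of a full datetime value. The query below is an added example, not part of the original post: `SampleEvents` and its rows are constructed stand-ins for `eventLog_EventDetail_CL`, and the hours are UTC because TimeGenerated is stored in UTC, so the boundaries need shifting for a schedule defined in local time.

```kusto
// Constructed sample rows standing in for eventLog_EventDetail_CL.
// TimeGenerated values in Log Analytics are stored in UTC.
let SampleEvents = datatable(TimeGenerated: datetime, EventTypeId_d: real)
[
    datetime(2021-01-01 05:59:00), 3.0,   // just before the day window
    datetime(2021-01-01 06:00:00), 3.0,   // first instant of the day window
    datetime(2021-01-01 12:30:00), 2.0,   // Id 2, filtered out below
    datetime(2021-01-01 22:59:59), 1.0,   // last second of the day window
    datetime(2021-01-01 23:00:00), 1.0,   // first instant of the overnight window
    datetime(2021-01-02 01:00:00), 3.0    // overnight, after midnight
];
SampleEvents
| where EventTypeId_d == 1 or EventTypeId_d == 3
// hourofday() returns 0-23, so the test is independent of the calendar date
| extend HourUtc = hourofday(TimeGenerated)
// Half-open windows: every row lands in exactly one of the two jobs
| extend Window = iff(HourUtc >= 6 and HourUtc < 23,
                      "day (06:00-23:00 UTC)",
                      "overnight (23:00-06:00 UTC)")
| project TimeGenerated, EventTypeId_d, HourUtc, Window
| order by TimeGenerated asc
```

For the scheduled jobs, the same `HourUtc` condition (or its negation for the overnight job) would sit alongside the `ago(5m)` or `ago(12h)` filter, so that the two result sets cannot overlap.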