May 02 2018 - last edited on Apr 07 2022
When I execute the following query on the demo portal:
| summarize by ClientIP, TimeGenerated
It doesn't return what I expect. It seems the TimeGenerated is rounded to the nearest hour and all sub-hour records are filtered. It's as if there was a hypothetical startofhour function applied to TimeGenerated. Is this expected?
May 02 2018 10:28 PM
Can you let us know what exactly you are trying to achieve, as the query you are executing does not make much sense?
May 03 2018 01:56 AM Solution
This is expected. It is a failsafe functionality in the system to protect it from returning huge amounts of records, which would be the situation if we returned every TimeGenerated at an accuracy of a millisecond. It automatically uses 1 hour binning.
We are evaluating this failsafe mechanism and considering whether it is worth keeping.
If you want control over the binning period, you can use the bin function. This query does the same but uses a 1 minute binning instead of the 1 hour binning:
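An added example, not the query from the reply above: the same constructed rows summarized with explicit 1-hour and 1-minute bins, so the difference in the number of returned rows is visible side by side. The `Requests` table, its values, and the `Events`, `Bucket` and `BinSize` column names are assumptions made for illustration.

```kusto
// Constructed sample rows; not data from the demo portal.
let Requests = datatable(TimeGenerated: datetime, ClientIP: string)
[
    datetime(2018-05-02 10:05:13), "10.0.0.1",
    datetime(2018-05-02 10:05:48), "10.0.0.1",
    datetime(2018-05-02 10:41:02), "10.0.0.1",
    datetime(2018-05-02 10:41:30), "10.0.0.2",
    datetime(2018-05-02 11:02:09), "10.0.0.2"
];
union
    // 1-hour bins, written explicitly: bin() rounds each timestamp down
    // to the start of its hour, so sub-hour detail collapses.
    (Requests
     | summarize Events = count() by ClientIP, Bucket = bin(TimeGenerated, 1h)
     | extend BinSize = "1h"),
    // 1-minute bins: the caller chooses the granularity, and Events shows
    // how many raw records fell into each bucket.
    (Requests
     | summarize Events = count() by ClientIP, Bucket = bin(TimeGenerated, 1m)
     | extend BinSize = "1m")
| order by BinSize asc, ClientIP asc, Bucket asc
```

Keeping a `count()` alongside the bin makes it clear that records inside a bucket are aggregated, not dropped.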
May 03 2018 10:36 AM
May 03 2018 12:42 PM
May 04 2018 10:39 AM
Ah, thanks. Explicitly calling bin makes more sense.