Jun 28 2021 - last edited on Apr 08 2022
I am looking for something equivalent to a timeshift operator. For example, a query returns x results when run in the last 15 minutes, but the same query returns y results when run exactly a week back, i.e. currenttime - 7 days (also run for 15 minutes a week back).
My purpose is to get the differential between these values (y - x) and alert if this number is > 0, indicating the missing ones.
Jun 29 2021 01:19 AM
This example will give you the structure. I used the Usage table as an example and the Alerts table (which you may or may not have).
Usage
// just data from 7 days ago (midnight to midnight)
| where TimeGenerated between ( startofday(ago(7d)) .. endofday(ago(7d)) )
| where DataType == "Alert"
// a column name starting with a digit must be bracket-quoted in KQL
| summarize ['7daysAgo'] = count(), min(TimeGenerated), max(TimeGenerated) by DataType
| join (
    Usage
    // just data from midnight TODAY until now
    | where TimeGenerated > startofday(now())
    | where DataType == "Alert"
    // get the last record from today
    | summarize TodaysCount = count(), arg_max(TimeGenerated, *) by DataType
) on DataType
You can then use something like:
| where TodaysCount > ['7daysAgo']
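For the exact 15-minute windows the question describes (now, and the same 15 minutes one week earlier), the comparison can also be done in a single pass with countif instead of a join. This is an added example, not part of the thread; it borrows the Usage table and the DataType == "Alert" filter from the answer above as stand-ins for the poster's own query.

```kql
// Added example: count the last 15 minutes against the same 15 minutes
// exactly 7 days earlier and flag when the older window had more records.
// Assumes the Usage table and DataType == "Alert" filter used in the answer.
let window   = 15m;
let shift    = 7d;
let nowTime  = now();
let thenTime = nowTime - shift;          // same clock time one week ago
Usage
| where DataType == "Alert"
// keep only the two windows of interest
| where TimeGenerated between ((nowTime - window) .. nowTime)
     or TimeGenerated between ((thenTime - window) .. thenTime)
| summarize
    x_now     = countif(TimeGenerated > nowTime - window),   // last 15 minutes (x)
    y_weekAgo = countif(TimeGenerated <= thenTime)           // same window 7 days back (y)
    by DataType
| extend missing = y_weekAgo - x_now
// the alert condition from the question: y - x > 0 means records are missing now
| where missing > 0
```

Scheduling this as an analytics rule every 15 minutes with a lookback of at least 7 days and 15 minutes gives one row per DataType only when the current window is short relative to last week.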
Jul 06 2021 01:42 PM
Jul 07 2021 12:55 AM