KQL Date between range not working

snteran · ‎May 19 2021

Due to the 10,000 row limit within KQL, we are working with running scan for just specific time ranges.

Query:

IdentityLogonEvents

| where LogonType == "Failed logon" and isnotempty(AccountName)

| project LogonTime = Timestamp, LogonType, Application, FailureReason, AccountName, AccountUpn, DeviceName, DestinationDeviceName

| where Timestamp between (datetime(2021-5-02)..datetime(2021-5-03))

However the datetime is not working correctly, we still get what ever the option is selected in the gui. When I test this in the lademo area, I get "Set in query".

Any help/advice on how to get the date range to work in query?

Also, it's odd how the 10,000 limit is not in a row. For example, if we did 5/5 - 5/8 and we limited out, we will get results for all dates but not all the data.

Cheers,

LouisMastelinck · ‎May 27 2021

I have not tested your KQL but have you tried moving your Timestap to the top of you query?
So your data set is first created within the wanted time range and narrowed down based on the logonType.

IdentityLogonEvents
| where Timestamp between (datetime(2021-5-02)..datetime(2021-5-03))
| where LogonType == "Failed logon" and isnotempty(AccountName)
| project LogonTime = Timestamp, LogonType, Application, FailureReason, AccountName, AccountUpn, DeviceName, DestinationDeviceName

snteran · ‎Jun 07 2021

Hey Louis, Looks like they are going to decide to run the query everyday until we can get PowerBI desktop setup on the VM.

Cheers,

KQL Date between range not working

KQL Date between range not working

Re: KQL Date between range not working

Re: KQL Date between range not working

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

KQL Date between range not working