I have used Log Analytics & Kusto Query Language (KQL) quite alot over the years, recently I been spending sometime writing a number of queries that have time based filtering included, such as return data for a specific month, specific time frame etc – have created a quick blog post to show some of these time based filters that are possible as part of your KQL.
Getting Started with Time-Based Filtering in KQL
Lets jump right into some examples of time-based filters and understand what each query does:
findSearches across all tables for the specified condition
1. Logs for a specific month
find where TimeGenerated between(startofday(datetime(2024-06-01)) .. endofday(datetime(2024-06-30)))
where TimeGenerated between(startofday(datetime(2024-06-01)) .. endofday(datetime(2024-06-30)))Filters the logs to include only those generated between the start and end of June 2024 (1st – 30th June)
2. Logs for a specific week
find where TimeGenerated between(datetime(2024-06-10) .. datetime(2024-06-16))
where TimeGenerated between(datetime(2024-06-10) .. datetime(2024-06-16))Sometimes you may want to analyse logs from a specific week, this is what above is doing – in this case, return logs generated between 10th and 16th of June 2024
3. Logs for a specific day
find where TimeGenerated between(startofday(datetime(2024-06-19)) .. endofday(datetime(2024-06-19)))
where TimeGenerated between(startofday(datetime(2024-06-19)) .. endofday(datetime(2024-06-19)))Logs created during a specific day, returns logs generated on 19th June 2024
4. Logs within the last two hours
find where TimeGenerated between(ago(2h) .. now())
where TimeGenerated between(ago(2h) .. now())Logs that have been created within the last 2 hours
5. Logs in a specific quarter
find where TimeGenerated between(startofday(datetime(2024-04-01)) .. endofday(datetime(2024-06-30)))
where TimeGenerated between(startofday(datetime(2024-04-01)) .. endofday(datetime(2024-06-30)))Logs created within a specific quarter, in this case Q2
Whether you’re isolating logs for specific hours, days, or dynamically generating real-time data, these techniques will help you gain deeper insights into your log data.
Keep experimenting with these queries and explore more advanced features of KQL to unlock the full potential of Azure Log Analytics 🙂 – hopefully these example time based filtering queries assist you within your KQL