Azure Log Analytics - How to view logs from last x days but only between certain hours?

Question

I'd like to look at the app gateway 500 error logs over the last x number of days. But for those x number of days, I'd only like to see the logs that came in between 11:00 and 13:00 UTC. How can I do this? Here's what I have so far but it's not working.

AzureDiagnostics
| where TimeGenerated > ago(7d) and TimeGenerated between (datetime(11:00:00) .. datetime(13:00:00))
| where ResourceType == "APPLICATIONGATEWAYS" and httpStatus_d > 499
| where host_s == "my.website.com"
| summarize count() by clientIP_s, bin(TimeGenerated, 5m)

Obviously the second like (Timegenerated) is wrong. Can someone please advise on how to do this?

Thanks!

score 4 · Accepted Answer · answered Dec 11 '20 at 19:34

You could use hourofday(): https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/hourofdayfunction

For example:

AzureDiagnostics
| where TimeGenerated > ago(7d)
| where hourofday(TimeGenerated) between (11 .. 12) // 11:00 AM -> 12:59 PM
| where host_s == "my.website.com"
| where ResourceType == "APPLICATIONGATEWAYS"
| where httpStatus_d > 499
| summarize count() by clientIP_s, bin(TimeGenerated, 5m)

Azure Log Analytics - How to view logs from last x days but only between certain hours?

1 Answers1