Filtering on Time

# References https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/scalar-data-types/datetime https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/scalar-data-types/timespan # Timespans (Time period/duration) As with the name, time periods represent a period or duration of time such as 1 days duration (24 hours) ```kusto // Days let period_days = 2d; // hours let period_hours = 1h; // Minutes let period_mins = 1m; // Seconds let period_seconds = 1s; // millioseconds let period_milli = 1ms; // Microseconds let period_micro = 1microsecond; ``` Performing addition or subtraction operations on two timespans will result in a timespan. A negative timespan is possible which will result in the operation being inverted meaning addition will become subtraction and subtraction will become addition. # Datetimes (point in time) The datetime type represents a specific point in time such as 12am on the 1st of January 2021. > Note that the datetime queries will be in UTC and you should account for this. The datetime is generally presented in local time in the visual results output however. You can determine what the returned time in the results table is showing as it should show something similar to TimeGenerated [Timezone] ```kusto let datetime_utc = datetime('2022-01-01T13:00:00'); let datetime_offset = datetime('2022-01-01T13:00:00+1'); // UTC +1 let datetime_alternative = datetime('2022-01-01T13:00:00') + 1h; // UTC +1 - useful for setting the datetime as a value such as "let tz = +1h" let datetime_now = now() // The current time ``` Adding or subtracting a datetime to/from another datetime will result in the difference between the two represented as a timespan . Adding or subtracting a timespan to/from a datetime willresult in a datetime. # Filtering queries ```kusto // using greater or equal to datetime or less than or equal to do a "between" T | where TimeGenerated >= ago(1d) and TimeGenerated <= now() // Using between T | where TimeGenerated between (ago(1d) .. now()) // Using between T | where TimeGenerated between (datetime('2022-01-01T13:00:00+8') .. datetime('2022-01-01T13:00:00+8')) // Using between notice where there are two statements that they are in brackes (now()-1d) T | where TimeGenerated between ((now()-1d) .. now()) // Using a string to datetime T | where TimeGenerated >= datetime('2022-01-01T13:00:00+8') // Using a calculated time T | where TimeGenerated >= now()-1d ``` # Examples ## Between / Before and After ### With comparison operators ``` let after = now()-10d; let before = now()-1h; T | where TimeGenerated >= after and TimeGenerated <= before ``` ### Using between ``` let after = now()-10d; let before = now()-1h; T | where TimeGenerated between (after .. before) ``` ## Difference between two times ``` T | summarize first_seen=min(TimeGenerated), last_seen=max(TimeGenerated) by IPAddress | where last_seen-first_seen > 1h ```