Log Analytics Workspace / Azure Watchlist: KQL Filtering on datetime
I'm having trouble converting a date value in a watchlist to be understood as a datetime value.
I've tried using format_datime(), datetime(), date() but the value becomes blank.
steps to reproduce:
create a watchlist with a column that has a date in the format
dd/MM/yyyyrun a query where you attempt to filter on the date column. (ensure the date value meets the condition)
let examplewatchlist = _GetWatchlist("exampleWatchlist");
examplewatchlist
| where ReviewDate > now() // now is 01/03/2024
For example, here is my watchlist (a total of 1 row)
My desired output for the above query should be this one row in the watchlist because it satisfies ReviewDate > now()
Created a watchlist same as you have :
You can use below KQL query to get expected results:
let examplewatchlist = _GetWatchlist("test1");
examplewatchlist
| extend test = split(ReviewDate, "/")
| extend ReviewDate2 = make_datetime(toint(test[2]),toint(test[1]),toint(test[0]))
| where ReviewDate2 > now() + 17d
ReviewDate is not stored as datetime, it needs to transformed as above.
To test date with now():
Later you can use |project-away test to remove extra columns.
- Generate Chart by Type and State
- Azure Data Explorer C# querying and ORM
- How to find non distinct/duplicate messages in Azure Application Insights?
- Kusto query for time between records by group in one result list
- Application Insights KQL query - not in sub query
- Logic Apps copy action gives: The managed identity used with this operation no longer exists. To continue, set up an identity or change the connection
- Get all types of resources in a resource group
- insert an array in column of the kql table
- Stuck at PIM Diagnostics via KQL
- In Azure log analytics - where are the delete queries in KQL?
- Get the difference between Successive timestamps KQL
- Grouping on the basis of cumulative sum
- Check two different tables
- Is it possible to group rows programmatically in KQL?
- How could I parse the json array in Kusto?
- How to use table alias in KQL query
- How do I create an Azure workbook that accepts a time range in UTC?
- Azure Resource Graph Explorer :: list all VMs with number of cores
- Restrict all table and function except specific table
- Extract query string from url
- how to convert the rows into columns in Azure Data Explorer (Kusto)
- String function not parsing all characters
- free disk space overview using InsightsMetrics
- Query Azure Resource Graph and get a list of all the application registration that contains "test"
- Time difference between separate rows in same table
- How can I default a KQL Defender Vulnerability Summary to zero?
- Summarize count() multiple columns with where clauses
- Merging multiple rows into a variable in json format
- Kusto (KQL), How to pivot event rows that are grouped into single lines (by user and day), including event start and end times?
- How do I show the status of all ACAs in an Azure ACA Environment