Log Analytics Workspace / Azure Watchlist: KQL Filtering on datetime

Question

I'm having trouble converting a date value in a watchlist to be understood as a datetime value.

I've tried using format_datime(), datetime(), date() but the value becomes blank.

steps to reproduce:

1. create a watchlist with a column that has a date in the format dd/MM/yyyy

2. run a query where you attempt to filter on the date column. (ensure the date value meets the condition)

let examplewatchlist = _GetWatchlist("exampleWatchlist");
examplewatchlist
| where ReviewDate > now() // now is 01/03/2024

For example, here is my watchlist (a total of 1 row)

My desired output for the above query should be this one row in the watchlist because it satisfies ReviewDate > now()

Answer 1

Created a watchlist same as you have :

You can use below KQL query to get expected results:

let examplewatchlist = _GetWatchlist("test1");
examplewatchlist
| extend test = split(ReviewDate, "/")
| extend ReviewDate2 = make_datetime(toint(test[2]),toint(test[1]),toint(test[0]))
| where ReviewDate2 >  now() + 17d

ReviewDate is not stored as datetime, it needs to transformed as above.

To test date with now():

Later you can use |project-away test to remove extra columns.