Using azure data explorer https://dataexplorer.azure.com/ I ran both queries below.
First Query (Total Count):
AppRequests | where TimeGenerated >= datetime("2024-03-28") and TimeGenerated < datetime("2024-03-29") | count
In this query, we directly count all records without any summarization. It provides the total count of events within the specified time range.
Second query:
AppRequests| where TimeGenerated >= datetime("2024-03-28") and TimeGenerated < datetime("2024-03-29")
In this corrected query, we filter AppRequests based on the same time range as the first query without any summarization.
I would expect that the total number of records off the 2nd query match the resultset of the first query. Yet I have a difference. The first query gets a total number above 80k while the 2nd query get me about 35k records. How is this possible?
when breaking down that query per hour instead AppRequests | where TimeGenerated >= datetime("2024-03-28 17:00:00") and TimeGenerated < datetime("2024-03-28 17:59:59") and so forth, I had a match when adding the count pipe.
There is a Result truncation that limits how much/how many results you can get in a KQL query. Look if that's what is limiting your results.
If you would like to disable result truncation, add
set notruncation;
AppRequests| where TimeGenerated >= datetime("2024-03-28") and TimeGenerated < datetime("2024-03-29")