
@abenteuerzeit
Created February 22, 2024 11:30
KQL Time Comparisons
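// Builds a synthetic event table: one row every `intervalDays` days, starting at
// `startDatetime` and never later than `endDatetime`.
//   startDatetime - timestamp of the first event (EventID 1).
//   endDatetime   - inclusive upper bound for generated timestamps.
//   intervalDays  - spacing between events in days; expected to be > 0, since the
//                   step count is computed by dividing by it.
// Returns the columns EventID and EventTimestamp.
let GenerateEventsOverYear = (startDatetime: datetime, endDatetime: datetime, intervalDays: int) {
    // datetime_diff('day', ...) counts calendar-day boundaries crossed, not elapsed 24-hour periods.
    let totalDays = datetime_diff('day', endDatetime, startDatetime);
    // Integer division truncates, so this is the number of whole intervals in the span.
    let steps = totalDays / intervalDays;
    // N whole intervals have N + 1 endpoints. Generate one extra candidate so the last
    // in-range event is not dropped; the filter below trims anything past endDatetime.
    range EventID from 1 to steps + 1 step 1
    | extend EventTimestamp = startDatetime + ((EventID - 1) * intervalDays * 1d)
    | where EventTimestamp <= endDatetime
    | project EventID, EventTimestamp
};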
// Sample data: one synthetic event per week across the last 365 days.
let Events = GenerateEventsOverYear(ago(365d), now(), 7);
// Pick one event at random as the comparison target. `sample` is non-deterministic, so
// the reference changes from run to run; toscalar() fixes it to a single value that
// every row below is compared against.
let referenceTimestamp = toscalar(Events | sample 1 | project EventTimestamp);
// Every now()/ago() in a single query statement resolves to the same instant, so these
// cut-offs are consistent with each other and with the generator call above.
let queryTime = now();
let recentCutoff = ago(2d);
let lastHourCutoff = ago(1h);
Events
| order by EventTimestamp
| project
    referenceTimestamp,
    EventTimestamp,
    // The six relational operators applied to datetime values.
    Equals = EventTimestamp == referenceTimestamp,
    NotEquals = EventTimestamp != referenceTimestamp,
    LessThan = EventTimestamp < referenceTimestamp,
    LessThanOrEqual = EventTimestamp <= referenceTimestamp,
    GreaterThan = EventTimestamp > referenceTimestamp,
    GreaterThanOrEqual = EventTimestamp >= referenceTimestamp,
    // Two-sided window: within 3600 seconds of query time in either direction.
    NearCurrentTime = abs(datetime_diff('second', EventTimestamp, queryTime)) <= 3600,
    // One-sided windows: only a lower bound is checked, so a timestamp in the future
    // also evaluates to true. Against real log data, where the source clock may be
    // skewed or the field set by the sender, pair these with an upper bound such as
    // `EventTimestamp <= now()`.
    IsRecent = EventTimestamp > recentCutoff,
    JustHappened = EventTimestamp > lastHourCutoff;