Log Analytics Workspace / Azure Watchlist: KQL Filtering on datetime

67 Views Asked by HarriS At 29 February 2024 at 23:56

I'm having trouble converting a date value in a watchlist to be understood as a datetime value.

I've tried using format_datime(), datetime(), date() but the value becomes blank.

steps to reproduce:

create a watchlist with a column that has a date in the format dd/MM/yyyy
run a query where you attempt to filter on the date column. (ensure the date value meets the condition)

let examplewatchlist = _GetWatchlist("exampleWatchlist");
examplewatchlist
| where ReviewDate > now() // now is 01/03/2024

For example, here is my watchlist (a total of 1 row)

My desired output for the above query should be this one row in the watchlist because it satisfies ReviewDate > now()

Original Q&A

There are 1 best solutions below

RithwikBojja On 01 March 2024 at 05:18 BEST ANSWER

Created a watchlist same as you have :

enter image description here

You can use below KQL query to get expected results:

let examplewatchlist = _GetWatchlist("test1");
examplewatchlist
| extend test = split(ReviewDate, "/")
| extend ReviewDate2 = make_datetime(toint(test[2]),toint(test[1]),toint(test[0]))
| where ReviewDate2 >  now() + 17d

enter image description here

ReviewDate is not stored as datetime, it needs to transformed as above.

To test date with now():

enter image description here

Later you can use |project-away test to remove extra columns.

Log Analytics Workspace / Azure Watchlist: KQL Filtering on datetime

There are 1 best solutions below

Related Questions in KQL

Related Questions in AZURE-DATA-EXPLORER

Related Questions in AZURE-LOG-ANALYTICS

Trending Questions

Popular # Hahtags

Popular Questions