How to cater if most kusto queries return data for 7 days, but for some you need to select up to 13 days
Question
How do I modify a KQL query so if there is no data for the last 7 days (per SubscriptionID), it will check the previous 7 days, and so on, until data is returned? I am not looking for the max record, want to return all records.
customEvents
| where TimeGenerated >= ago(7d)
Example: SubscriptionId 1, ago(7d) gives me 100 records. SubscriptionId 2, ago(11d) gives me 50 records. SubscriptionId 3, ago(13d) gives me 70 records.
1 answers
solution1
0 2022-03-30 17:23:05
- Find the max TimeGenerated per SubscriptionId
- Compute the range of dates (intervals of 7 days, starting midnight) containing the max TimeGenerated
- Find the rows within the range
Some steps can be merged, however I kept it like this, so the process would be clearer.
// This is not a part of the solution, just generation of a sample data set
let customEvents = materialize(range RecordID from 1 to 100 step 1 | extend SubscriptionId = 100 + toint(rand()*10), TimeGenerated = ago(70d * rand()));
// The Solution starts here
customEvents
| where TimeGenerated == TimeGenerated // This is a trick to remove the Azure Log Analytics GUI filtering on TimeGenerated and scan the whole data
| summarize max(TimeGenerated) by SubscriptionId // Find the latest event per SubscriptionId
| extend 7d_index = toint((startofday(now()) + 1d - max_TimeGenerated) / 7d) // Taking midnight (start of tomorrow) as a reference point for 7d steps
| extend 7d_from = startofday(now()) + 1d - (7d_index+1)*7d
| extend 7d_to = 7d_from + 7d
| join kind=inner customEvents on SubscriptionId
| where TimeGenerated >= 7d_from and TimeGenerated < 7d_to
| SubscriptionId | max_TimeGenerated | 7d_index | 7d_from | 7d_to | RecordID | SubscriptionId1 | TimeGenerated |
|---|---|---|---|---|---|---|---|
| 103 | 2022-02-09T03:25:15.5368504Z | 7 | 2022-02-03T00:00:00Z | 2022-02-10T00:00:00Z | 9 | 103 | 2022-02-09T02:37:56.1558849Z |
| 103 | 2022-02-09T03:25:15.5368504Z | 7 | 2022-02-03T00:00:00Z | 2022-02-10T00:00:00Z | 16 | 103 | 2022-02-07T04:33:24.316011Z |
| 103 | 2022-02-09T03:25:15.5368504Z | 7 | 2022-02-03T00:00:00Z | 2022-02-10T00:00:00Z | 38 | 103 | 2022-02-09T03:25:15.5368504Z |
| 106 | 2022-03-02T15:05:44.9959483Z | 4 | 2022-02-24T00:00:00Z | 2022-03-03T00:00:00Z | 89 | 106 | 2022-03-02T15:05:44.9959483Z |
| 100 | 2022-03-11T23:07:30.112493Z | 2 | 2022-03-10T00:00:00Z | 2022-03-17T00:00:00Z | 52 | 100 | 2022-03-11T23:07:30.112493Z |
| 100 | 2022-03-11T23:07:30.112493Z | 2 | 2022-03-10T00:00:00Z | 2022-03-17T00:00:00Z | 99 | 100 | 2022-03-10T10:42:13.3707942Z |
| 108 | 2022-03-18T02:30:12.9981348Z | 1 | 2022-03-17T00:00:00Z | 2022-03-24T00:00:00Z | 45 | 108 | 2022-03-18T02:30:12.9981348Z |
| 104 | 2022-03-26T09:42:16.6141944Z | 0 | 2022-03-24T00:00:00Z | 2022-03-31T00:00:00Z | 2 | 104 | 2022-03-26T09:42:16.6141944Z |
| 101 | 2022-03-26T21:07:24.8287265Z | 0 | 2022-03-24T00:00:00Z | 2022-03-31T00:00:00Z | 26 | 101 | 2022-03-26T18:44:11.2603872Z |
| 101 | 2022-03-26T21:07:24.8287265Z | 0 | 2022-03-24T00:00:00Z | 2022-03-31T00:00:00Z | 72 | 101 | 2022-03-26T21:07:24.8287265Z |
| 109 | 2022-03-27T00:19:21.6634245Z | 0 | 2022-03-24T00:00:00Z | 2022-03-31T00:00:00Z | 10 | 109 | 2022-03-24T20:51:14.0998955Z |
| 109 | 2022-03-27T00:19:21.6634245Z | 0 | 2022-03-24T00:00:00Z | 2022-03-31T00:00:00Z | 97 | 109 | 2022-03-24T10:58:08.3486066Z |
| 109 | 2022-03-27T00:19:21.6634245Z | 0 | 2022-03-24T00:00:00Z | 2022-03-31T00:00:00Z | 100 | 109 | 2022-03-27T00:19:21.6634245Z |
| 107 | 2022-03-27T15:38:00.2505115Z | 0 | 2022-03-24T00:00:00Z | 2022-03-31T00:00:00Z | 56 | 107 | 2022-03-27T15:38:00.2505115Z |
| 107 | 2022-03-27T15:38:00.2505115Z | 0 | 2022-03-24T00:00:00Z | 2022-03-31T00:00:00Z | 79 | 107 | 2022-03-26T21:48:07.2426503Z |
| 102 | 2022-03-29T18:22:07.0933128Z | 0 | 2022-03-24T00:00:00Z | 2022-03-31T00:00:00Z | 17 | 102 | 2022-03-29T18:22:07.0933128Z |
| 105 | 2022-03-30T06:33:58.9259576Z | 0 | 2022-03-24T00:00:00Z | 2022-03-31T00:00:00Z | 5 | 105 | 2022-03-25T00:54:28.3674356Z |
| 105 | 2022-03-30T06:33:58.9259576Z | 0 | 2022-03-24T00:00:00Z | 2022-03-31T00:00:00Z | 43 | 105 | 2022-03-24T23:37:13.4311073Z |
| 105 | 2022-03-30T06:33:58.9259576Z | 0 | 2022-03-24T00:00:00Z | 2022-03-31T00:00:00Z | 57 | 105 | 2022-03-30T06:33:58.9259576Z |
| 105 | 2022-03-30T06:33:58.9259576Z | 0 | 2022-03-24T00:00:00Z | 2022-03-31T00:00:00Z | 68 | 105 | 2022-03-30T01:17:29.13968Z |
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.
Related Question
BigQuery Scheduled queries only on working days
How to aggregate data by counting days in date?
Kusto / Azure Data Explorer - Distinct count in kusto queries
Select data where Datetime is less than 30 days Cosmos Db
BigQuery: Split monthly data into days
Intermittent error 'This node is not ready to answer queries yet' in Azure Data Explorer (kusto)
Flutter: counter of series days, counter of days entry
How to get expired table data in bigquery, If the expired time is more than two days?
How to generate a minute level time range for last 10 days in BigQuery?
How to manually trigger a cloudwatch rule with ScheduleExpression(10 days)
Related Tags