Reputation: 9411
I have a log sequence in Azure AppInsights that keeps log records from each run of a scheduled job.
In order to know when a job was last run, I use the following request:
customEvents
| where name == "Scheduled job started"
| project source=strcat(tostring(customDimensions.prefix), "-", tostring(customDimensions.postfix)), timestamp
| summarize last_started=max(format_datetime(todatetime(timestamp),'yy-MM-dd HH:mm:ss')) by source
| order by last_started desc
So it gives me a table like:
job0 20-08-11 13:40:06
job1 20-08-11 13:35:06
job2 20-08-11 13:15:06
...
Now, I need to create an alert for timestamps that are more than 24 hours in the past. That means I would like to amend the query so that it only contains rows that have a timestamp more than 24h ago. Later, I am going to make an alert rule that fires if there are any timestamps like that.
How can I achieve that?
Upvotes: 0
Views: 408
Reputation: 29730
Try the ago operator:
customEvents
| where name == "Scheduled job started"
| extend source=strcat(tostring(customDimensions.prefix), "-", tostring(customDimensions.postfix)), timestamp
| summarize last_started=max(format_datetime(todatetime(timestamp),'yy-MM-dd HH:mm:ss')), lastTimestamp = max(timestamp) by source
| where lastTimestamp < ago(1d)
| order by lastTimestamp desc
| project source, last_started
As you can see, the ago operator can help you here. Since that operator can only be used with datetime fields, I had to select lastTimestamp as well, but it is filtered out in the projection.
Upvotes: 2
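The staleness filter discussed above, run against constructed data so the result can be checked without a live workspace. This is an added example, not part of the original question or answer; `sample_events` and its rows are constructed, and `reference_time` is an assumed fixed stand-in for the current time.

```kusto
// Assumed "now", fixed so the result is reproducible.
let reference_time = datetime(2020-08-12 14:00:00);
// Constructed sample events standing in for the customEvents table.
let sample_events = datatable(timestamp: datetime, name: string, customDimensions: dynamic)
[
    // job-0 started 20 minutes before reference_time: not stale
    datetime(2020-08-12 13:40:06), "Scheduled job started",  dynamic({"prefix": "job", "postfix": "0"}),
    datetime(2020-08-11 13:40:06), "Scheduled job started",  dynamic({"prefix": "job", "postfix": "0"}),
    // job-1 last started just over 24 hours before reference_time: stale
    datetime(2020-08-11 13:35:06), "Scheduled job started",  dynamic({"prefix": "job", "postfix": "1"}),
    datetime(2020-08-10 13:35:06), "Scheduled job started",  dynamic({"prefix": "job", "postfix": "1"}),
    // job-2 last started days ago; its recent "finished" event must not count as a start
    datetime(2020-08-09 09:15:06), "Scheduled job started",  dynamic({"prefix": "job", "postfix": "2"}),
    datetime(2020-08-12 13:00:00), "Scheduled job finished", dynamic({"prefix": "job", "postfix": "2"})
];
sample_events
| where name == "Scheduled job started"
| extend source = strcat(tostring(customDimensions.prefix), "-", tostring(customDimensions.postfix))
// Aggregate on the datetime column itself; format it only for display at the end.
| summarize lastTimestamp = max(timestamp) by source
// On live data this comparison is: lastTimestamp < ago(1d)
| where lastTimestamp < reference_time - 1d
| extend age = reference_time - lastTimestamp
| order by age desc
| project source, last_started = format_datetime(lastTimestamp, 'yy-MM-dd HH:mm:ss'), age
```

Only job-1 and job-2 are returned. When the live query backs an alert rule, the time range the query is evaluated over has to be longer than 24 hours; a job whose last start event falls outside that range produces no row at all and therefore cannot trigger the alert.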