Reputation: 87
How to write a Kusto query to get previous month logs in sentinel?
| where TimeGenerated > ago(30d)
only gives me the last 30 days logs and I'm searching for a query to get previous month logs from a table, so I can export it directly into Power BI.
Upvotes: 3
Views: 10234
Answers (2)
Reputation: 21
Just wanted to add on to @Ken W MSFT's great query, by suggesting this for the automation
let time_start = startofmonth(datetime(now), -1); let time_end = endofmonth(datetime(now),-1); AuditLogs | where TimeGenerated between (time_start .. time_end)
Upvotes: 2
Reputation: 3824
Here is how you can do it below. I am showing two ways. The 'easy' way is to just hand jam the dates in for the month. The harder way requires you to use the make_datetime function.
// The Easy 'Manual' Way
AuditLogs
| where TimeGenerated >= datetime('2021-08-01') and TimeGenerated <= datetime('2021-08-31')
// Automated Way
let lastmonth = getmonth(datetime(now)) -1;
let year = getyear(datetime(now));
let monthEnd = endofmonth(datetime(now),-1);
AuditLogs
| where TimeGenerated >= make_datetime(year,lastmonth,01) and TimeGenerated <= monthEnd
https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/make-datetimefunction
Upvotes: 4
Related Questions
- Take output from query and use in subsequent KQL query
- Kusto: How to filter Logs in a certain time period?
- Multiple dates within KQL query
- Execute Kusto query present in the Table result
- Kusto query language - How to get exactly logs from previous day 7
- Kusto :How to query daily data to aggregate by Month and generate trends
- Azure Sentinel Kusto query table with data from another query
- Azure Log Analytics - KQL - query for getting year-to-date count
- Kusto query - how to get beginning datetime of current month
- How to get sum() by Column by Date in Kusto