azure, azure-log-analytics, azure-data-explorer, azure-application-gateway, kql

Azure Log Analytics - How to view logs from last x days but only between certain hours?


I'd like to look at the app gateway 500 error logs over the last x number of days. But for those x number of days, I'd only like to see the logs that came in between 11:00 and 13:00 UTC. How can I do this? Here's what I have so far but it's not working.

AzureDiagnostics
| where TimeGenerated > ago(7d) and TimeGenerated between (datetime(11:00:00) .. datetime(13:00:00))
| where ResourceType == "APPLICATIONGATEWAYS" and httpStatus_d > 499
| where host_s == "my.website.com"
| summarize count() by clientIP_s, bin(TimeGenerated, 5m)

Obviously the second line (TimeGenerated) is wrong. Can someone please advise on how to do this?

Thanks!


Solution

  • You could use hourofday(): https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/hourofdayfunction

    For example:

    AzureDiagnostics
    | where TimeGenerated > ago(7d)
    | where hourofday(TimeGenerated) between (11 .. 12) // 11:00 AM -> 12:59 PM
    | where host_s == "my.website.com"
    | where ResourceType == "APPLICATIONGATEWAYS"
    | where httpStatus_d > 499
    | summarize count() by clientIP_s, bin(TimeGenerated, 5m)
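An added example, not part of the original answer: it generalizes the hour filter to windows that do not start or end on a whole hour, or that cross midnight, by comparing each row's offset from `startofday()`. The `SampleDiagnostics` table, its rows, and the `windowStart`/`windowEnd` names are constructed for illustration.

```kql
// Constructed sample rows standing in for AzureDiagnostics (not real log data).
let SampleDiagnostics = datatable(TimeGenerated:datetime, ResourceType:string,
                                  host_s:string, httpStatus_d:real, clientIP_s:string)
[
    datetime(2024-01-08 11:29:59), "APPLICATIONGATEWAYS", "my.website.com", 502.0, "203.0.113.10", // just before window
    datetime(2024-01-08 11:30:00), "APPLICATIONGATEWAYS", "my.website.com", 502.0, "203.0.113.10", // first instant inside
    datetime(2024-01-08 12:47:12), "APPLICATIONGATEWAYS", "my.website.com", 500.0, "203.0.113.11", // inside
    datetime(2024-01-08 13:14:59), "APPLICATIONGATEWAYS", "my.website.com", 503.0, "203.0.113.10", // last second inside
    datetime(2024-01-08 13:15:00), "APPLICATIONGATEWAYS", "my.website.com", 503.0, "203.0.113.10", // end bound is exclusive
    datetime(2024-01-09 12:00:00), "APPLICATIONGATEWAYS", "my.website.com", 200.0, "203.0.113.12", // inside, but not a 5xx
    datetime(2024-01-09 12:05:00), "APPLICATIONGATEWAYS", "other.example", 500.0, "203.0.113.12"   // inside, wrong host
];
// Window bounds as time-of-day offsets in UTC (assumed values for this example).
// If windowStart > windowEnd, the window is treated as crossing midnight (e.g. 23:00 -> 01:00).
let windowStart = time(11:30:00);
let windowEnd   = time(13:15:00);
SampleDiagnostics
// Against real data, replace SampleDiagnostics with AzureDiagnostics and add:
// | where TimeGenerated > ago(7d)
| where ResourceType == "APPLICATIONGATEWAYS" and httpStatus_d > 499
| where host_s == "my.website.com"
// Offset of each record from midnight UTC of its own day, as a timespan.
| extend TimeOfDay = TimeGenerated - startofday(TimeGenerated)
// Half-open interval [windowStart, windowEnd) so adjacent windows never double-count a record.
| where iff(windowStart <= windowEnd,
            TimeOfDay >= windowStart and TimeOfDay < windowEnd,
            TimeOfDay >= windowStart or  TimeOfDay < windowEnd)
| summarize count() by clientIP_s, bin(TimeGenerated, 5m)
```

`TimeGenerated` is stored in UTC, so the bounds are UTC regardless of the display time zone chosen in the portal.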