Time range (for last month) in Kusto Query Language in Log Analytics Workspace

Varun Kalia 0 Reputation points
2025-02-13T05:54:00.9966667+00:00

Hi,

We use Log Analytics Workspace to collect logs for our customer tenants under a resource hosted in Azure. Previously we would use the Time Range feature to select the hits per tenant for the last calendar month, and I was looking to set it in the query.

When I set it in the query with the following syntax, the result is double what I received while using Time Range:

let lastmonth = getmonth(datetime(now)) -1;
let monthEnd = endofmonth(datetime(now),-1); 
AuditLogs
| where TimeGenerated >= make_datetime(lastmonth) and TimeGenerated <= monthEnd

Could someone please review this and let me know what could be the issue?

Appreciate your assistance.

Kind regards.


2 answers

  1. Deepanshu katara 13,840 Reputation points MVP
    2025-02-13T06:41:30.0633333+00:00

    Hello Varun, welcome to MS Q&A.

    When using Log Analytics Workspace, if your query returns double the results compared to using the Time Range feature, it might be due to how the query is structured. If the time filter is applied after a union of several tables, the query may scan all the data instead of just the specified time range, leading to more records than expected.

    To ensure the query only processes the relevant records, apply the time filter within each subquery before performing the union. This way, the query will only consider data from the specified time frame, preventing the retrieval of additional records.

    For more detailed guidance, you can refer to the following resources:

    Please let us know if you have any further questions.

    Kindly accept if it helps.

    Thanks
    Deepanshu


  2. Vinod Pittala 240 Reputation points Microsoft Vendor
    2025-02-13T23:47:49.6566667+00:00

    Hello Varun Kalia,

    Try running the Kusto query below.

    It will retrieve audit logs from the beginning of the previous month to the start of the current month.

    AuditLogs
    | where TimeGenerated >= startofmonth(datetime_add('month', -1, now())) and TimeGenerated < startofmonth(now())
    
    
    

    Hope this helps!

    Please reply if there are any challenges.

    Please do not forget to "Accept the answer" and "upvote it" wherever the information provided helps you; this can be beneficial to other community members. It would be greatly appreciated and helpful to others.

    Thanks
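
As an added example (not part of either answer or of the original page), here is the half-open previous-month window from the second answer, run over constructed sample rows placed on the month boundaries and counted per tenant. The `refTime` value, the `SampleLogs` table and its `Tenant` column are assumptions made for illustration; against real data use `now()` and `AuditLogs`.

```kusto
// Constructed reference time so the sample is reproducible;
// replace refTime with now() when querying real data.
let refTime = datetime(2025-02-13 05:54:00);
// Previous calendar month as a half-open interval [monthStart, monthEnd).
let monthStart = startofmonth(refTime, -1);  // first instant of the previous month
let monthEnd = startofmonth(refTime);        // first instant of the current month (excluded)
// Constructed sample rows standing in for AuditLogs. Tenant is a hypothetical column.
// Rows 1, 5 and 6 fall outside the previous month; rows 2 and 4 sit on its edges.
let SampleLogs = datatable(TimeGenerated: datetime, Tenant: string)
[
    datetime(2024-12-31 23:59:59), "contoso",
    datetime(2025-01-01 00:00:00), "contoso",
    datetime(2025-01-17 12:30:00), "fabrikam",
    datetime(2025-01-31 23:59:59), "fabrikam",
    datetime(2025-02-01 00:00:00), "contoso",
    datetime(2025-02-10 08:00:00), "fabrikam"
];
SampleLogs
// Using < on the upper bound keeps an event stamped exactly at the start
// of the current month from being counted in the previous month.
| where TimeGenerated >= monthStart and TimeGenerated < monthEnd
| summarize Hits = count(),
            FirstEvent = min(TimeGenerated),
            LastEvent = max(TimeGenerated)
    by Tenant
// Echo the window actually queried so it can be checked against the portal range.
| extend WindowStart = monthStart, WindowEnd = monthEnd
| order by Tenant asc
```

The `FirstEvent`, `LastEvent`, `WindowStart` and `WindowEnd` columns show which range the counts cover, which helps when comparing against a count taken with the Time Range picker.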

