0

I need to run a very simple query

requests | where cloud_RoleName == "blabla" | summarize Count=count() by url | order by Count desc

only thing i need to get the data just from the past 5 minutes if i try this :

requests | where timestamp < ago(5m) | where cloud_RoleName == "blabla" | summarize Count=count() by url | order by Count desc

or this

requests | where cloud_RoleName == "blabla" and timestamp < ago(5m) | summarize Count=count() by url | order by Count desc

but all of them are returning answers with data older than 5 minutes. ive read the doc and i see no other way of writing this query

can anyone assist?

Improve this question
2
  • 3
    Should it be timestamp > ago(5m)? I mean if ago(5m) returns the timestamp from 5 minutes ago, you'd want the ones with a timestamp greater than that. Commented Jan 5, 2022 at 10:30
  • omg ... yes :o , thank you Commented Jan 5, 2022 at 10:34

1 Answer 1

Reset to default
3

Make sure to check if the timestamp is greater than the result of ago(). It returns the timestamp from e.g. 5 minutes ago, so if you want the data that is within last 5 minutes, you want the ones with a timestamp higher than that.

So the query should be:

requests | where timestamp > ago(5m) | where cloud_RoleName == "blabla" | summarize Count=count() by url | order by Count desc
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.