How to write a Kusto query to get previous month logs in sentinel?

Question

| where TimeGenerated > ago(30d) only gives me the last 30 days logs and I'm searching for a query to get previous month logs from a table, so I can export it directly into Power BI.

If the answer below answers your question, please accept it by clicking the "V" icon. If you're still missing info, please add a comment elaborating what info you need. Thanks. — Slavik N, Oct 26 '21 at 06:53

Ken W - Zero Networks · Accepted Answer · 2021-10-01T18:00:15.460

1

Here is how you can do it below. I am showing two ways. The 'easy' way is to just hand jam the dates in for the month. The harder way requires you to use the make_datetime function.

// The Easy 'Manual' Way
AuditLogs
| where TimeGenerated >= datetime('2021-08-01') and TimeGenerated <= datetime('2021-08-31')
// Automated Way
let lastmonth = getmonth(datetime(now)) -1;
let year = getyear(datetime(now)); 
let monthEnd = endofmonth(datetime(now),-1); 
AuditLogs
| where TimeGenerated >= make_datetime(year,lastmonth,01) and TimeGenerated <= monthEnd

https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/make-datetimefunction

edited Oct 01 '21 at 18:00

answered Sep 13 '21 at 19:02

Ken W - Zero Networks

3,533
1
13
18

came up with an issue, this works only for 31 days months :/ – St Online Oct 01 '21 at 14:43
fixed this issue by using the `endofmonth()` function. – Ken W - Zero Networks Oct 01 '21 at 18:00
I don't think this will work for for query's executed in January where you need the data of December last year not current year – markbeij Sep 28 '22 at 08:56

score 0 · Answer 2 · answered Jul 25 '22 at 04:00

Just wanted to add on to @Ken W MSFT's great query, by suggesting this for the automation

let time_start = startofmonth(datetime(now), -1); let time_end = endofmonth(datetime(now),-1); AuditLogs | where TimeGenerated between (time_start .. time_end)

How to write a Kusto query to get previous month logs in sentinel?

2 Answers2