How to Query with TimeRange Log Analytics


Hello! I'm doing a query to Log Analytics to pass the data to a PowerApp.

In the Flow I call the Sentinel API and get the entities, I get the query (it is dynamic, never the same query), and I get the time range like this:

 

"additionalData": {
      "ProcessedBySentinel": "True",
      "Search Query Results Overall Count": "3",
      "Query Start Time UTC": "2021-05-27T19:22:07Z",
      "Query End Time UTC": "2021-05-27T20:22:07Z",
      "Analytic Rule Name": "Conexiones RDP no comunes",
      "Analytic Rule Ids": "[\"\"]",
      "Trigger Threshold": "0",
      "Trigger Operator": "GreaterThan",
      "Event Grouping": "SingleAlert",
      "Query Period": "01:00:00",
      "Data Sources": "[\"logazsentinel\"]",
      "Query": " QUERY",
      "Total Account Entities": "3",
      "Total IP Entities": "2",
      "Total Host Entities": "2"
    }

The data I need is between these times:

"Query Start Time UTC": "2021-05-27T19:22:07Z",
"Query End Time UTC": "2021-05-27T20:22:07Z",

and I'm calling the query like this:

[screenshot: madmvx_0-1622155133640.png]

I checked the documentation and I can only query with the timespan.

The timespan just gets me the results from the current time minus the hours specified, like:

it is 5:40 PM and I put PT1H30M, so I get the results from 5:40 PM back to 4:10 PM.

 

So the question I have: is it possible to do something like this with timespan?

"timespan": "2021-05-27T19:22:07Z" between "2021-05-27T20:22:07Z"

 

@Chi_Nguyen 
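The fixed window the post is after can be expressed directly in the Log Analytics query API, because its `timespan` field accepts either an ISO 8601 duration (`PT1H30M`, always relative to now) or an ISO 8601 interval written as `start/end`. The following is an added example, not code from the thread or from Microsoft: it reads the alert's "Query Start Time UTC" / "Query End Time UTC" values, validates them strictly (they arrive from alert data, so the script refuses anything that is not an exact UTC timestamp, an inverted range, or an oversized window), and builds the request body. The `SAMPLE_ADDITIONAL_DATA` dictionary, the `MAX_WINDOW` bound and the `SecurityEvent` query are constructed for the example; `post_query` is shown for completeness and is not executed.

```python
"""Build a Log Analytics REST query that covers exactly the Sentinel alert window.

Added example, not from the original thread.  Assumes the Azure Monitor
Log Analytics query API (POST https://api.loganalytics.io/v1/workspaces/{id}/query),
whose `timespan` field takes an ISO 8601 duration *or* an ISO 8601 interval
"start/end".  A bare duration such as PT1H30M is always relative to now, so it
cannot reproduce a past alert window; the interval form can.
"""
import json
import re
import urllib.request
from datetime import datetime, timedelta, timezone

# Constructed sample: the fields of the additionalData block a Sentinel alert carries.
SAMPLE_ADDITIONAL_DATA = {
    "Query Start Time UTC": "2021-05-27T19:22:07Z",
    "Query End Time UTC": "2021-05-27T20:22:07Z",
    "Query Period": "01:00:00",
    "Query": "SecurityEvent | where EventID == 4624 and LogonType == 10",
}

# Strict shape check: the timestamps come from alert data, so refuse anything
# that is not exactly a UTC RFC 3339 timestamp before it reaches the API.
_UTC_TS = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$")
_TS_FMT = "%Y-%m-%dT%H:%M:%SZ"
MAX_WINDOW = timedelta(days=30)  # assumption: a sane upper bound for one lookup


def parse_utc(value: str) -> datetime:
    """Parse a UTC timestamp of the exact form 2021-05-27T19:22:07Z, else raise."""
    if not isinstance(value, str) or not _UTC_TS.match(value):
        raise ValueError(f"not a UTC timestamp: {value!r}")
    return datetime.strptime(value, _TS_FMT).replace(tzinfo=timezone.utc)


def alert_window(additional_data: dict) -> tuple:
    """Return (start, end) from the alert's additionalData, rejecting bad ranges."""
    start = parse_utc(additional_data["Query Start Time UTC"])
    end = parse_utc(additional_data["Query End Time UTC"])
    if end <= start:
        raise ValueError("Query End Time UTC must be after Query Start Time UTC")
    if end - start > MAX_WINDOW:
        raise ValueError(f"window {end - start} exceeds {MAX_WINDOW}")
    return start, end


def iso_interval(start: datetime, end: datetime) -> str:
    """ISO 8601 interval accepted by the API's timespan field: start/end."""
    return f"{start.strftime(_TS_FMT)}/{end.strftime(_TS_FMT)}"


def build_request_body(additional_data: dict) -> dict:
    """Query body for POST .../query; the window is a separate field, not
    concatenated into the KQL, so the dynamic query text is left untouched."""
    start, end = alert_window(additional_data)
    return {"query": additional_data["Query"], "timespan": iso_interval(start, end)}


def post_query(workspace_id: str, body: dict, bearer_token: str) -> dict:
    """Send the query (not executed in this example; needs a token for api.loganalytics.io)."""
    req = urllib.request.Request(
        f"https://api.loganalytics.io/v1/workspaces/{workspace_id}/query",
        data=json.dumps(body).encode(),
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(json.dumps(build_request_body(SAMPLE_ADDITIONAL_DATA), indent=2))
```

For the sample alert this yields `"timespan": "2021-05-27T19:22:07Z/2021-05-27T20:22:07Z"`, i.e. exactly the hour the analytic rule evaluated. The API applies that window on top of any time filter already inside the query, so the interval is the right place for the alert bounds; appending a `| where TimeGenerated between (...)` clause to an arbitrary, dynamically supplied query is fragile, because the query may already have summarized `TimeGenerated` away.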

3 Replies

@madmvx 

Try adding the following to the top of the KQL:

 

set query_datetimescope_from = datetime(2021-05-27T19:22:07Z);
set query_datetimescope_to = datetime(2021-05-27T20:22:07Z);

 

Not working, it gives all items from the last 7 days.
Please attach a screen capture of the modified "GetAnalyticsTable" connector.