ago()
Subtracts the given timespan from the current UTC time.
Like now(), if you use ago() multiple times in a single query statement, the current UTC time being referenced will be the same across all uses.
Syntax
ago(timespan)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| timespan | timespan | ✓ | The interval to subtract from the current UTC clock time now(). |
Returns
now() - timespan
Example
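Event counts per data source for the past five minutes, excluding data sources whose name contains "ASA" (case-sensitive match), limited to the 10 data sources with the most events: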
```kql
events
| project original_time, data_source_name
// Keep only events newer than five minutes, from data sources without "ASA" in the name.
| where original_time > ago(5m)
    and data_source_name !contains_cs "ASA"
| summarize EventCount=count() by DataSourceName=data_source_name
| project DataSourceName, EventCount
| sort by EventCount
| take 10
```
Results
| DataSourceName | EventCount |
|---|---|
| CheckPointSource1 | 102394 |
| CheckPointSource2 | 101391 |
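
The note above that every ago() call in one statement references the same current UTC time matters when two calls bound a window. The query below is an added example, not part of the original page; it reuses the table and column names from the example above and assumes the same data. It counts events in the five-minute window that ended five minutes ago, which can be compared with the results above to spot a data source whose volume has dropped.

```kql
// Added example (not from the original page).
// Both ago() calls resolve against the same now(), so the window is exactly
// five minutes wide and meets the "> ago(5m)" window above with no gap or overlap.
events
| project original_time, data_source_name
| where original_time > ago(10m)
    and original_time <= ago(5m)
    and data_source_name !contains_cs "ASA"
| summarize PreviousCount=count() by DataSourceName=data_source_name
| project DataSourceName, PreviousCount
| sort by PreviousCount
| take 10
```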