This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 8%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGP%3C/text%3E%3C/svg%3E)
Hello,
I'm working on a playbook to report on zero events from CAPAMAuditLog.The query below looks in the CAPAMAuditLog table and provides the count of events for the last 2 hours excluding Saturday and Sunday.
I also want to include only office hours(9am-6pm) in the query. How can I best achieve this?
Thank you!
let Saturday = time(6.00:00:00);
let Sunday = time(0.00:00:00);
CAPAMAuditLog
| where TimeGenerated > ago(2h)
| where dayofweek(TimeGenerated) != Saturday
| where dayofweek(TimeGenerated) != Sunday
| count
Add an extra filter:
| where datetime_part("hour", TimeGenerated) between (9 .. 18)
I have a playbook scheduled to run every 30mins.
Does the below makes sense now? or shall I remove the line | where TimeGenerated > ago(2h)
let Saturday = time(6.00:00:00);
let Sunday = time(0.00:00:00);
CAPAMAuditLog
| where TimeGenerated > ago(2h)
| where dayofweek(TimeGenerated) != Saturday
| where dayofweek(TimeGenerated) != Sunday
| where datetime_part("hour", TimeGenerated) between (9 .. 18)
| count
asdfdaf