![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(259.20000000000005, 12%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Azure Data Explorer
An Azure data analytics service for real-time analysis on large volumes of data streaming from sources including applications, websites, and internet of things devices.
508 questions
Hello @ADX ,
Thanks for the question and using MS Q&A platform.
You can make a cross join and then summarize over the "smallest greater TimeStamp" as shown below:
let test = datatable(AlarmCode:int, TimeStamp:datetime, Description:string)
[
4, datetime(2022-04-04,09:09:10), "Smoke Detected",
1, datetime(2022-04-04,09:10:10), "Sensor activated for too long",
0, datetime(2022-04-04,09:12:10), "OK",
2, datetime(2022-04-04,10:20:10), "Weight on the scale",
1, datetime(2022-04-04,10:20:10), "Sensor activated for too long",
0, datetime(2022-04-04,10:20:25), "OK"
];
test
| where Description != 'OK'
| extend _key = 1
| join kind=inner (
test
| where Description == 'OK'
| extend _key = 1
) on _key
| where TimeStamp1 > TimeStamp
| summarize arg_min(TimeStamp1, *) by AlarmCode,TimeStamp
| project AlarmCode, TimeStamp, Description, AlarmStartTime=TimeStamp, ResetTime=TimeStamp1
By using the above code, you will get expected output format:
Hope this will help. Please let us know if any further queries.
------------------------------
- Please don't forget to click on
or upvote 
button whenever the information provided helps you. Original posters help the community find answers faster by identifying the correct answer. Here is how - Want a reminder to come back and check responses? Here is how to subscribe to a notification
- If you are interested in joining the VM program and help shape the future of Q&A: Here is how you can be part of Q&A Volunteer Moderators