ago()
Subtracts the given timespan from the current UTC time.
Like now(), if you use ago() multiple times in a single query statement, the current UTC time
being referenced will be the same across all uses.
Syntax
ago(timespan)
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| timespan | timespan | ✓ | The interval to subtract from the current UTC clock time now(). |
Returns
A datetime value now() - a_timespan
Example
All rows with a timestamp in the past hour:
T | where Timestamp > ago(1h)