Using Azure Data Explorer (https://dataexplorer.azure.com/), I ran both queries below.
First Query (Total Count):
AppRequests | where TimeGenerated >= datetime("2024-03-28") and TimeGenerated < datetime("2024-03-29") | count
In this query, we directly count all records without any summarization. It provides the total count of events within the specified time range.
Second query:
AppRequests
| where TimeGenerated >= datetime("2024-03-28") and TimeGenerated < datetime("2024-03-29")
In this corrected query, we filter AppRequests based on the same time range as the first query without any summarization.
I would expect the total number of records of the 2nd query to match the result set of the first query. Yet I have a difference. The first query gets a total number above 80k while the 2nd query gets me about 35k records.
How is this possible?
When breaking down that query per hour instead:
AppRequests | where TimeGenerated >= datetime("2024-03-28 17:00:00") and TimeGenerated < datetime("2024-03-28 17:59:59")
and so forth, I had a match when adding the count pipe.