The query below returns no records when tested in a Log Analytics workspace. However, when deployed in the prod environment, i.e. when the alert is activated, it creates alert incidents. When I run the exact query with the same timestamp as that of the prod run, no output is displayed. What could be the reason for this, and what could be a possible fix?
I tried converting any datetime field to datetime via todatetime(), but to no avail.
Description
I was running a query wherein I built a custom table containing 2 columns, i.e. trigger name and expected trigger date. The second table is Log Analytics's ADFTriggerRun table. I was trying to do a left-anti join on the identity field, which is the concatenation of trigger name and trigger scheduled time for the ExpectedTriggers table and the concatenation of trigger name and actualTriggerTime.
'trigger_a' exists in my ADF, and hence ideally no results are output unless the trigger has been missed.
```kusto
// query to check for any missing triggers in adf
let currentDateTime = now();
let trigger_list = pack_array("trigger_a");
let year = datetime_part("year", currentDateTime);
let month = datetime_part("month", currentDateTime);
let day = datetime_part("day", currentDateTime);
let hour = datetime_part("hour", currentDateTime);
let minute_00 = "00";
let newCurrentDateTime = todatetime(strcat(month, '/', day, '/', year, ' ', hour, ':', minute_00));
let lookback_interval = 1h;
let scheduledStartTime = newCurrentDateTime - lookback_interval;
// to round off the actual time if there is any small deviation in the range of a minute
let roundToMinute = (timestamp: datetime) {
    let secondPart = datetime_part("second", timestamp);
    bin(datetime_add('minute', iff(secondPart / 10 >= 1, 1, 0), timestamp), 1m)
};
// creates a table for trigger_a with timestamps every 15 mins for a particular hour
let ExpectedTriggers = range StartTime from scheduledStartTime to newCurrentDateTime - 15m step 15m
    | extend expectedTriggerTime = todatetime(StartTime)
    | extend Title = strcat("Missed Triggers for ADF at Trigger Time: ", expectedTriggerTime)
    | project
        TriggerName = trigger_list[0],
        expectedTriggerTime,
        identity = strcat(trigger_list[0], "-", expectedTriggerTime),
        Title;
// filters a small amount of data from the preexisting log analytics table
let ActualTriggerRuns =
    ADFTriggerRun
    | where TriggerName in (trigger_list)
    | extend actualTriggerTime = roundToMinute(Start)
    | project
        actualTriggerTime,
        identity = strcat(TriggerName, "-", actualTriggerTime),
        TriggerName;
ExpectedTriggers
| join kind = leftanti (
    ActualTriggerRuns
    | where actualTriggerTime >= scheduledStartTime and actualTriggerTime < scheduledStartTime + lookback_interval)
    on identity
| project
    Title,
    TriggerName,
    expectedTriggerTime,
    identity
```
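One thing worth checking when a left-anti join fires as an alert but returns nothing on a later manual run is whether the ADFTriggerRun rows became queryable only after the alert had evaluated. The diagnostic below is an added example, not part of the original post; it assumes `ingestion_time()` is available on the workspace table and that the alert evaluates close to the top of each hour, and the column names `ingestedAt`, `ingestionDelay`, `windowEnd` and `arrivedAfterWindow` are introduced here for illustration.

```kusto
// Added diagnostic (not the poster's query): measure how long after its
// Start time each trigger run became queryable in the workspace.
let trigger_list = pack_array("trigger_a");
ADFTriggerRun
| where TimeGenerated > ago(1d)
| where TriggerName in (trigger_list)
// ingestion_time() is the moment the row was ingested into the table
| extend ingestedAt = ingestion_time()
| extend ingestionDelay = ingestedAt - Start
// End of the one-hour window the run falls into. The original query only
// looks at the previous full hour, so this is the earliest moment it
// would search for this run.
// Assumption: the alert evaluates close to this boundary.
| extend windowEnd = bin(Start, 1h) + 1h
// true = the row was not yet queryable when its window closed, so an
// evaluation at that moment would have reported the trigger as missed
| extend arrivedAfterWindow = ingestedAt > windowEnd
| project
    TriggerName,
    Start,
    TimeGenerated,
    ingestedAt,
    ingestionDelay,
    windowEnd,
    arrivedAfterWindow
| order by Start desc
```

Rows with `arrivedAfterWindow == true` around the times the incidents were created would be consistent with the alert having run before the data landed; compare `ingestedAt` against the actual evaluation times recorded on the alert rule.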