Fabric RTI 101: Working with Time Series in KQL

In KQL, time is one of the most important concepts — it’s central to how telemetry and log data are analyzed.

Most KQL datasets include a Timestamp column, and nearly every query begins by filtering to a specific time range.

You can do that using a where clause, such as:

| where Timestamp between (ago(1h) .. now())

This filters your events to just those that occurred within the last hour. It’s an efficient way to narrow down large datasets quickly.

Once you’ve filtered by time, you’ll often want to group events into time intervals to see trends. The bin() function does exactly that — it rounds timestamps to even intervals like 1 minute, 5 minutes, or 1 hour. For example:

| summarize AvgCPU = avg(CPUUsage) by bin(Timestamp, 1m)

This query calculates the average CPU usage for each one-minute window, which makes it easy to visualize how performance changes over time.

This process — grouping and aggregating by time — is what enables trend detection and anomaly analysis. Once you have data binned into intervals, you can compare current values against historical patterns to identify unusual behavior or predict what might happen next.

In other words, time-binning forms the foundation for advanced analytics in KQL — from simple moving averages to full-fledged forecasting. It’s one of the most powerful patterns in the language, and you’ll use it constantly when working with telemetry or streaming data.
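The steps above (filter by time, bin, then compare each interval against a baseline) can be put together in one query. This is an added example, not code from the original post: the Telemetry table, its generated readings, and the 2.0 threshold are constructed for illustration, while Timestamp and CPUUsage follow the column names used above.

```kql
// Constructed sample data: one reading every 20 seconds for the last 30 minutes,
// with a short CPU spike injected roughly 10 minutes ago.
let Telemetry =
    range i from 0 to 89 step 1
    | extend Timestamp = ago(30m) + i * 20s
    | extend CPUUsage = iff(i between (57 .. 62), 95.0, 30.0 + (i % 5))
    | project Timestamp, CPUUsage;
// Step 1: restrict to the time range. Step 2: aggregate into one-minute bins.
let Binned =
    Telemetry
    | where Timestamp between (ago(1h) .. now())
    | summarize AvgCPU = avg(CPUUsage) by bin(Timestamp, 1m);
// Step 3: derive a baseline from the binned history itself.
let Baseline = toscalar(Binned | summarize avg(AvgCPU));
let Spread = toscalar(Binned | summarize stdev(AvgCPU));
// Step 4: score every bin against the baseline and flag the outliers.
// The 2.0 cut-off is an assumed threshold; tune it to your own data.
Binned
| extend ZScore = iff(Spread == 0, 0.0, (AvgCPU - Baseline) / Spread)
| extend IsUnusual = abs(ZScore) > 2.0
| order by Timestamp asc
```

Because the baseline is computed from the same window, a long-running spike raises the baseline and hides itself; for production use, compute the baseline over an earlier, longer period than the window being scored.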

Learn more about Fabric RTI

If you want to learn more about RTI, we have an online on-demand course that you can enrol in right now. You’ll find it at Mastering Microsoft Fabric Real-Time Intelligence

2026-06-14