How do I get one record per day for the last 30 days for each unique ID in Kusto?

Question

My data source is "Metadata". Each device has a unique ID, and can check in multiple times per day. I want to come up with a Kusto query that returns one record per day for the last 30 days for each deviceID. Here is my current formula:

Metadata
| project-rename['Metadata.deviceID']=deviceID, ['Metadata.appName']=appName, ['Metadata.appVersion']=appVersion, ['Metadata.timeZone']=timeZone
| where (dateTimeUtc >= __sql_substract(now(), 30))
| summarize   appName=max(['Metadata.appName']), deviceID=max(['Metadata.deviceID']), appVersion=max(['Metadata.appVersion']), timeZone=max(['Metadata.timeZone']) by bin(dateTimeUtc, 1d)
| project dateTimeUtc, appName, appVersion, timeZone, deviceID

This returns 1 record per day rather than 1 record per day per deviceID. If I remove bin() and just use "by dateTimeUtc", more than one record per deviceID per day is returned. How do I get one record per day for the last 30 days for each deviceID?

Answer 1

Would this get you the desired result?

(using arg_max(): https://docs.microsoft.com/en-us/azure/kusto/query/arg-max-aggfunction)

let Metadata = datatable(deviceID:string, appName:string, appVersion:string, timeZone:string, dateTimeUtc:datetime)
[
    "d1", "a1", "v1", "PST", datetime(2018-12-01 15:53),
    "d1", "a2", "v2", "PST", datetime(2018-12-01 12:01),
    "d1", "a1", "v3", "UTC", datetime(2018-12-03 16:47:22),
    "d1", "a2", "v4", "PST", datetime(2018-12-03 14:34:22),
    "d2", "a2", "v2", "UTC", datetime(2018-11-30 15:54:22),
    "d2", "a1", "v3", "PST", datetime(2018-11-30 14:53:22),
    "d2", "a2", "v4", "UTC", datetime(2018-12-01 15:52:22),
    "d2", "a1", "v1", "PST", datetime(2018-12-01 12:51:22)    
];
Metadata
| where dateTimeUtc between (datetime(2018-11-01 15:53) .. datetime(2018-12-05 15:53))
| summarize arg_max(dateTimeUtc, *) by deviceID, startofday(dateTimeUtc)
| project-away dateTimeUtc1

Results in these results: