Log Analytics - calculate daily ingested data with moving average

If you need to know how much billable data is ingested into a given Log Analytics workspace (with or without the Sentinel solution installed), use the following KQL query:

```kql
//configure lookback period
let lookback = 90d;
Usage
//include only billable data and remove current day in time filter
| where TimeGenerated between(ago(lookback)..now(-1d)) and IsBillable == true
| project TimeGenerated, Quantity
//create series representing data ingested per day (converted from MB to GB; change the divisor to 1024 if you prefer the binary definition of gigabyte (GiB))
| make-series DailyIngestionGB=sum(Quantity/1000) default=0 on TimeGenerated step 1d
//calculate moving average with FIR function using fixed size filter (5) of equal coefficients
| extend MovingAvg = series_fir(DailyIngestionGB,repeat(1, 5))
| project TimeGenerated, DailyIngestionGB, MovingAvg
//render on a line graph: the X-axis represents time points, the Y-axis represents the sum of ingested data on a given day and the moving average calculated for that day
| render timechart with (xtitle = "Date", ytitle = "Ingested data (GB)")
```

As output you will receive a line chart with two Y-axis lines representing:

  • Sum of ingested, billable data on a given day.
  • Moving average calculated using the series_fir() (finite impulse response) function. series_fir() calculates a rolling average over a constant time window (one day in this case) on the input dataset. Using a moving average lets you see the trend more clearly by filtering out the noise from ingestion fluctuations (e.g. on weekends).
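As an added example (not part of the original query or repository), the same moving average can be computed per DataType and used to list days whose ingestion deviates sharply from it, which surfaces both cost spikes and log sources that have gone quiet. The thresholds spikeRatio and dropRatio, the window variable, and the whole-day alignment of the time range are assumptions of this example.

```kql
// Added example: list days where billable ingestion per DataType deviates from its moving average
let lookback = 90d;
let window = 5;          // same filter size as the query above
let spikeRatio = 1.5;    // assumed threshold: day is at least 50% above the moving average
let dropRatio = 0.5;     // assumed threshold: day is at most 50% of the moving average
// align the range to whole days so no bin is partially filled (a choice of this example)
let startTime = startofday(ago(lookback));
let endTime = startofday(now());
Usage
| where TimeGenerated >= startTime and TimeGenerated < endTime and IsBillable == true
// one series per table; the explicit range keeps zero-ingestion days at the end of a series
| make-series DailyIngestionGB=sum(Quantity/1000) default=0 on TimeGenerated from startTime to endTime step 1d by DataType
| extend MovingAvg = series_fir(DailyIngestionGB, repeat(1, window))
// expand the series back to rows, keeping each point's position in the series
| mv-expand with_itemindex=Idx TimeGenerated to typeof(datetime), DailyIngestionGB to typeof(double), MovingAvg to typeof(double)
// skip the first (window - 1) points so every compared point has a full window behind it
| where Idx >= window - 1
| extend Ratio = iff(MovingAvg > 0, DailyIngestionGB / MovingAvg, real(null))
| where Ratio >= spikeRatio or Ratio <= dropRatio
| project TimeGenerated, DataType, DailyIngestionGB=round(DailyIngestionGB, 2), MovingAvg=round(MovingAvg, 2), Ratio=round(Ratio, 2)
| sort by TimeGenerated desc, DataType asc
```

A day with zero ingestion for a table that normally reports produces a Ratio of 0 and is listed as a drop, which is usually worth checking as a possible collection gap.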


Helpful sources


All work is licensed under a Creative Commons Attribution 4.0 International License.