If you need information about the size of billable data ingested into a given Log Analytics workspace (with or without the Sentinel solution installed), use the following KQL query:
//configure lookback period
let lookback = 90d;
Usage
//include only billable data and remove current day in time filter
| where TimeGenerated between(ago(lookback)..now(-1d)) and IsBillable == true
| project TimeGenerated, Quantity
//create a series representing data ingested per day (converted from MB to GB; change the divisor to 1024 if you prefer the binary definition of a gigabyte (GiB))
| make-series DailyIngestionGB=sum(Quantity/1000) default=0 on TimeGenerated step 1d
//calculate a moving average with the FIR function using a fixed-size filter (5 taps) of equal coefficients; with all coefficients positive, series_fir normalizes them so the result is a plain average
| extend MovingAvg = series_fir(DailyIngestionGB,repeat(1, 5))
| project TimeGenerated, DailyIngestionGB, MovingAvg
//render as a line chart: the X-axis represents time points, the Y-axis represents the sum of ingested data in a given day and the calculated moving average for that day
| render timechart with (xtitle = "Date", ytitle = "Ingested data (GB)")
As output you will receive a line chart with two lines representing:
- The sum of ingested, billable data in a given day.
- The moving average calculated using the series_fir() (finite impulse response) function. series_fir() calculates a rolling average over a constant-size window of 1-day bins (the filter length set above) on the input series. Using a moving average lets you see the trend more clearly by filtering out the noise from ingestion fluctuations (e.g. on weekends).
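To make explicit what the moving-average step computes, here is an added Python reimplementation (not from the original post, and not Kusto's own code) of series_fir with equal coefficients, run over constructed daily ingestion figures. It assumes series_fir's defaults of normalize=true and center=false, with points outside the series counted as 0, which is why the first filter-length-minus-one values of the chart are biased low.

```python
from typing import List, Sequence

# Constructed sample: 14 days of billable ingestion in GB with weekend dips
# (days 5-6 and 12-13). Made-up numbers, not from a real workspace.
SAMPLE_DAILY_GB: List[float] = [
    10.0, 11.0, 10.5, 12.0, 11.5, 4.0, 3.5,
    10.8, 11.2, 10.9, 12.3, 11.7, 4.2, 3.8,
]


def fir_moving_average(series: Sequence[float], taps: int,
                       center: bool = False) -> List[float]:
    """Apply a length-`taps` FIR filter of equal coefficients to `series`.

    Assumption: mirrors series_fir(series, repeat(1, taps)) with normalize=true
    (coefficients sum to 1) and center=false (window looks backwards from the
    current point). Out-of-range points contribute 0, so the first taps-1
    outputs (or taps//2 at each end when centered) do not see a full window.
    """
    if taps <= 0:
        raise ValueError("filter length must be positive")
    coeff = 1.0 / taps  # normalized equal coefficients
    # offset of the first tap relative to the current point
    start = -(taps // 2) if center else -(taps - 1)
    out: List[float] = []
    for i in range(len(series)):
        acc = 0.0
        for k in range(taps):
            j = i + start + k
            if 0 <= j < len(series):
                acc += coeff * series[j]
        out.append(round(acc, 4))
    return out


def warmup_points(taps: int, center: bool = False) -> int:
    """Number of leading outputs computed from an incomplete window."""
    return taps // 2 if center else taps - 1


if __name__ == "__main__":
    avg = fir_moving_average(SAMPLE_DAILY_GB, 5)
    for day, (raw, smoothed) in enumerate(zip(SAMPLE_DAILY_GB, avg)):
        flag = " (warm-up)" if day < warmup_points(5) else ""
        print(f"day {day:2d}: raw={raw:5.1f} GB  avg={smoothed:6.2f} GB{flag}")
```

When reading the chart, ignore the first four days of the MovingAvg line (or shorten the lookback by nothing and simply extend it so the warm-up falls outside the period you care about).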
Helpful sources
All work is licensed under a Creative Commons Attribution 4.0 International License.