Query Details
Data Calculate Percentageper Table
Query
//Calculate the percentage that each table in your Sentinel workspace is contributing to total ingestion for billable data
//Data connector required for this query - Usage (generated automatically on a log analytics workspace)
Usage
| where TimeGenerated > ago(30d)
| where IsBillable == "true"
| summarize ['Table size in GB']=sum(Quantity / 1024) by DataType
| as T
| extend Percentage = round(100.0 * ['Table size in GB'] / toscalar (T
| summarize sum(['Table size in GB'])), 2)
| project-reorder DataType, ['Table size in GB'], Percentage
| sort by Percentage desc
Explanation
This query calculates the percentage of data ingestion contributed by each table in your Sentinel workspace. It filters the usage data for the past 30 days and only includes billable data. It then calculates the size of each table in gigabytes and calculates the percentage it contributes to the total size of all tables. The results are sorted in descending order of percentage.
Details
Matt Zorich
Released: November 4, 2022
Tables
Usage
Keywords
Usage,TimeGenerated,IsBillable,DataType,Quantity,T,Percentage
Operators
|,where,TimeGenerated,>,ago,30d,IsBillable,==,"true",summarize,['Table size in GB'],=,sum,(/,Quantity,1024),by,DataType,as,T,extend,Percentage,=,round,(100.0,*,['Table size in GB'],/,toscalar,(T,|,summarize,sum,['Table size in GB'])),2,project-reorder,DataType,['Table size in GB'],Percentage,sort,by,Percentage,desc