Query Details
// This solution looks at the average size per record in a table, then takes that number and applies it to the logs you want to ingest.

// Average size per record. Run this in Log Analytics.
// Usage.Quantity is reported in MB, so multiplying by 1024 gives KB.
let TotalSizeInKb = toscalar(
    Usage
    | where TimeGenerated >= ago(30d)
    | summarize TotalSizeInKb = sum(Quantity * 1024) by DataType
    | where DataType == "DeviceEvents"
    | project TotalSizeInKb
);
let NumOfRecords = toscalar(
    DeviceEvents
    | where TimeGenerated >= ago(30d)
    | summarize NumOfRecords = count()
);
let AvgSizeInKb = todecimal(TotalSizeInKb / NumOfRecords);
print AvgSizePerRecordInKb = AvgSizeInKb

// Take the above number and apply it to the total records for the sources you want to ingest.
// The following example is for Defender for Endpoint. Run it in the Advanced Hunting area at security.microsoft.com
DeviceEvents
| union DeviceFileEvents, DeviceInfo, DeviceNetworkInfo, DeviceProcessEvents, DeviceNetworkEvents, DeviceRegistryEvents, DeviceLogonEvents, DeviceImageLoadEvents, DeviceFileCertificateInfo
| count

// Using estimate_data_size() to get log sizes for Defender for Endpoint
DeviceEvents
| union DeviceFileEvents, DeviceInfo, DeviceNetworkInfo, DeviceProcessEvents, DeviceNetworkEvents, DeviceRegistryEvents, DeviceLogonEvents, DeviceImageLoadEvents, DeviceFileCertificateInfo
| project size = estimate_data_size(*)
| summarize TableSizeInMB = sum(size) / 1000 / 1000
The first query calculates the average size per record in a table so that the number can be applied to the logs you want to ingest. It reads the Usage table to get the total ingested size in kilobytes for a specific data type (here DeviceEvents) over the past 30 days, then counts the number of records in that table for the same period. Dividing the total size by the record count gives the average size per record, printed as AvgSizePerRecordInKb.
To apply that average to the sources you want to ingest, use the second query. It unions the Defender for Endpoint tables and counts the total number of records; multiplying that count by AvgSizePerRecordInKb gives an estimate of the ingestion volume for those sources. The third query takes a different route and uses estimate_data_size() over the same tables to sum an estimated size in MB directly.
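The first query assumes every Defender table averages the same record size as DeviceEvents. As an added example (not part of the original query), the following Log Analytics query generalizes that step to a per-table average by joining Usage against a wildcard union of whatever Device* tables are already ingested; the 30-day window, the Device* prefix and the column names are the assumptions.

```kusto
// Added example: per-table average record size for all Device* tables already in the workspace.
// Assumes at least one Device* table is ingested and that Usage.DataType matches the table name.
let window = 30d;
Usage
| where TimeGenerated >= ago(window) and IsBillable == true
| where DataType startswith "Device"
// Usage.Quantity is in MB; convert to KB to match the original query
| summarize TotalSizeInKb = sum(Quantity) * 1024 by DataType
| join kind=inner (
    // withsource= adds a column holding the name of the table each row came from
    union withsource=DataType Device*
    | where TimeGenerated >= ago(window)
    | summarize NumOfRecords = count() by DataType
) on DataType
| extend AvgSizePerRecordInKb = TotalSizeInKb / NumOfRecords
| project DataType, NumOfRecords, TotalSizeInKb, AvgSizePerRecordInKb
| order by AvgSizePerRecordInKb desc
```

Multiply each table's AvgSizePerRecordInKb by that table's record count from Advanced Hunting for a per-source estimate; note that estimate_data_size() reports an approximate in-memory size, so it will not match billed volume exactly.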

Rod Trent
Released: October 14, 2021