Query Details

EPS per Table

Query

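//Average EPS for a table. Change the table name (SecurityEvent) as needed

// Assumed average event size in bytes
let bytes_ = 500;
SecurityEvent
// Time window to average over
| where TimeGenerated > startofday(ago(1d))
// Events per one-minute bin
| summarize count() by bin(TimeGenerated, 1m)
// Divide by 60.0, not 60: long / long is integer division and truncates EPS
| extend EPS = count_ / 60.0
// avg(EPS) * bytes_ is bytes per second, so estimatedGBytes is GB per second at the average rate
| summarize avg(EPS), estimatedGBytes = (avg(EPS) * bytes_) / (1024 * 1024 * 1024)
| sort by toint(estimatedGBytes) desc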

Explanation

This query calculates the average EPS (Events Per Second) for a table. It filters the SecurityEvent table for events generated in the last 24 hours, groups them by minute, and calculates the EPS by dividing the count of events by 60. It then calculates the average EPS and estimates the amount of data generated in gigabytes based on a given byte size. Finally, it sorts the results in descending order based on the estimated gigabytes.
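Two details of this calculation are easy to get wrong in KQL: dividing a long count by the integer 60 truncates the result, and average EPS multiplied by the event size is a per-second rate rather than a daily volume. The following is an added example, not part of the original query. It runs over a constructed datatable instead of a real table, and the column names EPS_int, EPS_real, PeakEPS and GBPerDay are assumptions introduced here to show both effects side by side.

```kql
// Constructed per-minute event counts (sample data, not from a real workspace)
let bytes_ = 500;   // assumed average event size in bytes, as in the query above
datatable(TimeGenerated: datetime, count_: long) [
    datetime(2023-07-18 00:00:00), 45,
    datetime(2023-07-18 00:01:00), 90,
    datetime(2023-07-18 00:02:00), 150,
    datetime(2023-07-18 00:03:00), 30
]
// long / long truncates: 45/60 becomes 0 and 90/60 becomes 1
| extend EPS_int = count_ / 60,
         EPS_real = count_ / 60.0
// Compare the truncated average with the real one, and keep the busiest minute
| summarize AvgEPS_int = avg(EPS_int),
            AvgEPS_real = avg(EPS_real),
            PeakEPS = max(EPS_real)
// bytes per second * 86400 seconds = bytes per day, then convert to GB
| extend GBPerDay = AvgEPS_real * bytes_ * 86400 / (1024.0 * 1024 * 1024)
```

For low-volume tables the truncated average can drop to zero, which makes the size estimate zero as well.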

Details


Rod Trent

Released: July 19, 2023

Tables

SecurityEvent

Keywords

Average,EPS,Table,Tablename,Bytes,SecurityEvent,TimeGenerated,Startofday,Ago,Count,Bin,Extend,Summarize,Avg,EstimatedGBytes,Sort,Toint,Desc

Operators

where, summarize, by, bin, extend, avg, estimatedGBytes, sort, toint, desc
