KQL Search

Query Details

HomeAI ToolsDevice Query

Average Daily Ingestion Per Table And Plan

Query

# Average Daily Ingestion per Table and Plan

# Description

The following query calculates the average daily ingestion for each table and plan over the last Timeframe of days as defined in the let statement. It also allows you to define the size of fractional part to fit your need and attention to detail. This query help baseline normal usage and identify outliers.

### Microsoft Sentinel
```
let Timeframe = 30d; // Define the required Timeframe
let decfra = 2; // Determine the size of fractional part to fit your need
Usage
| where TimeGenerated >= startofday(ago(Timeframe))
| where IsBillable == true
| summarize DailyGB = sum(Quantity) / 1000.0 by bin(TimeGenerated, 1d), DataType, Plan
| summarize AvgDailyGB = round(avg(DailyGB), decfra) by DataType, Plan
| order by AvgDailyGB desc
```

### Versioning
| Version       | Date          | Comments                               |
| ------------- |---------------| ---------------------------------------|
| 1.0           | 17/05/2026    | Initial publish                        |

Explanation

This query is designed to calculate the average daily data ingestion for each table and plan over a specified period, which is set to 30 days by default. It focuses on billable data and helps establish a baseline for normal usage while identifying any unusual patterns or outliers.

Here's a simple breakdown of what the query does:

  1. Timeframe Definition: It sets a period of 30 days to look back from the current date to analyze data ingestion.

  2. Fractional Precision: It allows you to specify how many decimal places you want in the results, with a default of 2 decimal places.

  3. Data Filtering: It filters the data to include only those records that are billable and have been generated within the last 30 days.

  4. Daily Ingestion Calculation: It calculates the total data ingested each day (in gigabytes) for each data type and plan.

  5. Average Calculation: It computes the average daily ingestion over the specified timeframe for each data type and plan, rounding the result to the specified number of decimal places.

  6. Ordering Results: Finally, it sorts the results in descending order based on the average daily ingestion, so you can easily see which tables and plans have the highest average ingestion.

This query is useful for monitoring and managing data usage, ensuring that you can quickly spot any deviations from typical patterns.

Details

Michalis Michalos profile picture

Michalis Michalos

Released: May 17, 2026

Tables

Usage

Keywords

UsageDataTypePlanTimeGeneratedQuantity

Operators

letwherestartofdayagosummarizesumbinroundavgorder by

Actions