Query Details

Ingestion Per Server

Query

// Data Ingestion per Server (Computer)
// Identifies the noisiest servers by total data ingestion across all tables.
// Use to find over-reporting machines, misconfigured agents, or decommissioned
// servers still sending data.
// =====================================================================

// Assumed pay-as-you-go price in USD per GB; adjust to your region and commitment tier.
let Price = 3.0;
union withsource=TableName
    SecurityEvent, Syslog, Event, Heartbeat, CommonSecurityLog,
    Perf, ConfigurationData, WindowsFirewall
| where TimeGenerated > ago(7d)
| where isnotempty(Computer)
| summarize 
    TotalEvents = count(),
    // estimate_data_size(*) returns bytes; decimal MB (10^6 bytes) as used by Azure Monitor billing.
    SizeInMB = round(sum(estimate_data_size(*)) / 1000.0 / 1000.0, 2),
    Tables = make_set(TableName),
    TableCount = dcount(TableName),
    LastSeen = max(TimeGenerated)
    by Computer
| extend 
    // Keep the same decimal unit (1 GB = 1000 MB) so GB and cost figures agree with SizeInMB.
    SizeInGB = round(SizeInMB / 1000.0, 3),
    DailyAvgMB = round(SizeInMB / 7.0, 2),
    EstMonthlyCostUSD = round((SizeInMB / 1000.0 / 7.0) * 30 * Price, 2)
| project 
    Computer, SizeInGB, SizeInMB, DailyAvgMB,
    TotalEvents, TableCount, Tables,
    EstMonthlyCostUSD, LastSeen
| order by SizeInGB desc
| take 50

Explanation

This query is designed to identify the servers that are generating the most data across various tables over the past week. It helps in pinpointing servers that might be over-reporting, have misconfigured agents, or are decommissioned but still sending data. Here's a breakdown of what the query does:

  1. Data Source and Time Frame: It pulls data from several tables (like SecurityEvent, Syslog, Event, etc.) for the last 7 days.

  2. Filtering: It only considers records where the 'Computer' field is not empty.

  3. Aggregation: For each server (identified by 'Computer'), it calculates:

    • Total number of events.
    • Total data size in megabytes (MB) and gigabytes (GB).
    • A list of tables from which data was ingested.
    • The number of different tables contributing data.
    • The last time data was received from the server.

  4. Additional Calculations:

    • Average daily data size in MB.
    • Estimated monthly cost in USD for data ingestion, assuming a price of $3.00 per GB.

  5. Output: It displays the top 50 servers by data size in GB, showing details like the server name, data size, event count, table count, list of tables, estimated monthly cost, and the last time data was seen.

This query is useful for monitoring and managing data ingestion costs and identifying potential issues with server configurations.
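A top-50 list shows which servers are largest, not which ones have changed. The following is an added companion query, not part of the original, that uses the same tables and the same assumed $3.00 per GB price to compare each server's last 7 days against its own 30-day baseline, which is the pattern that surfaces a newly misconfigured agent or a decommissioned host that is still reporting:

```kql
// Added example: per-server ingestion spike detection over the same tables.
// Compares each Computer's average daily volume in the last 7 days with its
// average over the 30 days before that, so a server stands out against its own
// history rather than against the fleet-wide top-50 list.
let Price = 3.0;        // assumed USD per GB; adjust to your region and commitment tier
let SpikeRatio = 3.0;   // flag servers whose daily volume is at least 3x their baseline
union withsource=TableName
    SecurityEvent, Syslog, Event, Heartbeat, CommonSecurityLog,
    Perf, ConfigurationData, WindowsFirewall
| where TimeGenerated > ago(37d)
| where isnotempty(Computer)
| extend Bytes = estimate_data_size(*)
| summarize
    RecentBytes   = sumif(Bytes, TimeGenerated > ago(7d)),
    BaselineBytes = sumif(Bytes, TimeGenerated <= ago(7d)),
    RecentTables  = make_set_if(TableName, TimeGenerated > ago(7d)),
    LastSeen      = max(TimeGenerated)
    by Computer
// Decimal units (1 MB = 10^6 bytes, 1 GB = 1000 MB) to match Azure Monitor billing.
// Note: Heartbeat is a free data type, so its share slightly inflates the cost figure.
| extend
    RecentDailyMB   = round(RecentBytes / 1000000.0 / 7.0, 2),
    BaselineDailyMB = round(BaselineBytes / 1000000.0 / 30.0, 2)
| extend Ratio = iff(BaselineDailyMB > 0, round(RecentDailyMB / BaselineDailyMB, 2), real(null))
// NoBaseline = first seen within the last week (new build, or a host re-onboarded under a new name).
| where (BaselineDailyMB == 0 and RecentDailyMB > 0) or Ratio >= SpikeRatio
| extend
    Status = iff(BaselineDailyMB == 0, "NoBaseline", "Spike"),
    EstMonthlyCostUSD = round(RecentDailyMB * 30.0 / 1000.0 * Price, 2)
| project Computer, Status, Ratio, RecentDailyMB, BaselineDailyMB,
          EstMonthlyCostUSD, RecentTables, LastSeen
| order by Ratio desc
```

RecentTables tells you which table carries the growth, which is usually enough to tell an agent or data-collection-rule change apart from a genuine change in activity on the host.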

Details


David Alonso

Released: April 8, 2026

Tables

SecurityEvent, Syslog, Event, Heartbeat, CommonSecurityLog, Perf, ConfigurationData, WindowsFirewall

Keywords

Data Ingestion, Server, Computer, Tables, Events, Size, Cost

Operators

let, union, withsource, where, isnotempty, summarize, count, sum, estimate_data_size, round, make_set, dcount, max, by, extend, project, order by, desc, take
