Query Details
Ingestion Trend By Hour Of Day
Query
# Ingestion Trend by Hour of Day
# Description
The following query helps analyze ingestion patterns by hour to identify peak ingestion times for each plan. Query can be useful for capacity planning and detecting unusual activity windows.
### Microsoft Sentinel
```
let Timeframe = 7d; // Define the required Timeframe
Usage
| where TimeGenerated >= ago(Timeframe)
| where IsBillable == true
| extend Hour = datetime_part("hour", TimeGenerated)
| summarize IngestedGB = sum(Quantity) / 1000.0 by Hour, Plan
| evaluate pivot(Plan, sum(IngestedGB))
| order by Hour asc
| render columnchart
```
### Versioning
| Version | Date | Comments |
| ------------- |---------------| ---------------------------------------|
| 1.0 | 17/05/2026 | Initial publish |
Explanation
This query is designed to analyze data ingestion patterns by the hour over the past seven days. It helps identify peak times for data ingestion for different plans, which can be useful for capacity planning and spotting unusual activity periods. Here's a simple breakdown of what the query does:
-
Timeframe Definition: The query looks at data from the last seven days.
-
Data Filtering: It filters the data to include only records that are billable.
-
Hour Extraction: For each record, it extracts the hour from the timestamp when the data was generated.
-
Data Summarization: It calculates the total amount of data ingested (in gigabytes) for each hour and plan.
-
Data Pivoting: The data is reorganized to show the total ingested data for each plan by hour.
-
Sorting: The results are sorted by hour in ascending order.
-
Visualization: The final output is displayed as a column chart, making it easy to visualize the ingestion trends by hour.
This query is useful for understanding when the most data is ingested, which can help in planning for capacity and identifying any unusual patterns in data ingestion.
Details
Michalis Michalos
Released: May 17, 2026
Tables
Keywords
Operators