Query Details

Noise Heartbeat Frequency

Query

// Heartbeat Over-Reporting - Frequency Analysis
// Default heartbeat interval is 60 seconds. Machines reporting faster
// or with redundant agents (MMA + AMA) waste ingestion.
// =====================================================================

let _Window = 1d;
Heartbeat
| where TimeGenerated > ago(_Window)
| summarize 
    HeartbeatCount = count(),
    DistinctCategories = dcount(Category),
    Categories = make_set(Category),
    AgentVersions = make_set(Version),
    OSTypes = make_set(OSType)
    by Computer
| extend 
    ExpectedDaily = 1440,  // 60-sec interval = 1440/day
    ExcessHeartbeats = HeartbeatCount - 1440,
    OverReportPct = round((toreal(HeartbeatCount) - 1440.0) / 1440.0 * 100, 1)
| extend
    Issue = case(
        array_length(Categories) > 1, strcat("DUPLICATE AGENT: ", tostring(Categories), " - Remove redundant agent"),
        HeartbeatCount > 2880, "EXCESSIVE: >2x expected - Check heartbeat interval config",
        HeartbeatCount > 1800, "HIGH: >25% over expected - Review agent config",
        HeartbeatCount < 1000, "LOW: <70% expected - Agent may be intermittent",
        "NORMAL"
    ),
    WastedBytes = iff(HeartbeatCount > 1440, (HeartbeatCount - 1440) * 600, 0)  // ~600 bytes per heartbeat
| where Issue != "NORMAL"
| extend WastedMBDaily = round(toreal(WastedBytes) / 1024.0 / 1024.0, 3)
| project 
    Computer, 
    HeartbeatCount, ExpectedDaily, ExcessHeartbeats, OverReportPct,
    Categories, AgentVersions, 
    Issue, WastedMBDaily
| order by HeartbeatCount desc
| take 50

Explanation

This query is designed to analyze and identify computers that are over-reporting heartbeats, which can lead to unnecessary data ingestion and potential costs. Here's a simple breakdown of what the query does:

  1. Time Frame: It looks at heartbeat data from the last day (1d).

  2. Data Collection: For each computer, it counts the heartbeats received and collects the distinct categories (agent types), agent versions, and operating system types that reported.

  3. Expected vs. Actual: It calculates the expected number of heartbeats per day (1440, assuming a 60-second interval) and compares it to the actual count to find any excess.

  4. Issue Identification: It categorizes computers based on their heartbeat reporting:

    • Duplicate Agent: If multiple categories are detected, suggesting redundant agents.
    • Excessive Reporting: If the heartbeat count is more than twice the expected.
    • High Reporting: If the count is more than 25% over the expected.
    • Low Reporting: If the count is less than 70% of the expected, indicating possible issues.
    • Normal: If none of the above issues are detected.

  5. Data Waste Calculation: For computers with excessive heartbeats, it estimates the wasted data in megabytes.

  6. Output: It lists up to 50 computers with issues, sorted by the number of heartbeats, showing details like the number of heartbeats, expected count, excess heartbeats, percentage over the expected, categories, agent versions, identified issue, and wasted data in MB per day.

This helps identify and fix configurations that generate unnecessary heartbeat data, which in turn reduces ingestion cost.
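To check the thresholds above against known data before running the query in a workspace, the following Python mirrors the query's window filter, per-computer aggregation, ordered case() classification and waste estimate over constructed Heartbeat rows. This is an added example, not code from the original page or its author; the fleet, the reference time and the Category values "Direct Agent" and "Azure Monitor Agent" are assumptions made for the sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constants taken from the query: a 60-second interval gives 1440 heartbeats
# per day, and each Heartbeat row is assumed to cost ~600 bytes of ingestion.
EXPECTED_DAILY = 1440
BYTES_PER_HEARTBEAT = 600
WINDOW = timedelta(days=1)

# Constructed reference time standing in for now() in the query.
NOW = datetime(2026, 4, 8, 12, 0, 0)


def make_heartbeats(computer, category, version, os_type, interval_sec):
    """Constructed Heartbeat rows: one every interval_sec for the last 24 hours."""
    n = 86400 // interval_sec
    first = NOW - WINDOW + timedelta(seconds=interval_sec)
    return [
        {"TimeGenerated": first + timedelta(seconds=i * interval_sec),
         "Computer": computer, "Category": category,
         "Version": version, "OSType": os_type}
        for i in range(n)
    ]


def classify(count, categories):
    """Same ordered case() as the query: the first matching branch wins."""
    if len(categories) > 1:
        return f"DUPLICATE AGENT: {sorted(categories)} - Remove redundant agent"
    if count > 2 * EXPECTED_DAILY:
        return "EXCESSIVE: >2x expected - Check heartbeat interval config"
    if count > 1800:
        return "HIGH: >25% over expected - Review agent config"
    if count < 1000:
        return "LOW: <70% expected - Agent may be intermittent"
    return "NORMAL"


def analyze(rows, now=NOW):
    """Window filter, summarize by Computer, classify, project, order, take 50."""
    cutoff = now - WINDOW
    per_computer = defaultdict(lambda: {"count": 0, "Categories": set(),
                                        "AgentVersions": set(), "OSTypes": set()})
    for r in rows:
        if r["TimeGenerated"] <= cutoff:      # TimeGenerated > ago(_Window)
            continue
        agg = per_computer[r["Computer"]]
        agg["count"] += 1
        agg["Categories"].add(r["Category"])
        agg["AgentVersions"].add(r["Version"])
        agg["OSTypes"].add(r["OSType"])

    results = []
    for computer, agg in per_computer.items():
        count = agg["count"]
        issue = classify(count, agg["Categories"])
        if issue == "NORMAL":                  # where Issue != "NORMAL"
            continue
        excess = count - EXPECTED_DAILY
        wasted_bytes = excess * BYTES_PER_HEARTBEAT if count > EXPECTED_DAILY else 0
        results.append({
            "Computer": computer,
            "HeartbeatCount": count,
            "ExpectedDaily": EXPECTED_DAILY,
            "ExcessHeartbeats": excess,
            "OverReportPct": round(excess / EXPECTED_DAILY * 100, 1),
            "Categories": sorted(agg["Categories"]),
            "AgentVersions": sorted(agg["AgentVersions"]),
            "Issue": issue,
            "WastedMBDaily": round(wasted_bytes / 1024 / 1024, 3),
        })
    results.sort(key=lambda r: r["HeartbeatCount"], reverse=True)
    return results[:50]


# Constructed sample fleet (names, versions and Category values are assumptions).
SAMPLE_ROWS = (
    make_heartbeats("web01", "Azure Monitor Agent", "1.30", "Linux", 60)      # normal
    + make_heartbeats("db02", "Direct Agent", "10.20", "Windows", 60)         # MMA ...
    + make_heartbeats("db02", "Azure Monitor Agent", "1.30", "Windows", 60)   # ... plus AMA
    + make_heartbeats("app03", "Azure Monitor Agent", "1.30", "Linux", 20)    # 20-second interval
    + make_heartbeats("app04", "Azure Monitor Agent", "1.30", "Linux", 45)    # 45-second interval
    + make_heartbeats("legacy05", "Direct Agent", "10.20", "Windows", 120)    # 120-second interval
)
# One stale row outside the window, to show the ago(1d) filter at work.
SAMPLE_ROWS.append({"TimeGenerated": NOW - timedelta(days=2), "Computer": "web01",
                    "Category": "Azure Monitor Agent", "Version": "1.30", "OSType": "Linux"})

if __name__ == "__main__":
    for row in analyze(SAMPLE_ROWS):
        print(row["Computer"], row["HeartbeatCount"], row["Issue"], row["WastedMBDaily"])
```

Running it lists app03 (EXCESSIVE), db02 (DUPLICATE AGENT, because the category check comes before the count thresholds), app04 (HIGH) and legacy05 (LOW); web01 is dropped as NORMAL, and its stale row never enters the count.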

Details


David Alonso

Released: April 8, 2026

Tables

Heartbeat

Keywords

Heartbeat, Computer, Category, Version, OSType, Agent

Operators

let, |, where, >, ago, summarize, count, dcount, make_set, by, extend, =, -, round, toreal, *, case, array_length, strcat, tostring, <, iff, /, project, order by, desc, take
