Data ingestion for Specific data/ specific time period data in table.

94554605 40 Reputation points
2024-03-28T08:22:59+00:00

In Azure Sentinel I can calculate data ingestion for the whole table, but is there any way through which I can calculate the size of specific data?
Ex: In an Azure table, how much data was ingested in the last 1 hour.

Something like

Search criteria & then calculation of displayed data in terms of ingestion.

Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.

Accepted answer
  1. Clive Watson 5,711 Reputation points MVP
    2024-03-28T13:30:22.3633333+00:00

    You had most of it; you just needed _BilledSize, e.g.

    SecurityEvent 
    | where TimeGenerated > ago(4h)
    | where EventID == "4688"
    | summarize bytes_=sum(_BilledSize), GBytes=sum(_BilledSize)/(1024*1024*1024)
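
An added example, not part of the original thread: it goes beyond the single total in the answer above and breaks the billed volume of the filtered events down per hour and per computer. The 24-hour lookback, the 1-hour bin and the output column names are assumptions chosen for illustration.

```kql
// Added example (not from the thread): billed ingestion for a filtered slice
// of one table, per hour and per source computer.
// Assumptions: 24h lookback, 1h bins, and the output column names below.
let lookback = 24h;
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4688                  // the search criteria; EventID is compared as a number here
| where _IsBillable == true              // ignore records that are not charged for ingestion
| summarize
    Events      = count(),
    BilledBytes = sum(_BilledSize)       // _BilledSize is the billed size of each record in bytes
    by bin(TimeGenerated, 1h), Computer
| extend
    BilledGB         = round(BilledBytes / pow(1024, 3), 4),
    AvgBytesPerEvent = round(BilledBytes / Events, 1),
    Readable         = format_bytes(BilledBytes, 2)
| order by TimeGenerated desc, BilledBytes desc
```

Replacing the table name and the two filter lines with any other search criteria gives the billed size of that slice; narrowing `lookback` to `1h` answers the one-hour case from the question.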
    

1 additional answer

  1. Givary-MSFT 27,966 Reputation points Microsoft Employee
    2024-03-28T10:36:48.74+00:00

    @94554605 Thank you for reaching out to us. As I understand, you are looking for data ingestion for specific data / specific time period data in a table.

    As far as I am aware, this can be achieved with KQL using ingestion_time() and TimeGenerated function.

    Came across this query (not tested); see if this helps.

    SecurityEvent
    | where TimeGenerated >= ago(1h)  // Filter events from the last hour
    | extend IngestionDelay = ingestion_time() - TimeGenerated  // Calculate ingestion delay
    | summarize TotalEvents = count() by Type, IngestionDelay  // Count events per table and delay (Type holds the table name)
    | project Type, TotalEvents, IngestionDelay

    Let me know if you have any further questions, feel free to post back.