Azure Data Explorer data ingestion overview

Data ingestion is the process used to load data records from one or more sources into a table in Azure Data Explorer. Once ingested, the data becomes available for query.

The diagram below shows the end-to-end flow for working in Azure Data Explorer and shows different ingestion methods.

[Figure: Overview scheme of data ingestion and management]

The Azure Data Explorer data management service, which is responsible for data ingestion, implements the following process:

Azure Data Explorer pulls data from an external source and reads requests from a pending Azure queue. Data is batched or streamed to the Data Manager. Batch data flowing to the same database and table is optimized for ingestion throughput. Azure Data Explorer validates initial data and converts data formats where necessary. Further data manipulation includes matching schema, organizing, indexing, encoding, and compressing the data. Data is persisted in storage according to the set retention policy. The Data Manager then commits the data ingest to the engine, where it's available for query.

Supported data formats, properties, and permissions

Batching vs streaming ingestion

  • Batching ingestion does data batching and is optimized for high ingestion throughput. This method is the preferred and most performant type of ingestion. Data is batched according to ingestion properties. Small batches of data are then merged, and optimized for fast query results. The ingestion batching policy can be set on databases or tables. By default, the maximum batching value is 5 minutes, 1000 items, or a total size of 1 GB.

  • Streaming ingestion is ongoing data ingestion from a streaming source. Streaming ingestion allows near real-time latency for small sets of data per table. Data is initially ingested to row store, then moved to column store extents. Streaming ingestion can be done using an Azure Data Explorer client library or one of the supported data pipelines.

Ingestion methods and tools

Azure Data Explorer supports several ingestion methods, each with its own target scenarios. These methods include ingestion tools, connectors and plugins to diverse services, managed pipelines, programmatic ingestion using SDKs, and direct access to ingestion.

Ingestion using managed pipelines

For organizations that wish to have management (throttling, retries, monitors, alerts, and more) done by an external service, using a connector is likely the most appropriate solution. Queued ingestion is appropriate for large data volumes. Azure Data Explorer supports the following Azure Pipelines:

Ingestion using connectors and plugins

Programmatic ingestion using SDKs

Azure Data Explorer provides SDKs that can be used for query and data ingestion. Programmatic ingestion is optimized for reducing ingestion costs (COGs), by minimizing storage transactions during and following the ingestion process.

Available SDKs and open-source projects

Tools

  • One click ingestion: Enables you to quickly ingest data by creating and adjusting tables from a wide range of source types. One click ingestion automatically suggests tables and mapping structures based on the data source in Azure Data Explorer. One click ingestion can be used for one-time ingestion, or to define continuous ingestion via Event Grid on the container to which the data was ingested.

  • LightIngest: A command-line utility for ad-hoc data ingestion into Azure Data Explorer. The utility can pull source data from a local folder or from an Azure blob storage container.

Kusto Query Language ingest control commands

There are a number of methods by which data can be ingested directly to the engine by Kusto Query Language (KQL) commands. Because this method bypasses the Data Management services, it's only appropriate for exploration and prototyping. Don't use this method in production or high-volume scenarios.

  • Inline ingestion: A control command .ingest inline is sent to the engine, with the data to be ingested being a part of the command text itself. This method is intended for improvised testing purposes.

  • Ingest from query: A control command .set, .append, .set-or-append, or .set-or-replace is sent to the engine, with the data specified indirectly as the results of a query or a command.

  • Ingest from storage (pull): A control command .ingest into is sent to the engine, with the data stored in some external storage (for example, Azure Blob Storage) accessible by the engine and pointed-to by the command.

Comparing ingestion methods and tools

| Ingestion name | Data type | Maximum file size | Streaming, batching, direct | Most common scenarios | Considerations |
|---|---|---|---|---|---|
| One click ingestion | *sv, JSON | 1 GB uncompressed (see note) | Batching to container, local file and blob in direct ingestion | One-off, create table schema, definition of continuous ingestion with event grid, bulk ingestion with container (up to 10,000 blobs) | 10,000 blobs are randomly selected from container |
| LightIngest | All formats supported | 1 GB uncompressed (see note) | Batching via DM or direct ingestion to engine | Data migration, historical data with adjusted ingestion timestamps, bulk ingestion (no size restriction) | Case-sensitive, space-sensitive |
| ADX Kafka | | | | | |
| ADX to Apache Spark | | | | | |
| LogStash | | | | | |
| Azure Data Factory | Supported data formats | unlimited *(per ADF restrictions) | Batching or per ADF trigger | Supports formats that are usually unsupported, large files, can copy from over 90 sources, from on-prem to cloud | Time of ingestion |
| Azure Data Flow | | | | Ingestion commands as part of flow | Must have high-performing response time |
| IoT Hub | Supported data formats | N/A | Batching, streaming | IoT messages, IoT events, IoT properties | |
| Event Hub | Supported data formats | N/A | Batching, streaming | Messages, events | |
| Event Grid | Supported data formats | 1 GB uncompressed | Batching | Continuous ingestion from Azure storage, external data in Azure storage | 100 KB is optimal file size, Used for blob renaming and blob creation |
| .NET SDK | All formats supported | 1 GB uncompressed (see note) | Batching, streaming, direct | Write your own code according to organizational needs | |
| Python | All formats supported | 1 GB uncompressed (see note) | Batching, streaming, direct | Write your own code according to organizational needs | |
| Node.js | All formats supported | 1 GB uncompressed (see note) | Batching, streaming, direct | Write your own code according to organizational needs | |
| Java | All formats supported | 1 GB uncompressed (see note) | Batching, streaming, direct | Write your own code according to organizational needs | |
| REST | All formats supported | 1 GB uncompressed (see note) | Batching, streaming, direct | Write your own code according to organizational needs | |
| Go | All formats supported | 1 GB uncompressed (see note) | Batching, streaming, direct | Write your own code according to organizational needs | |

Note

When referenced in the above table, ingestion supports a maximum file size of 4 GB. The recommendation is to ingest files between 100 MB and 1 GB.

Ingestion process

Once you have chosen the most suitable ingestion method for your needs, do the following steps:

  1. Set retention policy

    Data ingested into a table in Azure Data Explorer is subject to the table's effective retention policy. Unless set on a table explicitly, the effective retention policy is derived from the database's retention policy. Hot retention is a function of cluster size and your retention policy. Ingesting more data than you have available space for will force the first-in data to cold retention.

    Make sure that the database's retention policy is appropriate for your needs. If not, explicitly override it at the table level. For more information, see retention policy.

  2. Create a table

    In order to ingest data, a table needs to be created beforehand. Use one of the following options:

    Note

    If a record is incomplete or a field cannot be parsed as the required data type, the corresponding table columns will be populated with null values.

  3. Create schema mapping

    Schema mapping helps bind source data fields to destination table columns. Mapping allows you to take data from different sources into the same table, based on the defined attributes. Different types of mappings are supported, both row-oriented (CSV, JSON and AVRO), and column-oriented (Parquet). In most methods, mappings can also be pre-created on the table and referenced from the ingest command parameter.

  4. Set update policy (optional)

    Some of the data format mappings (Parquet, JSON, and Avro) support simple and useful ingest-time transformations. Where the scenario requires more complex processing at ingest time, use update policy, which allows for lightweight processing using Kusto Query Language commands. The update policy automatically runs extractions and transformations on ingested data on the original table, and ingests the resulting data into one or more destination tables. Set your update policy.
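The four steps above written as Kusto control commands, followed by a prototype-only inline ingest that checks for the null values described in the note under step 2. This is an added example, not part of the original documentation; the database, table, column, function, and mapping names and all sample rows are hypothetical.

```kusto
// Added example. All names and sample values are constructed.
// Run each command on its own; a blank line separates commands.

// Step 1: inspect the database-level retention policy that tables inherit.
.show database SecurityLogs policy retention

// Step 2: create the landing table and a destination table.
.create table RawEvents (Timestamp: datetime, Source: string, Message: string)

.create table DeniedEvents (Timestamp: datetime, Source: string, Message: string)

// Step 1, continued: override retention at the table level when the
// inherited policy does not fit (the table must exist first).
.alter-merge table RawEvents policy retention softdelete = 30d recoverability = disabled

// Step 3: pre-create a JSON mapping that binds source fields to columns,
// so ingest commands can reference it by name.
.create table RawEvents ingestion json mapping "RawEventsJson"
'[{"column":"Timestamp","Properties":{"path":"$.ts"}},{"column":"Source","Properties":{"path":"$.src"}},{"column":"Message","Properties":{"path":"$.msg"}}]'

// Step 4 (optional): update policy that copies matching rows from
// RawEvents into DeniedEvents at ingest time. The function's output
// schema must match the destination table.
.create-or-alter function ExtractDenied() {
    RawEvents
    | where Message startswith "deny"
}

.alter table DeniedEvents policy update
@'[{"IsEnabled": true, "Source": "RawEvents", "Query": "ExtractDenied()", "IsTransactional": false}]'

// Prototype check only: inline ingestion bypasses Data Management.
// The third row carries a value that cannot be parsed as datetime.
.ingest inline into table RawEvents <|
2024-01-01T00:00:00Z,fw01,deny tcp 10.0.0.5:443
2024-01-01T00:00:05Z,fw01,allow tcp 10.0.0.7:443
not-a-timestamp,fw02,deny udp 10.0.0.9:53

// Fields that fail to parse are stored as null, so count them after
// a test ingest to catch mapping or type mismatches early.
RawEvents
| summarize Total = count(), NullTimestamps = countif(isnull(Timestamp))
```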
