Need a good way of tracking your Azure Sentinel table usage? Here’s a KQL query to help.
I can’t take full credit for it, other than sharing it. This query is an amalgam of different queries and the work of a multitude of individuals, but hugely useful.
union withsource=TableName1 * | where TimeGenerated > ago(30d) | summarize Entries = count(), Size = sum(_BilledSize), last_log = datetime_diff("second",now(), max(TimeGenerated)), estimate = sumif(_BilledSize, _IsBillable==true) by TableName1, _IsBillable | project ['Table Name'] = TableName1, ['Table Entries'] = Entries, ['Table Size'] = Size, ['Size per Entry'] = 1.0 * Size / Entries, ['IsBillable'] = _IsBillable, ['Last Record Received'] = last_log , ['Estimated Table Price'] = (estimate/(1024*1024*1024)) * 0.0 | order by ['Table Size'] desc
This is what the results look like:
NOTE: For the 0.0 in the query (at the end of line 5), enter your price. You can use the Azure Pricing Calculator to obtain it.