Forum Discussion
FeintBE
Mar 03, 2020, Copper Contributor
Azure Sentinel - Logs delay?
Hello, I've connected my windows server with Azure Sentinel via Security events data connector. A few days ago, the delay of getting logs from windows event manager to Azure sentinel logs was 50...
CliveWatson
Mar 03, 2020, Former Employee
To the Events table?
Is this all Computers, or just some? Are they in the same Azure Region as Log Analytics?
Factors that affect latency are discussed here: https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-ingestion-time
This query may help to see if it's a particular Computer - assuming it's the Events table (if not you will need to edit)
Event
| where TimeGenerated > startofday(ago(7day))
| extend E2EIngestionLatency = ingestion_time() - TimeGenerated
//| extend AgentLatency = _TimeReceived - TimeGenerated
| summarize
    ['average E2E IngestionLatency'] = round(avg(todouble(datetime_diff("Second", ingestion_time(), TimeGenerated)) / 60), 2),
    ['minimum E2E IngestionLatency'] = round(min(todouble(datetime_diff("Second", ingestion_time(), TimeGenerated)) / 60), 2),
    ['maximum E2E IngestionLatency'] = round(max(todouble(datetime_diff("Second", ingestion_time(), TimeGenerated)) / 60), 2)
    by Computer, bin(TimeGenerated, 1d)
| order by ['average E2E IngestionLatency'] desc
//| render timechart
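The same aggregation as an added Python example (not code from the thread or from Microsoft): it reproduces the query's per-Computer, per-day average/minimum/maximum end-to-end latency in minutes over constructed sample rows, so you can sanity-check exported results offline or flag computers whose daily average exceeds a threshold. Column names and the hostnames are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample rows mirroring the Event table columns the KQL query uses:
# (Computer, TimeGenerated, ingestion_time). All timestamps are UTC.
UTC = timezone.utc
SAMPLE_ROWS = [
    ("srv-dc01",  datetime(2020, 3, 2, 8, 0, tzinfo=UTC),  datetime(2020, 3, 2, 8, 3, tzinfo=UTC)),
    ("srv-dc01",  datetime(2020, 3, 2, 9, 0, tzinfo=UTC),  datetime(2020, 3, 2, 9, 1, 30, tzinfo=UTC)),
    ("srv-app02", datetime(2020, 3, 2, 8, 0, tzinfo=UTC),  datetime(2020, 3, 2, 8, 55, tzinfo=UTC)),
    ("srv-app02", datetime(2020, 3, 2, 10, 0, tzinfo=UTC), datetime(2020, 3, 2, 10, 50, tzinfo=UTC)),
    ("srv-app02", datetime(2020, 3, 3, 1, 0, tzinfo=UTC),  datetime(2020, 3, 3, 1, 2, tzinfo=UTC)),
]


def latency_minutes(time_generated, ingestion_time):
    """datetime_diff("Second", ingestion_time(), TimeGenerated) / 60 from the query."""
    return (ingestion_time - time_generated).total_seconds() / 60.0


def summarize_latency(rows):
    """Group by Computer and 1-day bin of TimeGenerated (bin(TimeGenerated, 1d)),
    return avg/min/max latency in minutes rounded to 2 decimals,
    ordered by average descending, like the KQL summarize / order by."""
    buckets = defaultdict(list)
    for computer, tg, it in rows:
        day = tg.replace(hour=0, minute=0, second=0, microsecond=0)
        buckets[(computer, day)].append(latency_minutes(tg, it))
    result = []
    for (computer, day), values in buckets.items():
        result.append({
            "Computer": computer,
            "Day": day.date().isoformat(),
            "average": round(sum(values) / len(values), 2),
            "minimum": round(min(values), 2),
            "maximum": round(max(values), 2),
        })
    result.sort(key=lambda r: r["average"], reverse=True)
    return result


def slow_computers(rows, threshold_minutes):
    """Computers with at least one daily average latency above the threshold."""
    return sorted({r["Computer"] for r in summarize_latency(rows)
                   if r["average"] > threshold_minutes})


if __name__ == "__main__":
    for row in summarize_latency(SAMPLE_ROWS):
        print(row)
    print("slow:", slow_computers(SAMPLE_ROWS, 30))
```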
FeintBE
Mar 03, 2020, Copper Contributor