FeintBE
Mar 03, 2020, Copper Contributor
Azure Sentinel - Logs delay?
Hello, I've connected my windows server with Azure Sentinel via Security events data connector. A few days ago, the delay of getting logs from windows event manager to Azure sentinel logs was 50...
CliveWatson
Mar 03, 2020, Former Employee
So your average and minimum look good, but the maximum latency was high yesterday (over 10 mins). I assume that is the same computer (behind the red squiggle)?
Was the computer online yesterday? You should get ~60 heartbeats per full minute.
Heartbeat
| where Computer startswith "< insert computer name>"
| where TimeGenerated > ago(1d)
| summarize count() by bin(TimeGenerated,1h)
| render columnchart
Were other computers affected? That would help to rule out network issues between your machine and Log Analytics.
Was it the Agent compared to the E2E?
SecurityEvent
| where TimeGenerated > startofday(ago(7day))
//| extend E2EIngestionLatency = ingestion_time() - TimeGenerated
//| extend AgentLatency = _TimeReceived - TimeGenerated
| summarize
['average E2E IngestionLatency'] = round(avg(todouble(datetime_diff("Second",ingestion_time(),TimeGenerated))/60 ),2)
, ['average Agent Latency'] = round(avg(todouble(datetime_diff("Second",_TimeReceived ,TimeGenerated))/60 ),2)
by Computer , bin(TimeGenerated, 1d)
| order by ['average Agent Latency'] desc
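The two queries in the reply above bin by day and report averages only, so a single 10-minute spike gets averaged away and cannot be attributed to either leg of the path. The query below is an added example, not code from the thread or from Microsoft: it splits latency per computer and per hour into the agent leg (event timestamp to `_TimeReceived`) and the pipeline leg (`_TimeReceived` to `ingestion_time()`), reports max and p95 alongside the average, joins the per-hour Heartbeat count so an agent outage shows up next to the latency it caused, and flags hours that exceed a threshold. The `slowMinutes` threshold and all output column names are assumptions chosen for illustration.

```kql
// Added example (not from the original thread). Requires the SecurityEvent
// and Heartbeat tables in the same Log Analytics workspace.
let lookback = 7d;
let slowMinutes = 10.0;   // assumed threshold: flag hours whose max E2E latency exceeds this
// Hourly heartbeat counts per computer; ~60 expected per hour for a healthy agent
let heartbeats = Heartbeat
    | where TimeGenerated > startofday(ago(lookback))
    | summarize Heartbeats = count() by Computer, Hour = bin(TimeGenerated, 1h);
SecurityEvent
| where TimeGenerated > startofday(ago(lookback))
// Agent leg: time from the event being written on the host to Log Analytics receiving it
| extend AgentLatencyMin    = datetime_diff("second", _TimeReceived, TimeGenerated) / 60.0
// Pipeline leg: time from receipt to the record becoming queryable
| extend PipelineLatencyMin = datetime_diff("second", ingestion_time(), _TimeReceived) / 60.0
| extend E2ELatencyMin      = AgentLatencyMin + PipelineLatencyMin
| summarize
    Events      = count(),
    AvgAgentMin = round(avg(AgentLatencyMin), 2),
    MaxAgentMin = round(max(AgentLatencyMin), 2),
    AvgPipeMin  = round(avg(PipelineLatencyMin), 2),
    MaxPipeMin  = round(max(PipelineLatencyMin), 2),
    P95E2EMin   = round(percentile(E2ELatencyMin, 95), 2),
    MaxE2EMin   = round(max(E2ELatencyMin), 2)
  by Computer, Hour = bin(TimeGenerated, 1h)
// Bring in heartbeat counts; hours with no heartbeat row at all become 0
| join kind=leftouter heartbeats on Computer, Hour
| extend Heartbeats = coalesce(Heartbeats, 0)
// Attribute a slow hour to whichever leg carried the larger maximum delay
| extend SlowLeg = case(MaxE2EMin <= slowMinutes, "none",
                        MaxAgentMin >= MaxPipeMin, "agent",
                        "pipeline")
| where SlowLeg != "none"
| project Computer, Hour, Events, Heartbeats, SlowLeg,
          AvgAgentMin, MaxAgentMin, AvgPipeMin, MaxPipeMin, P95E2EMin, MaxE2EMin
| order by MaxE2EMin desc
```

Reading the result: a slow hour tagged `agent` with a low `Heartbeats` count points at the host or its network path (the agent buffered events while disconnected and flushed them later), whereas `pipeline` with a normal heartbeat count means the events arrived on time and the delay sits in the ingestion service, which is the case to raise with support rather than fix on the server.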