Forum Discussion
SergioT1228
Aug 09, 2021, Brass Contributor
Determine events per second for a potential Sentinel deployment
I have been tasked to determine the estimate of EPS (events per second) for 4 subscriptions. Need to get an idea of the cost of creating an Event Hub to send data to the SIEM. Any assistance/guidan...
snteran
Aug 10, 2021, Copper Contributor
Hey Clive,
OK, I think I figured it out. The _TableName1 is a way to run through all tables without naming a specific table, which allows you to search all tables available.
Also, after reviewing the TimeReceived information in this table:
https://docs.microsoft.com/en-us/azure/azure-monitor/logs/data-ingestion-time#checking-ingestion-time
I was able to substitute as needed. I think I got the needed information. Thank you again.
CliveWatson
Aug 11, 2021, Former Employee
I'm glad you figured it out. You can also do a similar thing in M365, in "Advanced Hunting". Rather than union you can name the single table, or even use union to wildcard, i.e.
// Wildcard one family of tables (here every table whose name starts with Device):
union withsource=MDTables Device*

// Or every table, with the average events per second for each one:
union withsource=MDTables *
| where Timestamp > ago(1d)
| summarize count() by bin(Timestamp, 1m), MDTables   // events per 1-minute bucket
| extend EPS = count_ / 60                             // bucket count -> events per second
| summarize avg(EPS) by MDTables
| sort by avg_EPS desc

// Also show as GBytes (estimated, using 500 bytes as a default value per event)
let bytes_ = 500;
union withsource=MDTables *
| where Timestamp > ago(1d)
| summarize count() by bin(Timestamp, 1m), MDTables
| extend EPS = count_ / 60
// estimatedGBytes is the average bytes per second expressed in GiB (multiply by 86400 for a daily figure)
| summarize avg(EPS), estimatedGBytes = (avg(EPS) * bytes_) / (1024*1024*1024) by MDTables
| sort by toint(estimatedGBytes) desc
- snteran, Aug 12, 2021, Copper Contributor
That worked perfectly. I also added a "by" statement to get the logs per table:
union withsource=_TableName1 *
| where TimeGenerated > ago(1d)
| summarize count() by bin(TimeGenerated, 1m), Type   // events per 1-minute bucket, per table
| extend counttemp = count_ / 60                       // bucket count -> events per second
| summarize
    ['Average Events per Second (eps)'] = avg(counttemp),
    ['Minimum eps'] = min(counttemp),
    ['Maximum eps'] = max(counttemp)
    by ['Table Name'] = Type
It gave me the table names, hopefully this is correct. A lot to learn. Hopefully sharing this will help others.
Cheers,
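As an added example that is not part of the thread above: the queries so far estimate volume from a fixed 500 bytes per event, but a Log Analytics (Sentinel) workspace already records the billed size of every row in the standard `_BilledSize` column, so the per-table EPS and the actual daily gigabytes can come from the same query. This assumes a Log Analytics workspace with a 1-day window; `_BilledSize` and `_IsBillable` do not exist in M365 Advanced Hunting, where the fixed-bytes approach above is the one to use.

```kql
// Added example, not the thread's own query. Assumes a Log Analytics /
// Sentinel workspace; _BilledSize and _IsBillable are standard columns there.
// GBperDay is only a daily figure because the lookback window is exactly 1d.
let lookback = 1d;
let seconds  = 24.0 * 3600;                 // seconds in the 1-day window
union withsource = _TableName1 *
| where TimeGenerated > ago(lookback)
| where _IsBillable == true                 // free tables add nothing to the bill
| summarize
    Events      = count(),
    BilledBytes = sum(_BilledSize)
    by bin(TimeGenerated, 1m), _TableName1  // per-minute buckets, per table
| summarize
    AvgEPS           = sum(Events) / seconds,          // sustained rate
    PeakEPS          = max(Events) / 60.0,             // busiest minute, for sizing headroom
    GBperDay         = sum(BilledBytes) / (1024.0 * 1024 * 1024),
    AvgBytesPerEvent = sum(BilledBytes) / todouble(sum(Events))
    by ['Table Name'] = _TableName1
| sort by GBperDay desc
```

AvgBytesPerEvent shows how far each table sits from the 500-byte default, which is the number to reuse when sizing an Event Hub for sources that have not been connected yet.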