Forum Discussion
EPS calculation and log size
Good evening! We have some customers in the process of aligning about closing a partnership to obtain Azure Sentinel, however, now and then we are asked about the average expense that they may have ...
As you say there can be a large variance here.
union withsource=_TableName1 *
| where _TimeReceived > ago(1d)
| summarize count() , Size = sum(_BilledSize) by bin(_TimeReceived, 1m), Type, _IsBillable, _BilledSize
| extend counttemp =count_ / 60
| summarize
['Average Events per Second (eps)'] = avg(counttemp),
['Average Bytes']=avg(_BilledSize),
//['Bytes']=avg(counttemp) * avg(_BilledSize),
['Minimum eps']=min (counttemp),
['Maximum eps']=max(counttemp)
by ['Table Name']=Type
| order by ['Average Events per Second (eps)'] descHere I run the above on the Microsoft demo data:
Go to Log Analytics and run query (top 5 shown)
| Table Name | Average Events per Second (eps) | Average Bytes | Minimum eps | Maximum eps |
|---|---|---|---|---|
| ContainerLog | 1.6899142145116457 | 350.67232579315635 | 0 | 119 |
| AzureNetworkAnalytics_CL | 0.5160871447121628 | 681.2308469196364 | 0 | 227 |
| W3CIISLog | 0.10373542707589817 | 518.1744672172938 | 0 | 18 |
| AppPageViews | 0.06976744186046512 | 849.984952120383 | 0 | 2 |
| AppMetrics | 0.06423229212494501 | 763.9826849349506 | 0 | 33 |
What you can see is there is often a large difference between the min, avg and max eps. And the average bytes varies as well. You could use this as a basis of a calculation, adding in your device counts for the various technologies. Many of the online calculators use 200-500bytes as a baseline.
Ideally you'd do a POC to test the incoming customer data, but I appreciate that isn't always possible.