Forum Discussion
Solved
Get listing of logs
It is easy to see all of the logs in Sentinel/Log Analytics workspace, but how can we easily export a listing of those logs? not the data, just the log names
- Did you just want the table names? If so -
union withsource= table *
| distinct table
And if you are interested in the busiest tables
union withsource= table *
| summarize count()by table
One other method is to use the Usage Table.
Usage is an aggregated Table that knows about all the other Tables, so you can query that for better performance (runs in less than half the time on my data).
This is not a big issue for a simple query like these examples, but can help if this ends up being frequent or the query more complex.
Usage
| summarize count() by DataType
Wouldn't you need to take into account the Quantity field to really determine which ones were busy or do you just care about the number of hits rather than how much data each table ingested?
- The ask was for just the Tables, but if you need to judge 'busy' - you could use quantity and or count. Usage is good for this as its quick but you do lack some detail...for most cases it's normally fine. For more complex KQL it's a trade between perf and detail