zaylinhtun
Copper Contributor
Feb 08, 2022

How to find the Azure VM ingested log size to Sentinel

Hi all, I need some help.

I want to find the total ingested log size (daily or weekly) from an Azure VM which is used as a syslog forwarder. I can only find the Usage table, which is billable or not.

Thanks all.

  • Clive_Watson
    Bronze Contributor

    zaylinhtun


    Usage no longer holds Computer info, so you can check the Syslog table instead. This shows each day for the last 7 days (adjust to suit).


    // Billable bytes per day for one Syslog server
    Syslog
    | where TimeGenerated > ago(7d)
    | where _IsBillable == true
    | where Computer == ' name of your Syslog server '
    | summarize sum(_BilledSize) by bin(TimeGenerated, 1d)

    // Billable GBytes per day, split by Computer
    Syslog
    | where TimeGenerated > ago(7d)
    | where _IsBillable == true
    //| where Computer == ' .. '
    | summarize GBytes=sum(_BilledSize)/(1024*1024*1024) by bin(TimeGenerated, 1d), Computer
    | render barchart

    // Billable bytes per day, split by Computer
    Syslog
    | where TimeGenerated > ago(7d)
    | where _IsBillable == true
    | summarize bytes=sum(_BilledSize) by bin(TimeGenerated, 1d), Computer
    | render barchart

    or for all Syslog Servers  
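
Added example, not part of the reply above: the same `_BilledSize` approach extended to the weekly totals the question asks for, broken down by facility and severity so you can see which message classes drive the forwarder's ingestion cost. The `forwarder` value is a placeholder and the 28-day lookback is an assumption; adjust both to suit.

```kusto
// Placeholder: set to the Computer value your forwarder reports in the Syslog table
let forwarder = "name of your Syslog server";
Syslog
// Start on a day boundary so the oldest day is not partially counted
| where TimeGenerated > startofday(ago(28d))
| where _IsBillable == true
| where Computer == forwarder
// One row per calendar week, facility and severity
| summarize BilledBytes = sum(_BilledSize), Events = count()
    by Week = startofweek(TimeGenerated), Facility, SeverityLevel
| extend BilledGB = round(BilledBytes / (1024.0 * 1024 * 1024), 3),
         AvgBytesPerEvent = round(BilledBytes / Events, 0)
| project Week, Facility, SeverityLevel, Events, BilledGB, AvgBytesPerEvent
| sort by Week asc, BilledGB desc
```

The current week is partial, so compare only completed weeks when looking for a trend.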
