Log Analytics Workspace Daily Cap

Question

Hello everyone, I am new to&nbsp;Microsoft Sentinel,&nbsp;and I hope all of you are doing good.&nbsp;I wanted to know that I set a&nbsp;daily cap&nbsp;limit on my log analytics workspace of&nbsp;23 MB, as it was the lowest I could go in my test environment. I created alerts on that too, like whenever the daily cap is reached I am notified via email. I wanted to know a couple of things.&nbsp;If I set the daily cap limit, it should stop ingesting data after reaching&nbsp;23 MB&nbsp;right?&nbsp;Considering that the data is coming from my windows and Linux virtual machines via AMA. But I can see around&nbsp;27 MB&nbsp;of data being ingested as of today. I want to know the reason behind it.If it is not stopping the ingestion of data is there any rule that I can configure which forces to stop this ingestion? I have gone through all the&nbsp;Alerts&nbsp;that are present in the Log Analytics Workspace but there is no option.&nbsp;&nbsp;Thanking in advance. Best Regards,Sharjeel Khan.

mhenshaw · Answer

The daily cap states this "Note that there can be some latency in applying the daily cap, so stopping data ingestion precisely at the specified cap cannot be guaranteed." Because of this in my expierence we have to slightly decrease from the cap we actually want for example, if we want the cap to be 23 MB you could set it at 20 MB. Hope that helps

clive_watson · Answer

Sidra_Raza&nbsp;&nbsp;Did you enter the value in GB not MB?&nbsp; If you put 23 that is 23GB&nbsp;&nbsp;

sidra_raza · Answer

I am facing the same issue. Anyone here who can guide us?

sidra_raza · Answer

Hello. I want the ingestion to be stopped at 30 MB that is why I set limit to 23MB but the ingestion is increasing continuously.

sidra_raza · Answer

I added 0.023

Forum Discussion

Log Analytics Workspace Daily Cap

Share

Resources