Log Analytics table growth

Iron Contributor

Greetings community!

 

I'm using the following query to keep a close eye on my top tables in Log Analytics:

search * 
| summarize count() by $table
| project Table=$table, Count=count_
| top 5 by Count

This is great, but I'd also like to track the growth on a day-to-day basis so that I can graph it and catch when there is a big jump in consumption. Any ideas?

 

Thanks!

 

5 Replies

Bookmarking this interesting ask as I have also no idea how to use date diff in let.

@Scott Allison 

 

union withsource = tt *
| where TimeGenerated >= ago(31d) 
| summarize count() by bin(TimeGenerated,1d), Source=tt
| render timechart title = "Monthly growth"

 

Go to Log Analytics and Run Query

clipboard_image_1.png

 

 

@CliveWatson Sir,
This is might be a silly question but what is the meaning of this line [

union withsource = tt *]
What is withsource and tt here

@GouravIN 

 

https://docs.microsoft.com/en-us/azure/kusto/query/unionoperator

 

In simple terms as we are looking at multiple tables with the (*) wildcard - its assigning the name of each Table to "tt"

 

"withsource=ColumnName: If specified, the output will include a column called ColumnName whose value indicates which source table has contributed each row. If the query effectively (after wildcard matching) references tables from more than one database (default database always counts) the value of this column will have a table name qualified with the database. Similarly cluster and database qualifications will be present in the value if more than one cluster is referenced."

So I could have changed it to "athing" instead, but not to any reserved keywords like "Source"  - hence mapping it back to Source at the end with Source=athing 

 

clipboard_image_0.png

I only tend to use "tt" as that was the example in the docs when I first learnt about it :)

Thanks a lot Sir ,@CliveWatson