Log Analytics table growth

Frequent Contributor

Greetings community!


I'm using the following query to keep a close eye on my top tables in Log Analytics:

search * 
| summarize count() by $table
| project Table=$table, Count=count_
| top 5 by Count

This is great, but I'd also like to track the growth on a day-to-day basis so that I can graph it and catch when there is a big jump in consumption. Any ideas?




5 Replies

Bookmarking this interesting ask as I have also no idea how to use date diff in let.

@Scott Allison 


union withsource = tt *
| where TimeGenerated >= ago(31d) 
| summarize count() by bin(TimeGenerated,1d), Source=tt
| render timechart title = "Monthly growth"


Go to Log Analytics and Run Query




@CliveWatson Sir,
This is might be a silly question but what is the meaning of this line [

union withsource = tt *]
What is withsource and tt here





In simple terms as we are looking at multiple tables with the (*) wildcard - its assigning the name of each Table to "tt"


"withsource=ColumnName: If specified, the output will include a column called ColumnName whose value indicates which source table has contributed each row. If the query effectively (after wildcard matching) references tables from more than one database (default database always counts) the value of this column will have a table name qualified with the database. Similarly cluster and database qualifications will be present in the value if more than one cluster is referenced."

So I could have changed it to "athing" instead, but not to any reserved keywords like "Source"  - hence mapping it back to Source at the end with Source=athing 



I only tend to use "tt" as that was the example in the docs when I first learnt about it :)

Thanks a lot Sir ,@CliveWatson