Logic app to send logs to Azure blob storage failing


Hello All,

 

I have implemented a Logic App to move logs from LA workspace to Azure storage as outlined in this blog post by Nicolas Prigent.

 

I am getting this error at the until step.

BadRequest. Http request failed as there is an error: 'Cannot write more bytes to the buffer than the configured maximum buffer size: 104857600.'.

 

The query it is running at the step is this.

SecurityEvent
| where ingestion_time() between(datetime(2022-04-27T05:00:00.0000000) .. datetime(2022-04-27T06:00:00.0000000))

 

When I manually ran this query in Log Analytics, I got more than 15k results. How can I increase the buffer size? Is there a better solution? Thank you for your response.

 

-Saeed


You can't increase the buffer size, so you will need to reduce the amount of data you save in one go.
This can be done either by adjusting the time interval (for example by doing it in 30 minute intervals instead of 1 hour intervals), or by splitting in a fixed line of records interval (for example 5000 lines a time).

The post below explains this in more detail.
https://techcommunity.microsoft.com/t5/integrations-on-azure-blog/how-to-use-logic-apps-to-handle-la...

You never know how many logs will be present in a specific time interval though, especially since the environment might be growing, so the only way that will (most likely) not require re-adjustment is to do it by fixed line of records.
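Both strategies from the reply, as an added Python example that is not from the thread or the linked post: it builds the shorter-window variants of the query from the question, and it builds fixed-size pages (5000 records) that an "until" loop requests one at a time so no single response exceeds the connector's 104857600-byte buffer. It assumes standard KQL `order by` and `row_number()` and the `TimeGenerated` column of SecurityEvent; the connector is replaced by a constructed stub that answers with 15,234 fake events.

```python
import re
from datetime import datetime, timedelta
from typing import Callable, Dict, List

KQL_TS = "%Y-%m-%dT%H:%M:%S.0000000"   # datetime literal format used in the question
def window_query(table: str, start: datetime, end: datetime) -> str:
    """The query from the question, restricted to one ingestion-time window."""
    return (f"{table}\n| where ingestion_time() between("
            f"datetime({start.strftime(KQL_TS)}) .. datetime({end.strftime(KQL_TS)}))")

def split_by_time(table: str, start: datetime, end: datetime, step: timedelta) -> List[str]:
    """Approach 1: run the export in shorter windows (e.g. 30 min instead of 1 h)."""
    queries, cur = [], start
    while cur < end:
        nxt = min(cur + step, end)
        queries.append(window_query(table, cur, nxt))
        cur = nxt
    return queries

def page_query(table: str, start: datetime, end: datetime, page: int, page_size: int) -> str:
    """Approach 2: a fixed number of records per run. Assumes standard KQL
    'order by' + row_number(); sorting first keeps page boundaries stable."""
    lo, hi = page * page_size, (page + 1) * page_size
    return (window_query(table, start, end)
            + "\n| order by TimeGenerated asc\n| extend rn = row_number()"
            + f"\n| where rn > {lo} and rn <= {hi}")

def fetch_all_pages(run_query: Callable[[str], List[Dict]], table: str,
                    start: datetime, end: datetime, page_size: int) -> List[Dict]:
    """The 'until' loop: request page after page until one comes back short,
    so each response stays well under the connector's buffer limit."""
    rows, page = [], 0
    while True:
        batch = run_query(page_query(table, start, end, page, page_size))
        rows.extend(batch)
        if len(batch) < page_size:      # last page (possibly empty) -> stop
            return rows
        page += 1

# Constructed stand-in for the Log Analytics connector: 15,234 fake events,
# answering only the rn range the query asks for (row_number() starts at 1).
FAKE_EVENTS = [{"rn": i, "EventID": 4624} for i in range(1, 15_235)]
def fake_run_query(query: str) -> List[Dict]:
    lo, hi = map(int, re.search(r"rn > (\d+) and rn <= (\d+)", query).groups())
    return [e for e in FAKE_EVENTS if lo < e["rn"] <= hi]

if __name__ == "__main__":
    start, end = datetime(2022, 4, 27, 5), datetime(2022, 4, 27, 6)
    print(len(split_by_time("SecurityEvent", start, end, timedelta(minutes=30))))  # 2
    print(len(fetch_all_pages(fake_run_query, "SecurityEvent", start, end, 5000)))  # 15234
```

With 5000-record pages the stub needs four requests (three full pages plus a short one of 234 rows), which is the loop exit condition the Logic App "until" step must check for.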