January 31, 2019

How Much Log Analytics?

I'm a huge fan of shamelessly stealing other people's work, as long as we say hello and thanks. Had a question from a customer earlier and wanted to post this mostly as a reminder to myself but hopefully other folks can use it.

Question: How do I know which logs are consuming the most data/space inside my Log Analytics (because my bill is too high)?


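    // Look-back window used for both the record counts and the billed volume
    let daystoSearch = 31d;
    // Record count per table over the window; Clause=1 is a constant join key
    let tables = search *
        | where TimeGenerated >= ago(daystoSearch)
        | summarize RecordCount=count() by $table
        | project leftName=$table, RecordCount, Clause=1;
    // Billable volume per data type (Quantity is in MB), matched to the table of the same name
    Usage
    | where TimeGenerated >= ago(daystoSearch)
    | where IsBillable == true
    | where DataType != ""
    | summarize TotalSize=sum(Quantity) by DataType
    | project rightName=DataType, TotalSize, Clause=1
    | join kind=leftouter (tables) on Clause
    | where leftName == rightName
    // Per-table result: average MB per record, record count, and total GB
    | project TableName=leftName, MBperRecord=round(TotalSize / RecordCount, 6), RecordCount, TotalGB=round(TotalSize / 1024, 6)
    | sort by MBperRecord desc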

With many thanks to Dimitri Lider on our internal MS teams!