Ingestion Volume (Data Volume by Table)
Analyze the volume of data being ingested into your Log Analytics workspace. Monitoring ingestion volume is critical for cost management and identifying unexpected spikes in logging that could lead to budget overruns.
Scenario
You need to identify which tables in your workspace are consuming the most data over the last 31 days to optimize logging costs.
KQL Query

```kusto
Usage
| where IsBillable == true
| where TimeGenerated > ago(31d)
| summarize
    TotalGB = sum(Quantity) / 1024
    by DataType, Solution
| order by TotalGB desc
```
Data Flow

```mermaid
graph TD
    A[Usage table] --> B[Filter IsBillable == true]
    B --> C[Filter last 31 days]
    C --> D[Sum Quantity in GB]
    D --> E[Group by table and solution]
    E --> F[Order by volume]
```

Sample Output
| DataType | Solution | TotalGB |
|---|---|---|
| AppServiceHTTPLogs | LogManagement | 0.0018 |
| AppServiceConsoleLogs | LogManagement | 0.0012 |
| AppServicePlatformLogs | LogManagement | 0.0008 |
| AzureMetrics | LogManagement | 0.0003 |
Note: The `Usage` table aggregates data hourly. New workspaces may take several hours before `Usage` records appear. The example above shows a test workspace with App Service diagnostic logs enabled.
How to Read This

Focus on the top 3 tables. If `AppRequests` or `ContainerLogV2` are high, review the logging level in your application or cluster. High `Syslog` volume may indicate a noisy agent on a virtual machine.
Limitations

- The `Usage` table provides data volume based on billing granularity, which may differ slightly from raw telemetry size.
- Data is typically aggregated hourly, so it's not suitable for real-time traffic monitoring.
- This query only includes billable data; free data tiers or specific tables might not appear if filtered by `IsBillable == true`.
Common Variations

Daily ingestion trend

```kusto
Usage
| where IsBillable == true
| where TimeGenerated > ago(31d)
| summarize TotalGB = sum(Quantity) / 1024 by bin(TimeGenerated, 1d), DataType
| order by TimeGenerated asc
```
Billable volume by solution only

```kusto
Usage
| where IsBillable == true
| where TimeGenerated > ago(31d)
| summarize TotalGB = sum(Quantity) / 1024 by Solution
| order by TotalGB desc
```
Interpretation Guide
| Pattern | Indicates | Action |
|---|---|---|
| One table suddenly dominates GB | New noisy source or config change | Review diagnostic settings, DCRs, or log level |
| Many tables rise together | Broader monitoring rollout | Check new agents, solutions, or subscription scope |
| High GB in low-value tables | Cost without operational value | Reduce verbosity or move eligible tables to Basic |
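
The first pattern in the table, one table suddenly dominating, can be surfaced by comparing each table's most recent full day against its own daily average. The query below is an added example, not part of the original playbook; the names `SpikeRatio`, `MinGB`, `Daily`, and `Baseline` and the threshold values are illustrative assumptions to tune per workspace.

```kusto
// Added example: flag tables whose last full UTC day of billable ingestion
// is well above their own average over the preceding days in the 31-day window.
// Assumed thresholds (not from the page): 2x the baseline, at least 0.1 GB.
let SpikeRatio = 2.0;
let MinGB = 0.1;
// Per-table daily volume over complete days only (today's partial day is excluded).
let Daily = Usage
    | where IsBillable == true
    | where TimeGenerated >= startofday(ago(31d)) and TimeGenerated < startofday(now())
    | summarize DailyGB = sum(Quantity) / 1024 by Day = bin(TimeGenerated, 1d), DataType;
// Baseline: average over days before yesterday. Days with no records for a table
// are absent from Usage, so the average covers active days only.
let Baseline = Daily
    | where Day < startofday(ago(1d))
    | summarize BaselineAvgGB = avg(DailyGB), BaselineDays = count() by DataType;
Daily
| where Day == startofday(ago(1d))
| project DataType, LastDayGB = DailyGB
| join kind=leftouter Baseline on DataType
| extend BaselineAvgGB = coalesce(BaselineAvgGB, 0.0)
// Ratio stays null for tables with no baseline, i.e. sources that first appeared yesterday.
| extend Ratio = iff(BaselineAvgGB > 0, LastDayGB / BaselineAvgGB, real(null))
| where LastDayGB >= MinGB and (isnull(Ratio) or Ratio >= SpikeRatio)
| project DataType, LastDayGB, BaselineAvgGB, BaselineDays, Ratio
| order by LastDayGB desc
```

Rows with an empty `Ratio` are tables that had no billable records before yesterday, which corresponds to the "new noisy source" case in the table above.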
Related Playbook
For the full investigation workflow, see High Ingestion Cost.