![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(208, 62%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMA%3C/text%3E%3C/svg%3E)
Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,122 questions
Hi @Matthew Agosta , try using the Heartbeat table instead. The Heartbeat table contains information about the computers and their status, which can be joined with the Usage table to get the log ingestion data. You can use the Computer field in the Heartbeat table to match with your Watchlist and then calculate the total log ingestion.
For example:
let watchlist = datatable(Computer:string) [
"Computer1",
"Computer2",
"Computer3"
];
Heartbeat
| where Computer in (watchlist)
| join kind=inner (
Usage
| summarize TotalLogIngestion = sum(Quantity) by Computer, bin(TimeGenerated, 1d)
) on Computer
| summarize MonthlyLogIngestion = sum(TotalLogIngestion) by Computer, bin(TimeGenerated, 1mo)
This query joins the Heartbeat table with your Watchlist and then joins it with the Usage table to get the total log ingestion for each computer on a monthly basis.
Please let me know if you have any questions and I can help you further.
If this answer helps you please mark "Accept Answer" so other users can reference it.
Thank you,
James