Forum Discussion
Sentinel Billable data
Hello can you please help me understand difference of two queries we received from vendor deployin sentinel. We have logic app running daily this query to see billable data (to monitor if we are...
Hello T150732D ,
Instead of
| where TimeGenerated > ago(1d)
I would use:
| where StartTime >= startofday(ago(1d)) and EndTime < startofday(now())
I tried to use the queries you sent and got the same results. Will try to check it deeper and update you later.
I tend to prefer "between" for this...but either work
| where TimeGenerated between ( startofday(ago(1d)) .. endofday(ago(1d)) )
| where TimeGenerated between ( startofday(ago(1d)) .. endofday(ago(1d)) )
Clive_Watson thanks for your helps.
this query you proposed returns now 550 GB
Usage | where TimeGenerated > ago(1d) | where IsBillable == true | summarize BillableDataGB = sum(Quantity) / 1000.
the second query returns now 840 GB
Usage | where TimeGenerated > startofday(ago(1d)) | where IsBillable == true | summarize BillableDataGB = sum(Quantity) / 1000.
the query mikhailf proposed
| where StartTime >= startofday(ago(1d)) and EndTime < startofday(now())
returns 485 GB
My initial query returns now 550 GB
Usage
| where TimeGenerated > ago(1d)
| where IsBillable == true
| summarize BillableDataGB = sum(Quantity) / 1000. by bin(TimeGenerated, 31d), Solution
| summarize TotalDataGB = sum(BillableDataGB)Hello T150732D ,
Please, try the following queries:
Usage | where TimeGenerated >= startofday(ago(1d)) and EndTime < startofday(now()) | where IsBillable == true | summarize BillableDataGB = sum(Quantity) / 1000. by bin(TimeGenerated, 1d), Solution | summarize TotalDataGB = sum(BillableDataGB)Usage | where TimeGenerated >= startofday(ago(30d)) and EndTime < startofday(now()) | where IsBillable == true | summarize BillableDataGB=sum(Quantity) / 1000. by bin(TimeGenerated, 1d), Solution | render columnchartIt will return similar results.
