union withsource=LogTable *
| where TimeGenerated > ago(60d)
| extend ResourceId = tostring(parse_json(tostring(_ResourceId)))
| extend ResourceName = tostring(split(ResourceId, “/”)[8])
| extend ResourceType = case(
LogTable in (“Heartbeat”, “Perf”, “InsightsMetrics”, “Syslog”, “SecurityEvent”, “VMConnection”, “Update”), “Virtual Machine”,
LogTable startswith “App”, “Application”,
LogTable in (“CommonSecurityLog”, “AzureDiagnostics”), “Firewall”,
“Other”
)
| summarize
LogCount = count(),
IngestedVolumeMB = sum(_BilledSize) / 1024.0,
TotalBilledVolumeMB = sum(_BilledSize) / 1024.0 // Same as IngestedVolumeMB unless raw size is available
by LogTable, ResourceType, ResourceName
| extend
IngestedVolumeGB = round(IngestedVolumeMB / 1024.0, 2),
TotalBilledVolumeGB = round(TotalBilledVolumeMB / 1024.0, 2)
| project ResourceType, ResourceName, LogType = LogTable, IngestedVolumeGB, TotalBilledVolumeGB
| order by ResourceType, ResourceName
Sample Output
| ResourceType | ResourceName | LogType | IngestedVolumeGB | TotalBilledVolumeGB |
|---|---|---|---|---|
| Virtual Machine | vm-prod-01 | Heartbeat | 1.25 | 1.25 |
| Virtual Machine | vm-prod-01 | Perf | 3.40 | 3.40 |
| Application | app-service-01 | AppRequests | 2.10 | 2.10 |
| Firewall | fw-eastus-01 | CommonSecurityLog | 5.75 | 5.75 |
| Firewall | fw-eastus-01 | AzureDiagnostics | 4.20 | 4.20 |
| Virtual Machine | vm-dev-02 | Syslog | 0.85 | 0.85 |
| Other | unknown-resource | UnknownLogTable | 0.10 |
onelinecommand 
Leave a comment