With the Computer field in the Usage table being deprecated, which table should I use to calculate the total monthly log ingestion for a group of Computers?

Question

Hello everyone,

I have been tasked by a client of mine to get the total monthly log ingestion of a group of Computers using a Watchlist. My first thought was to use the Usage table, join that will the Watchlist, and then calculate the total log ingestion for the month. The problem I am running into is that the Usage table has deprecated the Computer field. I am having trouble pivoting to another table, does anyone have any insight on what table I should use for this? I want this query to be accurate for my client but without comparing the Computers in the Watchlist to the Usage table I am having a lot of trouble.

If anyone has any insight or could point me in a direction I would greatly appreciate it. Thanks!

Answer 1

Hello,

That field has been deprecated for years now, two methods spring to mind:

If you know the Table name, you can do something like (I used a datatable to simulate a watchlist). It assumes each named table has a Column called: Computer (which isnt always the case)

let fakeWatchlist = datatable (Computer:string)
[
'fake0001',
'fake0010'
]
;
Heartbeat
| where TimeGenerated > ago(30d)
| where Computer in (fakeWatchlist)
| summarize Gbytes=sum(_BilledSize)/(1024*1024*1024) by Computer

or a very inefficient query which looks over all Tables for the named Computers in the Computer column

let fakeWatchlist = datatable (Computer:string)
[
'fake0001',
'fake0010']
;
union *
| where TimeGenerated > ago(30d)
| where Computer in (fakeWatchlist)
| summarize Gbytes=sum(_BilledSize)/(1024*1024*1024) by Computer