I have a couple of questions about where these "variables" come from in KQL --
search * | distinct $table | sort by $table asc nulls last
What is a $table? Where does this variable come from?
let bytes_ = 500;
union withsource=MDTables *
| where Timestamp > startofday(ago(1d))
| summarize count() by bin(Timestamp, 1m), MDTables
| extend EPS = count_ / 60
| summarize avg(EPS), estimatedGBytes = (avg(EPS) * bytes_) / (1024*1024*1024) by MDTables
| sort by toint(estimatedGBytes) desc
Where does the MDTables variable come from in the above events-per-second, GB-per-second query?
Thank you!
Like I said earlier, $table is a placeholder for a field in your log data. The search * retrieves all records, right, so distinct $table gets unique values from the $table field. This is mostly used in Azure Monitor Logs to represent a log entry.
And secondly, MDTables is an alias used for a field in your log data which represents different tables with names starting with "MDTables".
I guess the query calculates events per second and gigabytes per second for each table, grouping the results by the MDTables field. MDTables is used for readability in this context according to my analysis, and the actual field name might vary based on your specific log schema.
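As an added, self-contained illustration of the second query (not from either poster): the name after withsource= is a column name you choose, and union fills that column with the name of the source each row came from (here the two let-bound sample tables); the two datatable literals and the 500-byte average are constructed assumptions, not real workspace data.

```kql
// Constructed sample data standing in for two log tables (not real workspace tables).
let SecurityEvent_ = datatable(Timestamp: datetime, Message: string) [
    datetime(2024-01-01T00:00:00Z), "logon",
    datetime(2024-01-01T00:00:30Z), "logoff",
    datetime(2024-01-01T00:01:10Z), "logon"
];
let Syslog_ = datatable(Timestamp: datetime, Message: string) [
    datetime(2024-01-01T00:00:05Z), "cron",
    datetime(2024-01-01T00:00:50Z), "sshd"
];
let bytes_ = 500;  // assumed average bytes per event, as in the question's query
// withsource=MDTables adds a column called MDTables holding each row's source name;
// rename it (e.g. withsource=SourceTable) and the rest of the query must use that name.
union withsource=MDTables SecurityEvent_, Syslog_
| summarize count() by bin(Timestamp, 1m), MDTables
| extend EPS = todouble(count_) / 60                     // events per second in each 1-minute bin
| summarize avg(EPS), estimatedGBytes = (avg(EPS) * bytes_) / (1024.0 * 1024 * 1024) by MDTables
| sort by estimatedGBytes desc
```

Running this against the constructed data yields one row per source (SecurityEvent_ and Syslog_), which is the same shape the original query produces across a whole workspace; the estimate only tells you relative ingestion volume, since bytes_ is a guess rather than a measured record size.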