Ingestion tuning is an important aspect of Azure Monitor to ensure optimal performance and cost-effectiveness of data ingestion into the monitoring system. One of the tools available in Azure Monitor for ingestion tuning is Data Collection Rules (DCR).

DCR is a feature in Azure Monitor that allows you to define and customize rules for collecting and processing data from various sources, such as logs, metrics, and events. With DCR, you can filter, transform, and aggregate data before it is ingested into Azure Monitor. This can help you reduce the volume of data ingested, improve query performance, and reduce costs.

Getting Started

To use DCR for ingestion tuning, follow these steps:

  1. Switch to the DCR config directory.

     ```bash
     cd azure/<ENVIRONMENT>/resource-groups/security-log-analytics/services/sentinel-dcr
     ```

  2. Open the config file, config.hcl. Here we need to modify the two variables, default_dcr and custom_dcr.
  3. Both default and custom DCRs function on an opt-in basis. Even for default DCRs within the content directory, we need to explicitly specify the DCR that we want to deploy on our environment within the default_dcr[] array.
  4. In order to deploy custom DCRs:
     1. The DCR configuration JSON needs to be added to the ../custom-dcr directory.
     2. The custom_dcr parameter in config.hcl needs to be modified.
     3. Add the filename of the custom DCR added in step 1 to the array, without the file extension.
  5. Note: For custom DCRs, data_flow.streams must include Microsoft-Table- as a prefix before the table name if it is a Log Analytics workspace table.
  6. Monitor the performance and cost of data ingestion using the metrics and logs available in Azure Monitor.
  7. Fine-tune the data collection rule as needed to optimize performance and reduce costs.

## Conclusion

Ingestion tuning using DCR is an effective way to optimize data ingestion into Azure Monitor. By defining custom rules for collecting and processing data, you can reduce the volume of data ingested, improve query performance, and reduce costs. With the monitoring capabilities of Azure Monitor, you can continuously monitor and fine-tune your data collection rules to achieve optimal performance and cost-effectiveness.
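A pre-deployment check for step 4 and the stream-prefix note in step 5, as an added example that is not part of the original page or the project's tooling. It assumes each custom DCR file is JSON with a `data_flow` key holding one object or a list of objects that each carry a `streams` list; the function names, file names and sample array are constructed, and the `custom_dcr` array is passed in directly instead of being parsed from config.hcl.

```python
import json
import tempfile
from pathlib import Path

PREFIX = "Microsoft-Table-"  # prefix the page requires for workspace tables

def lint_custom_dcrs(custom_dcr, custom_dir):
    """Return (name, problem) findings for the custom_dcr opt-in array."""
    custom_dir, findings = Path(custom_dir), []
    for entry in custom_dcr:
        stem = entry.removesuffix(".json")
        if stem != entry:
            findings.append((entry, "listed with file extension"))
        path = custom_dir / f"{stem}.json"
        if not path.is_file():
            findings.append((entry, "no matching file in custom-dcr"))
            continue
        try:
            doc = json.loads(path.read_text())
        except json.JSONDecodeError:
            findings.append((entry, "invalid JSON"))
            continue
        flows = doc.get("data_flow", [])  # assumed layout, see lead-in
        for flow in [flows] if isinstance(flows, dict) else flows:
            for stream in flow.get("streams", []):
                if not stream.startswith(PREFIX):
                    findings.append((entry, f"stream {stream} lacks {PREFIX}"))
    opted_in = {e.removesuffix(".json") for e in custom_dcr}
    for path in sorted(custom_dir.glob("*.json")):
        if path.stem not in opted_in:  # opt-in model: this file is not deployed
            findings.append((path.stem, "file present but not opted in"))
    return findings

def demo():
    """Run the lint over constructed sample files (not real project DCRs)."""
    samples = {
        "signin-filter": {"data_flow": [{"streams": ["Microsoft-Table-SigninLogs"]}]},
        "syslog-trim": {"data_flow": [{"streams": ["Syslog"]}]},
        "audit-drop": {"data_flow": [{"streams": ["Microsoft-Table-AuditLogs"]}]},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for stem, body in samples.items():
            (Path(tmp) / f"{stem}.json").write_text(json.dumps(body))
        # constructed custom_dcr array as it might appear in config.hcl
        return lint_custom_dcrs(["signin-filter", "syslog-trim.json", "missing"], tmp)

if __name__ == "__main__":
    for name, problem in demo():
        print(f"{name}: {problem}")
```

The prefix finding is a prompt for review, since the script cannot tell whether a stream targets a Log Analytics workspace table.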