Cost & Billing Recipes
DPS Consumption Overview
// Total DPS usage by category (last 7 days)
fetch events, from:now()-7d
| filter event.type == "DPS_CONSUMPTION"
| summarize total=sum(value), by:{category}
| sort total desc
Log Volume (Ingestion Cost Driver)
// Log volume by source โ find what's generating the most logs
fetch logs
| summarize cnt=count(), by:{log.source}
| sort cnt desc
| limit 10
Log Volume Over Time
fetch logs
| makeTimeseries volume=count(), by:{loglevel}
Metric Query Costs
// Which timeseries queries scan the most data?
// Use scanLimitGBytes to control costs
timeseries avg(dt.host.cpu.usage), by:{dt.entity.host}
// Add scanLimitGBytes:-1 for unlimited (billing queries)
Entity Count (License Sizing)
// Host units = primary license metric
fetch dt.entity.host | summarize hosts=count()
// Full-stack vs infrastructure-only
fetch dt.entity.host
| summarize cnt=count(), by:{monitoringMode}
Extension Data Volume
// How many metrics are extensions generating?
fetch dt.entity.custom_device | summarize cnt=count()
Retention Impact
Bucket Default Retention Cost Impact
โโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโโ
default_logs 35 days Highest volume, biggest cost driver
default_metrics 15 months Fixed, 1-min granularity
default_spans 10 days High volume if tracing enabled
default_bizevents 35 days Usually low volume
๐ก The #1 cost optimization: reduce noisy log sources. Find the top log.source by volume and either filter at OpenPipeline or reduce log verbosity at the application level.
๐ Try it: Open a Notebook โ run fetch dt.system.events | filter event.kind == "BILLING_USAGE_EVENT" | summarize cnt=count(), by:{event.type} | sort cnt desc to see your billing event types. This is the foundation for cost dashboards.