TimeSeriesConsiderations.txt
In Kusto Query Language (KQL), there are several limits that you might need to consider when working with time series data in Azure Sentinel:
Request Concurrency: This is a limit that a cluster imposes on the number of requests running at the same time. The default value of the limit depends on the SKU the cluster is running on, and is calculated as: Cores-Per-Node x 10.
Result Set Size (Result Truncation): Kusto limits the number of records returned to the client to 500,000, and the overall data size for those records to 64 MB. When either of these limits is exceeded, the query fails with a "partial query failure".
Memory Consumed by Query Operators (E_RUNAWAY_QUERY): There’s an inherent risk that queries will monopolize the service resources without bounds. Kusto provides several built-in protections in the form of default query limits.
Limit on Arrays Generated by make-series: The arrays generated by make-series are limited to 1,048,576 values (2^20).
If you encounter a “partial query failure” due to exceeding the result set size, you can consider several strategies:
- Reduce the result set size by modifying the query to only return interesting data.
- Reduce the result set size by shifting post-query processing, such as aggregations, into the query itself.
- Switch from queries to using data export when you want to export large sets of data from the service.
Here is an example of how to create a time series in KQL:
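An added example, not part of the original file: a make-series query that keeps each series array far below the 2^20 limit and aggregates inside the query so the result set stays under the truncation limits. The SigninLogs table, its column names, the 14-day window, the 1-hour step and the threshold of 10 are assumptions chosen for illustration.

```kql
// Added example. Assumptions: the Sentinel SigninLogs table and its columns;
// window, bin size and threshold are illustrative values.
let startTime = startofday(ago(14d));
let endTime   = startofday(now());
let binSize   = 1h;
// make-series emits one array element per bin: 14d / 1h = 336 values per
// series, well under the 1,048,576 (2^20) array limit.
SigninLogs
| where TimeGenerated between (startTime .. endTime)
| make-series FailedSignins = countif(ResultType != "0") default = 0
    on TimeGenerated from startTime to endTime step binSize
    by UserPrincipalName
// Aggregate in-query instead of returning every series to the client,
// which keeps the result below 500,000 records / 64 MB.
| extend Stats = series_stats_dynamic(FailedSignins)
| extend PeakPerHour = toreal(Stats.max), TotalFailed = toreal(Stats.sum)
| where PeakPerHour >= 10
| top 100 by PeakPerHour desc
| project UserPrincipalName, PeakPerHour, TotalFailed, FailedSignins, TimeGenerated
```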