Azure Log Analytics: Search Job vs Restore — Cost Comparison 2026
Azure Log Analytics Search Job vs Restore cost comparison UK 2026. Search Jobs cost £0.0046/GB scanned. Restore has a 2TB minimum — restoring 1GB costs £189/day. Understand when to use each.
Prices last verified: March 2026
Search Jobs cost pennies. Restore can cost hundreds of pounds. Here is how to choose the right option and avoid the 2TB minimum billing trap.
Built and verified by an independent Azure engineer, frustrated with the official calculator.
The Core Difference
Search Job
- Query archived data asynchronously
- Cost: £0.0046/GB scanned
- No minimum charge
- Results written to _SRCH table
- Best for: ad-hoc investigations
Restore
- Bring archived data into hot cache
- Cost: £0.0924/GB/day
- 2TB MINIMUM — always billed as at least 2,048 GB
- Best for: sustained heavy querying of large datasets
Search Jobs Explained
A Search Job runs asynchronously against your archived (Basic or Auxiliary tier) log data. Rather than returning results immediately, it scans the specified time range and writes matching records into a new table named OriginalTable_SRCH. You can then query that results table using normal KQL at no additional scan cost. Results tables have 31-day interactive retention.
Search Jobs are charged per GB scanned across the query time range — not per GB returned. If your table ingests 5 GB/day and you search 7 days, you are charged for 35 GB regardless of how many records match your query. Results are also ingested at the standard Analytics Logs rate (£2.13/GB).
Worked Example 1 — Small Investigation
OfficeActivity — 7-day search
| Daily ingestion | 5 GB/day |
| Search range | 7 days |
| GB scanned | 5 × 7 = 35 GB |
| Search cost | 35 × £0.0046 = £0.16 |
| Result set | 0.5 GB |
| Result ingestion | 0.5 × £2.13 = £1.07 |
| Total | £1.23 |
Worked Example 2 — Large Investigation
SecurityEvent — 90-day search
| Daily ingestion | 50 GB/day |
| Search range | 90 days |
| GB scanned | 50 × 90 = 4,500 GB |
| Search cost | 4,500 × £0.0046 = £20.70 |
| Result set | 2 GB |
| Result ingestion | 2 × £2.13 = £4.26 |
| Total | £24.96 |
Restore Explained
Restore brings a specified time range of archived data into a hot cache, creating a table named OriginalTable_RST. Unlike Search Jobs, restore is synchronous — data is available for full KQL querying as soon as the restore completes. There is no charge for querying restored data once it is in the hot cache.
Restore is charged at £0.0924/GB/day with a 2TB (2,048 GB) minimum and a 12-hour minimum duration. Billing is per UTC day and continues until you explicitly dismiss the restore. Forgetting to dismiss is one of the most common causes of unexpected Azure bills.
The 2TB Minimum Billing Trap
The 2TB minimum means restoring any amount of data under 2TB costs the same. The minimum only stops mattering above 2TB.
Worked Example 1 — Small Restore (The Trap)
You want 3 GB — Azure bills 2,048 GB
| Data you want | 3 GB of OfficeActivity logs |
| Azure bills | 2,048 GB (2TB minimum) |
| Duration | 3 days |
| Restore cost | 2,048 × £0.0924 × 3 = £567.71 |
| Same via Search Job | £0.16 + £0.14 = £0.30 |
| Difference | £567.41 wasted |
Worked Example 2 — Large Restore (Justified)
5,000 GB SecurityEvent — sustained 14-day investigation
| Data to restore | 5,000 GB (above 2TB minimum) |
| Duration | 14 days |
| Restore cost | 5,000 × £0.0924 × 14 = £6,468 |
| Via Search Job (once) | 5,000 × £0.0046 = £23 |
If you need to run 200+ KQL queries against this data over 14 days, Restore justifies its cost — a Search Job only runs once and results expire after 31 days.
The Decision Framework
Use Search Job when
- ✓ Ad-hoc investigation (1–5 queries)
- ✓ Data is under 2TB
- ✓ You can wait for async results
- ✓ SOC analyst investigating a specific incident
- ✓ Budget is a concern
Use Restore when
- ✓ Sustained investigation over many days
- ✓ You need to run 50+ queries on same data
- ✓ Data is over 2TB (above minimum anyway)
- ✓ You need the full KQL timeout
- ✓ Performance matters more than cost
Never use Restore when
- ✗ You only need to run 1–3 queries
- ✗ Your data is under 2TB
- ✗ You are doing a quick incident triage
- ✗ A Search Job can answer the question
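The two pricing models above, written out as a small cost model (an added example, not code from this page's calculator or from Microsoft). It uses the GBP rates quoted on this page and assumes, as a worst case, that every follow-up question needs a fresh Search Job over the same time range; the function names are hypothetical.

```python
import math

# Rates in GBP as quoted on this page (the page's figures, last verified March 2026).
SEARCH_PER_GB_SCANNED = 0.0046   # Search Job, per GB scanned
RESULT_INGEST_PER_GB = 2.13      # Analytics Logs ingestion of the _SRCH results
RESTORE_PER_GB_DAY = 0.0924      # Restore, per GB per day
RESTORE_MIN_GB = 2048            # 2TB minimum billed volume


def search_job_cost(daily_ingest_gb, days_searched, result_gb):
    """Scan charge on everything in the time range, plus ingestion of the results."""
    scanned_gb = daily_ingest_gb * days_searched
    return scanned_gb * SEARCH_PER_GB_SCANNED + result_gb * RESULT_INGEST_PER_GB


def restore_cost(restored_gb, days_active):
    """Billed volume never drops below the minimum; cost accrues until dismissal."""
    billed_gb = max(restored_gb, RESTORE_MIN_GB)
    return billed_gb * RESTORE_PER_GB_DAY * days_active


def breakeven_search_jobs(restored_gb, days_active, daily_ingest_gb,
                          days_searched, result_gb):
    """Number of full Search Jobs that fit inside the Restore bill.
    Assumption: each follow-up question is a new Search Job over the same range."""
    restore = restore_cost(restored_gb, days_active)
    one_search = search_job_cost(daily_ingest_gb, days_searched, result_gb)
    return math.floor(restore / one_search)


def recommend(restored_gb, days_active, daily_ingest_gb, days_searched,
              result_gb, planned_searches):
    """Return (cheaper option, total Search Job cost, total Restore cost)."""
    search_total = planned_searches * search_job_cost(
        daily_ingest_gb, days_searched, result_gb)
    restore_total = restore_cost(restored_gb, days_active)
    choice = "search_job" if search_total <= restore_total else "restore"
    return choice, round(search_total, 2), round(restore_total, 2)


if __name__ == "__main__":
    # Constructed scenario: the 3 GB / 3-day restore from the trap example,
    # compared with five repeats of the 7-day OfficeActivity Search Job.
    print(recommend(3, 3, 5, 7, 0.5, planned_searches=5))
    print(breakeven_search_jobs(3, 3, 5, 7, 0.5), "Search Jobs cost the same as that restore")
```
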
Cost Comparison Calculator
Use our free Log Analytics calculator to compare exact Search Job vs Restore costs for your specific scenario. Use the Search Job tab for ad-hoc queries, and the Restore tab to see the 2TB minimum impact on your specific data volume.
Common Mistakes
Restoring for a single investigation
The most expensive mistake in Azure. Always try a Search Job first. A Search Job costs fractions of a penny per GB scanned — there is almost never a reason to Restore for a single incident investigation.
Forgetting to dismiss the restore
Restore bills every UTC day until explicitly dismissed. A restore left running for a week costs 7× the daily rate. Set a calendar reminder when you initiate any restore.
Assuming restore cost equals data size
The 2TB minimum means small restores are disproportionately expensive. Restoring 100 MB and restoring 1,900 GB cost exactly the same per day: £189.24.
Not checking table ingestion volume before a Search Job
Search Job cost depends on daily ingestion rate × days searched, not query result size. A table ingesting 100 GB/day costs £0.46 to scan for one day regardless of how many records your filter matches.
Official Resources
SC-200 covers Search Jobs and Restore in the Sentinel investigation modules — it is the most relevant certification for analysts who regularly query archived log data.