Managing Azure Monitor Logs in Azure CLI

Use the Azure CLI commands described here to manage your log analytics workspace in Azure Monitor.

Prerequisites

• If you prefer to run CLI reference commands locally, install the Azure CLI. If you're running on Windows or macOS, consider running Azure CLI in a Docker container. For more information, see How to run the Azure CLI in a Docker container.

  • If you're using a local installation, sign in to the Azure CLI by using the az login command. To finish the authentication process, follow the steps displayed in your terminal. For other sign-in options, see Sign in with the Azure CLI.

  • When you're prompted, install the Azure CLI extension on first use. For more information about extensions, see Use extensions with the Azure CLI.

  • Run az version to find the version and dependent libraries that are installed. To upgrade to the latest version, run az upgrade.

Create a workspace for Monitor Logs

Run the az group create command to create a resource group or use an existing resource group. To create a workspace, use the az monitor log-analytics workspace create command.

az group create --name ContosoRG --location chinaeast2
az monitor log-analytics workspace create --resource-group ContosoRG \
   --workspace-name ContosoWorkspace

For more information about workspaces, see Azure Monitor Logs overview.

List tables in your workspace

Each workspace contains tables with columns that have multiple rows of data. Each table is defined by a unique set of columns of data provided by the data source.

To see the tables in your workspace, use the az monitor log-analytics workspace table list command:

az monitor log-analytics workspace table list --resource-group ContosoRG \
   --workspace-name ContosoWorkspace --output table

The output value table presents the results in a more readable format. For more information, see Output formatting.

To change the retention time for a table, run the az monitor log-analytics workspace table update command:

az monitor log-analytics workspace table update --resource-group ContosoRG \
   --workspace-name ContosoWorkspace --name Syslog --retention-time 45

The retention time is between 30 and 730 days.

For more information about tables, see Data structure.

Manage a linked service

Linked services define a relation from the workspace to another Azure resource. Azure Monitor Logs and Azure resources use this connection in their operations. Example uses of linked services, including an automation account and a workspace association to customer-managed keys.

To create a linked service, run the az monitor log-analytics workspace linked-service create command:

az monitor log-analytics workspace linked-service create --resource-group ContosoRG \
   --workspace-name ContosoWorkspace --name linkedautomation \
   --resource-id /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ContosoRG/providers/Microsoft.Web/sites/ContosoWebApp09

az monitor log-analytics workspace linked-service list --resource-group ContosoRG \
   --workspace-name ContosoWorkspace

To remove a linked service relation, run the az monitor log-analytics workspace linked-service delete command:

az monitor log-analytics workspace linked-service delete --resource-group ContosoRG \
   --workspace-name ContosoWorkspace --name linkedautomation

For more information, see az monitor log-analytics workspace linked-service.

Manage linked storage

If you provide and manage your own storage account for log analytics, you can manage it with these Azure CLI commands.

To link your workspace to a storage account, run the az monitor log-analytics workspace linked-storage create command:

az monitor log-analytics workspace linked-storage create --resource-group ContosoRG \
   --workspace-name ContosoWorkspace \
   --storage-accounts /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ContosoRG/providers/Microsoft.Storage/storageAccounts/contosostorage \
   --type Alerts

az monitor log-analytics workspace linked-storage list --resource-group ContosoRG \
   --workspace-name ContosoWorkspace --output table

To remove the link to a storage account, run the az monitor log-analytics workspace linked-storage delete command:

az monitor log-analytics workspace linked-storage delete --resource-group ContosoRG \
   --workspace-name ContosoWorkspace --type Alerts

Manage intelligence packs

To see the available intelligence packs, run the az monitor log-analytics workspace pack list command. The command also tells you whether the pack is enabled.

az monitor log-analytics workspace pack list --resource-group ContosoRG \
   --workspace-name ContosoWorkspace

Use the az monitor log-analytics workspace pack enable or az monitor log-analytics workspace pack disable commands:

az monitor log-analytics workspace pack enable --resource-group ContosoRG \
   --workspace-name ContosoWorkspace --name NetFlow

az monitor log-analytics workspace pack disable --resource-group ContosoRG \
   --workspace-name ContosoWorkspace --name NetFlow

Manage saved searches

To create a saved search, run the az monitor log-analytics workspace saved-search command:

az monitor log-analytics workspace saved-search create --resource-group ContosoRG \
   --workspace-name ContosoWorkspace --name SavedSearch01 \
   --category "Log Management" --display-name SavedSearch01 \
   --saved-query "AzureActivity | summarize count() by bin(TimeGenerated, 1h)" --fa Function01 --fp "a:string = value"

View your saved search by using the az monitor log-analytics workspace saved-search show command. See all saved searches by using az monitor log-analytics workspace saved-search list.

az monitor log-analytics workspace saved-search show --resource-group ContosoRG \
   --workspace-name ContosoWorkspace --name SavedSearch01
az monitor log-analytics workspace saved-search list --resource-group ContosoRG \
   --workspace-name ContosoWorkspace

To delete a saved search, run the az monitor log-analytics workspace saved-search delete command:

az monitor log-analytics workspace saved-search delete --resource-group ContosoRG \
   --workspace-name ContosoWorkspace --name SavedSearch01 --yes

Clean up deployment

If you created a resource group to test these commands, you can remove the resource group and all its contents by using the az group delete command:

az group delete --name ContosoRG

If you want to remove a new workspace from an existing resource group, run the az monitor log-analytics workspace delete command:

az monitor log-analytics workspace delete --resource-group ContosoRG 
   --workspace-name ContosoWorkspace --yes

Log analytics workspaces have a soft delete option. You can recover a deleted workspace for two weeks after deletion. Run the az monitor log-analytics workspace recover command:

az monitor log-analytics workspace recover --resource-group ContosoRG 
   --workspace-name ContosoWorkspace

In the delete command, add the --force parameter to delete the workspace immediately.

Azure CLI commands used in this article

• az group create
• az group delete
• az monitor log-analytics workspace create
• az monitor log-analytics workspace data-export create
• az monitor log-analytics workspace data-export delete
• az monitor log-analytics workspace data-export list
• az monitor log-analytics workspace delete
• az monitor log-analytics workspace linked-service create
• az monitor log-analytics workspace linked-service delete
• az monitor log-analytics workspace linked-storage create
• az monitor log-analytics workspace linked-storage delete
• az monitor log-analytics workspace pack disable
• az monitor log-analytics workspace pack enable
• az monitor log-analytics workspace pack list
• az monitor log-analytics workspace recover
• az monitor log-analytics workspace saved-search delete
• az monitor log-analytics workspace saved-search list
• az monitor log-analytics workspace saved-search show
• az monitor log-analytics workspace saved-search
• az monitor log-analytics workspace table list
• az monitor log-analytics workspace table update

Next steps

Overview of Log Analytics in Azure Monitor