Add or delete tables and columns in Azure Monitor Logs

  • Article

Data collection rules let you filter and transform log data before sending the data to an Azure table or a custom table. This article explains how to create custom tables and add custom columns to tables in your Log Analytics workspace.

Important

Whenever you update a table schema, be sure to update any data collection rules that send data to the table. The table schema you define in your data collection rule determines how Azure Monitor streams data to the destination table. Azure Monitor does not update data collection rules automatically when you make table schema changes.

Prerequisites

To create a custom table, you need:

  • A Log Analytics workspace where you have at least contributor rights.

  • A data collection endpoint (DCE).

  • A JSON file with at least one record of sample for your custom table. This will look similar to the following:

    [
  {
    "TimeGenerated": "supported_datetime_format",
    "<column_name_1>": "<column_name_1_value>",
    "<column_name_2>": "<column_name_2_value>"
  },
  {
    "TimeGenerated": "supported_datetime_format",
    "<column_name_1>": "<column_name_1_value>",
    "<column_name_2>": "<column_name_2_value>"
  },
  {
    "TimeGenerated": "supported_datetime_format",
    "<column_name_1>": "<column_name_1_value>",
    "<column_name_2>": "<column_name_2_value>"
  }
]

    All tables in a Log Analytics workspace must have a column named TimeGenerated. If your sample data has a column named TimeGenerated, then this value will be used to identify the ingestion time of the record. If not, a TimeGenerated column will be added to the transformation in your DCR for the table. For information about the TimeGenerated format, see supported datetime formats.

Create a custom table

Azure tables have predefined schemas. To store log data in a different schema, use data collection rules to define how to collect, transform, and send the data to a custom table in your Log Analytics workspace.

Important

Custom tables have a suffix of _CL; for example, tablename_CL. The Azure portal adds the _CL suffix to the table name automatically. When you create a custom table using a different method, you need to add the _CL suffix yourself. The tablename_CL in the DataFlows Streams properties in your data collection rules must match the tablename_CL name in the Log Analytics workspace.

Note

For information about creating a custom table for logs you ingest with the deprecated Log Analytics agent, also known as MMA or OMS, see Collect text logs with the Log Analytics agent.

To create a custom table in the Azure portal:

  1. From the Log Analytics workspaces menu, select Tables.

    Screenshot that shows the Tables screen for a Log Analytics workspace.

  2. Select Create and then New custom log (DCR-based).

    Screenshot showing new DCR-based custom log.

  3. Specify a name and, optionally, a description for the table. You don't need to add the _CL suffix to the custom table's name - this is added automatically to the name you specify in the portal.

  4. Select an existing data collection rule from the Data collection rule dropdown, or select Create a new data collection rule and specify the Subscription, Resource group, and Name for the new data collection rule.

    Screenshot showing new data collection rule.

  5. Select a data collection endpoint and select Next.

    Screenshot showing custom log table name.

  6. Select Browse for files and locate the JSON file with the sample data for your new table.

    Screenshot showing custom log browse for files.

    If your sample data doesn't include a TimeGenerated column, then you will receive a message that a transformation is being created with this column.

  7. If you want to transform log data before ingestion into your table:

    1. Select Transformation editor.

      The transformation editor lets you create a transformation for the incoming data stream. This is a KQL query that runs against each incoming record. Azure Monitor Logs stores the results of the query in the destination table.

      Screenshot showing custom log data preview.

    2. Select Run to view the results.

      Screenshot showing initial custom log data query.

  8. Select Apply to save the transformation and view the schema of the table that's about to be created. Select Next to proceed.

    Screenshot showing custom log final schema.

  9. Verify the final details and select Create to save the custom log.

    Screenshot showing custom log create.

Delete a table

There are several types of tables in Log Analytics and the delete experience is different for each:

  • Azure table -- Can't be deleted. Tables that are part of a solution are removed from workspace when deleting the solution, but data remains in workspace for the duration of the retention policy defined for the tables, or if not exist, for the duration of the retention policy defined in workspace. If the solution is re-created in the workspace, these tables and previously ingested data become visible again. To avoid charges, define retention policy for tables in solutions to minimum (4-days) before deleting the solution.
  • Restored table (table_RST) -- Deletes the hot cache provisioned for the restore, but source table data isn't deleted.
  • Search results table (table_SRCH) -- Deletes the table and data immediately and permanently.
  • Custom log table (table_CL) -- Deletes the table definition immediately, but data remains in workspace for the duration of the retention policy defined for the table, or workspace. The retention policy for table is removed in 14-days and workspace retention governs. If custom log table is created with the same name and schema, the table and previously ingested data become visible again. To avoid charges and remove data from table, define retention policy for table to minimum (4-days) before deleting the table.

To delete a table from the Azure portal:

  1. From the Log Analytics workspace menu, select Tables.

  2. Search for the tables you want to delete by name, or by selecting Search results in the Type field.

    Screenshot that shows the Tables screen for a Log Analytics workspace with the Filter by name and Type fields highlighted.

  3. Select the table you want to delete, select the ellipsis ( ... ) to the right of the table, select Delete, and confirm the deletion by typing yes.

    Screenshot that shows the Delete Table screen for a table in a Log Analytics workspace.

Add or delete a custom column

You can modify the schema of custom tables and add custom columns to, or delete columns from, a standard table.

Note

Column names must start with a letter and can consist of up to 45 alphanumeric characters and underscores (_). _ResourceId, id, _ResourceId, _SubscriptionId, TenantId, Type, UniqueId, and Title are reserved column names.

To add a custom column to a table in your Log Analytics workspace, or delete a column:

  1. From the Log Analytics workspaces menu, select Tables.

  2. Select the ellipsis ( ... ) to the right of the table you want to edit and select Edit schema. This opens the Schema Editor screen.

  3. Scroll down to the Custom Columns section of the Schema Editor screen.

    Screenshot showing the Schema Editor screen with the Add a column and Delete buttons highlighted.

  4. To add a new column:

    1. Select Add a column.
    2. Set the column name and description (optional), and select the expected value type from the Type dropdown.
    3. Select Save to save the new column.

  5. To delete a column, select the Delete icon to the left of the column you want to delete.

Next steps

Learn more about: