Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
The Delete Data API lets you make asynchronous requests to remove data, such as sensitive, personal, corrupt, or incorrect log entries.
This article explains how to delete log entries from a specific table in your Log Analytics workspace by calling the Delete Data API.
The Delete Data API is ideal for unplanned deletions of individual records. For example, when you discover that corrupt telemetry data was ingested to the workspace and you want to prevent it from skewing query results. The Delete Data API mark records that meet the specified filter criteria as deleted without physically removing them from storage.
To specify which rows of the table you want to delete, you send one or more filters in the body of the API call.
The deletion process is final and irreversible. Therefore, before calling the API, check that your filters produce the intended results by running a query in your workspace, using the Kusto Query Language (KQL) where operator.
For example, to delete data from the AzureMetrics table based on a TimeGenerated value:
You might send this filter in the body of your API call:
{ "filters": [ { "column": "TimeGenerated", "operator": "==", "value": "2024-09-23T00:00:00" } ] }Check that your filter returns the entry you want to delete by running this query in your Log Analytics workspace:
AzureMetrics | where TimeGenerated == "2024-09-23T00:00:00"
Delete data requests are asynchronous and typically completed within a few minutes. In extreme cases, a request might be queued up to five days.
| Action | Permissions required |
|---|---|
| Delete data from a table in a Log Analytics workspace | Microsoft.OperationalInsights/workspaces/tables/deleteData/action permissions to the Log Analytics workspace, as provided by the Log Analytics Contributor built-in role, for example |
- You can submit up to 10 Delete Data requests per hour in a single Log Analytics workspace.
- The Analytics table plan supports data deletion. To delete data from a table with the Basic plan, change the plan to Analytics and then delete the data. The Auxiliary plan doesn't support data deletion.
- Delete-data doesn't affect retention billing. Retention charge is governed by the retention period configured in tables, or your workspace.
To delete rows from a table, use this command:
POST https://management.chinacloudapi.cn/subscriptions/{subscriptionId}/resourceGroups/{resourcegroup}/providers/Microsoft.OperationalInsights/workspaces/{workspace_name}/tables/{table_name}/deleteData?api-version=2023-09-01
Authorization: Bearer eyJ0e...
Specify one or more filters in the body of the API call. This example filters on the TimeGenerated and Resource columns:
{
"filters": [
{
"column": "TimeGenerated",
"operator": "==",
"value": "2024-09-23T00:00:00"
},
{
"column": "Resource",
"operator": "==",
"value": "VM-1"
}
]
}
| Name | Description |
|---|---|
column |
The name of the column in the destination table on which to apply the filter. |
operator |
The supported operators are ==, =~, in, in~, >, >=, <, <=, between. |
value |
The value to filter by, in the supported format. The value can be a specific date, string, or other data type depending on the column. |
| Response | Description |
|---|---|
| 202 (accepted) | Asynchronous request received successfully. To check whether your operation succeeded or failed, use the Azure-AsyncOperation URL provided in the response header. |
| Other status codes | Error response describing why the operation failed. |
You can track data deletion activities in a workspace through the Azure Activity Log. In the Log Analytics workspace menu within the Azure portal, choose Activity Log and find Delete Data from log analytics workspace events. Select an event and open it in JSON format for details such as number of records deleted, caller, and message.
To check the status of your operation and view the number of deleted records, send a GET request with the Azure-AsyncOperation URL provided in the response header:
GET https://management.chinacloudapi.cn/subscriptions/{subscriptionId}/providers/Microsoft.OperationalInsights/locations/{region}/operationstatuses/{responseOperation}?api-version=2023-09-01
Authorization: Bearer eyJ0e...
{
"id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.OperationalInsights/locations/chinanorth2/operationstatuses/00000000-0000-0000-0000-000000001234",
"name": "00000000-0000-0000-0000-000000001234",
"status": "Succeeded",
"startTime": "2024-11-04T09:31:41.689659Z",
"endTime": "2024-11-04T09:36:49.0252644Z",
"properties": {
"RecordCount": 234812,
"Status": "Completed"
}
}
For more information, see Track asynchronous Azure operations.
Learn how to: