Create a Log Analytics workspace

  • Article

A Log Analytics workspace is a data store into which you can collect any type of log data from all of your Azure and non-Azure resources and applications. We recommend that you send all log data to one Log Analytics workspace, unless you have specific business needs that require you to create multiple workspaces, as described in Design a Log Analytics workspace architecture.

This article explains how to create a Log Analytics workspace.

Prerequisites

To create a Log Analytics workspace, you need an Azure account with an active subscription. You can create an account for free.

Permissions required

You need Microsoft.OperationalInsights/workspaces/write permissions to the resource group where you want to create the Log Analytics workspace, as provided by the Log Analytics Contributor built-in role, for example.

Create a workspace

The following sample uses the Microsoft.OperationalInsights workspaces template to create a Log Analytics workspace in Azure Monitor. For more information about Azure Resource Manager templates, see Azure Resource Manager templates.

Note

See Azure Resource Manager samples for Azure Monitor for a list of samples that are available and guidance on deploying them in your Azure subscription.

Template file

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "type": "string",
      "metadata": {
        "description": "Name of the workspace."
      }
    },
    "sku": {
      "type": "string",
      "defaultValue": "pergb2018",
      "allowedValues": [
        "pergb2018",
        "Free",
        "Standalone",
        "PerNode",
        "Standard",
        "Premium"
      ],
      "metadata": {
        "description": "Pricing tier: PerGB2018 or legacy tiers (Free, Standalone, PerNode, Standard or Premium) which are not available to all customers."
      }
    },
    "location": {
      "type": "string",
      "metadata": {
        "description": "Specifies the location for the workspace."
      }
    },
    "retentionInDays": {
      "type": "int",
      "defaultValue": 120,
      "metadata": {
        "description": "Number of days to retain data."
      }
    },
    "resourcePermissions": {
      "type": "bool",
      "metadata": {
        "description": "true to use resource or workspace permissions. false to require workspace permissions."
      }
    },
    "heartbeatTableRetention": {
      "type": "int",
      "metadata": {
        "description": "Number of days to retain data in Heartbeat table."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.OperationalInsights/workspaces",
      "apiVersion": "2023-09-01",
      "name": "[parameters('workspaceName')]",
      "location": "[parameters('location')]",
      "properties": {
        "sku": {
          "name": "[parameters('sku')]"
        },
        "retentionInDays": "[parameters('retentionInDays')]",
        "features": {
          "enableLogAccessUsingOnlyResourcePermissions": "[parameters('resourcePermissions')]"
        }
      }
    },
    {
      "type": "Microsoft.OperationalInsights/workspaces/tables",
      "apiVersion": "2022-10-01",
      "name": "[format('{0}/{1}', parameters('workspaceName'), 'Heartbeat')]",
      "properties": {
        "retentionInDays": "[parameters('heartbeatTableRetention')]"
      },
      "dependsOn": [
        "workspace"
      ]
    }
  ]
}

Note

If you specify a pricing tier of Free, then remove the retentionInDays element.

Parameter file

{
  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "value": "MyWorkspace"
    },
    "sku": {
      "value": "pergb2018"
    },
    "location": {
      "value": "chinaeast2"
    },
    "resourcePermissions": {
      "value": true
    },
    "heartbeatTableRetention": {
      "value": 30
    }
  }
}

Troubleshooting

When you create a workspace that was deleted in the last 14 days and in soft-delete state, the operation could have a different outcome depending on your workspace configuration:

  1. If you provide the same workspace name, resource group, subscription, and region as in the deleted workspace, your workspace will be recovered including its data, configuration, and connected agents.

  2. Workspace names must be unique for a resource group. If you use a workspace name that already exists, or is soft deleted, an error is returned. To permanently delete your soft-deleted name and create a new workspace with the same name, follow these steps:

    1. Recover your workspace.
    2. Permanently delete your workspace.
    3. Create a new workspace by using the same workspace name.

Next steps

Now that you have a workspace available, you can configure collection of monitoring telemetry, run log searches to analyze that data, and add a management solution to provide more data and analytic insights. To learn more: