Skip to main content
Jorge Bernhardt Jorge Bernhardt
  1. Posts/

How to manage Log Analytics tables using the Azure CLI

·907 words·5 mins· 100 views · 5 likes ·
Azure CLI Azure Cloud Shell Azure Monitor Log Analytics

Microsoft last month announced the general availability of a new experience for managing Azure Log Analytics table metadata from the Azure portal. So I think it’s an excellent time to see how to view and edit table properties in Log Analytics workspaces using the Azure CLI and check how these changes are reflected in the Azure portal. Some concepts that we must keep in mind before starting.

  • Basic log data plan
    • Data retention is fixed: eight days.
    • It allows you to perform basic queries using a limited version of the query language.
    • It is ideal for debugging, troubleshooting, and auditing.
    • Not support alerts.
  • Analytics log dataplan
    • You can choose data retention from 30 days to 730 days.
    • You can use all the capabilities of the query language.
    • It is ideal for data analysis.
    • Supports alerts.
  • Interactive retention (also known as retention time)
    • It is the period in which the data will be available for interactive queries.
  • Total retention period
    • It is the sum of the interactive and archive periods.
Prerequisites>

Prerequisites #

  • This tutorial assumes that you already have a Log Analytics Workspace. You can use an existing Workspace, or if you want to create a new one, check out this link.
Azure CLI Workaround>

Azure CLI Workaround #

I use the Bash environment in Azure Cloud Shell, but you can execute the CLI commands locally. You must install the Azure CLI on your computer and log in to the Azure CLI with the az login command. Once logged in, I define the variables with the names of the resources to make the commands easier to read.

resourceGroupName="RG-DEMO-HUB"
workspaceName="LAW-DEMO-HUB"
List all the tables in your Log Analytics workspace>

List all the tables in your Log Analytics workspace #

First, we will use the following command to list all the current tables in our log analytics workspace.

az monitor log-analytics workspace table list \
--resource-group $resourceGroupName \
--workspace-name $workspaceName \
--output table
Get the properties of a Log Analytics workspace table>

Get the properties of a Log Analytics workspace table #

Once you know all the tables available in your log analytics workspace, you can view the information for a specific table using the following command.

az monitor log-analytics workspace table show \
--name Perf \
--resource-group $resourceGroupName \
--workspace-name $workspaceName \
--output table
Update the properties of a system table>

Update the properties of a system table #

To change the data retention settings of a system table, you should use the following command.

az monitor log-analytics workspace table update \
--name Alert \
--resource-group $resourceGroupName \
--workspace-name $workspaceName \
--retention-time 180 \
--total-retention-time 360

Important: Note that by default, the retention settings for system tables are the settings set at the log analysis workspace level.

Create a restore logs table>

Create a restore logs table #

You can create a table based on information from another table by defining a time range. To do this, you should use the following command.

az monitor log-analytics workspace table restore create \
--end-restore-time "2022-12-15" \
--name AzureDiagnostics_RST \
--resource-group $resourceGroupName \
--restore-source-table AzureDiagnostics \
--start-restore-time "2022-12-01" \
--workspace-name $workspaceName

Important: All restore tables must have the subfix “_RST” in the table name, as shown in the example above.

Create a custom log table>

Create a custom log table #

Creating custom tables allows you to define a table schema, a log data plan, and a retention period. You should use the following command to create a custom table in your log analytics workspace.

az monitor log-analytics workspace table create \
--name AnalyticsCustomTable_CL \
--resource-group $resourceGroupName \
--workspace-name $workspaceName \
--columns column01=string column02=real TimeGenerated=datetime \
--description "My Demo table" \
--plan Analytics \
--retention-time 7 \
--total-retention-time 30

Important: All custom tables must have the subfix “_CL” in the table name, as shown in the example above. Creating a table with the basic log plan is done the same way, with some limitations regarding data retention.

az monitor log-analytics workspace table create \
--name BasicCustomTable_CL \
--resource-group $resourceGroupName \
--workspace-name $workspaceName \
--columns column01=string column02=real TimeGenerated=datetime \
--description "My Basic Demo table" \
--plan Basic \
--total-retention-time 30

Important: note that the table schema must have a mandatory column, ‘TimeGenerated.’

List all custom tables in your Log Analytics workspace>

List all custom tables in your Log Analytics workspace #

To obtain a list with all the tables created by you, you can use the following command.

az monitor log-analytics workspace table list \
--resource-group $resourceGroupName \
--workspace-name $workspaceName \
--query "[].{Name:name, Plan:plan, Description:schema.description,ProvisioningState:provisioningState,RetentionInDays:retentionInDays} | \
[? contains(Name,'_CL')]" \
--output table

log analytics table

Update the properties of a custom table>

Update the properties of a custom table #

If you want to modify a custom table, you should use the following command.

az monitor log-analytics workspace table update \
--name $basicTableName \
--resource-group $resourceGroupName \
--workspace-name $workspaceName \
--description "My new Analytics Demo table" \
--plan Analytics \
--retention-time 7 \
--total-retention-time 30

Important: Please note that the table plan change is limited to once a week.

Delete a table from your Log Analytics workspace>

Delete a table from your Log Analytics workspace #

Finally, you should use the following command to delete a table from your log analytics workspace.

az monitor log-analytics workspace table delete \
--name $analyticsTableName \
--resource-group $resourceGroupName \
--workspace-name $workspaceName \
--yes

Thanks for reading my post. I hope you find it helpful.

Check out this link for more information about Manage tables in a Log Analytics workspace.