Log analytics moving resources

Carolina Zamisnicu 316 Reputation points
2021-10-14T11:43:27.417+00:00

Hello,

Currently I have two Log Analytics workspaces with default names in my subscription. I want to organise my environment to have a clear visibility over my resources, so I decided that, in the end, I want two log analytics workspaces: one for production and one for testing purposes.
I want this granularity so I can then come and set up my Azure Defender only for production resources.
Now, my questions are, as I clearly know that I cannot change the name of the workspace and the resources within it, how can I see which resources are using that particular workspace, how can I migrate them to a new workspace, how will this impact my production environment and lastly how can I delete the "old" workspaces after I created the new ones.
Can you guide me through this process?
Thank you!

Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.

1 answer

  1. bharathn-msft 5,086 Reputation points Microsoft Employee
    2021-10-22T04:16:33.97+00:00

    <<Sharing the information from comments to here for broader community users>>

    @Carolina Zamisnicu - Thank you for your query. Please review the below information and let us know if you have any queries.

    Data migration between workspaces isn't supported in the product. You can use a custom mechanism like a Logic App to query and send data to another workspace, but that would change the schemas, as the data would appear as a custom log. The most practical way, although not simple, is to create a new workspace and connect sources to it to start gaining data. Queries can be performed across workspaces for the intermediate time when data is in both workspaces.

    Resources can send logs to Azure Diagnostics or dedicated tables in your workspace. Please use the query below to find out the resources that send data to the AzureDiagnostics table.

     AzureDiagnostics  
     | where TimeGenerated > ago(24h)  
     | summarize by  ResourceProvider , ResourceType, Resource  
     | sort by ResourceProvider, ResourceType  
    

    Run this query for resources that send data to dedicated tables:

     search *  
     | where TimeGenerated > ago(12h)  
     | where isnotnull(_ResourceId)  
     | extend ResourceProvider = split(_ResourceId, '/')[6]  
     | where ResourceProvider !in ('microsoft.compute', 'microsoft.security')  
     | extend ResourceType = split(_ResourceId, '/')[7]  
     | extend Resource = split(_ResourceId, '/')[8]  
     | summarize by tostring(ResourceProvider) , tostring(ResourceType), tostring(Resource)  
     | sort by ResourceProvider, ResourceType  
    

    Hope the information helps.

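The cross-workspace querying mentioned in the answer can also confirm, before an old workspace is deleted, that no resource is still logging only to it. The query below is an added example, not part of the original answer; the workspace names `old-default-workspace` and `new-prod-workspace` are placeholders, and the 7-day lookback and 1-hour "still sending" threshold are assumptions to adjust.

```kusto
// Added example: compare the last record per resource in the old and new workspace.
// Workspace names are placeholders; replace them with your own.
let OldWs = workspace("old-default-workspace").AzureDiagnostics
    | where TimeGenerated > ago(7d)
    | summarize LastSeenOld = max(TimeGenerated) by ResourceId = tolower(_ResourceId);
let NewWs = workspace("new-prod-workspace").AzureDiagnostics
    | where TimeGenerated > ago(7d)
    | summarize LastSeenNew = max(TimeGenerated) by ResourceId = tolower(_ResourceId);
OldWs
| join kind=fullouter NewWs on ResourceId
// After a full outer join the right-hand key is renamed ResourceId1.
| extend Resource = coalesce(ResourceId, ResourceId1)
| extend Status = case(
    isnull(LastSeenNew), "only in old workspace (not migrated)",
    isnull(LastSeenOld), "only in new workspace",
    LastSeenOld > ago(1h), "sending to both workspaces",
    "cut over to new workspace")
| project Resource, LastSeenOld, LastSeenNew, Status
| sort by Status asc, Resource asc
```

This covers only the AzureDiagnostics table; resources that write to dedicated tables need the same comparison run against those tables.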