Restore logs in Azure Monitor

The restore operation makes a specific time range of data in a table available in the hot cache for high-performance queries. This article describes how to restore data, query that data, and then dismiss the data when you're done.

When to restore logs

Use the restore operation to query data in Archived Logs. You can also use the restore operation to run powerful queries within a specific time range on any Analytics table when the log queries you run on the source table can't complete within the log query timeout of 10 minutes.

Note

Restore is one method for accessing archived data. Use restore to run queries against a set of data within a particular time range. Use Search jobs to access data based on specific criteria.

What does restore do?

When you restore data, you specify the source table that contains the data you want to query and the name of the new destination table to be created.

The restore operation creates the restore table and allocates additional compute resources for querying the restored data using high-performance queries that support full KQL.

The destination table provides a view of the underlying source data, but doesn't affect it in any way. The table has no retention setting, and you must explicitly dismiss the restored data when you no longer need it.

Restore data

API

To restore data from a table, call the Tables - Create or Update API. The name of the destination table must end with _RST.

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/tables/{user defined name}_RST?api-version=2021-12-01-preview

Request body

The body of the request must include the following values:

Name	Type	Description
properties.restoredLogs.sourceTable	string	Table with the data to restore.
properties.restoredLogs.startRestoreTime	string	Start of the time range to restore.
properties.restoredLogs.endRestoreTime	string	End of the time range to restore.

Restore table status

The provisioningState property indicates the current state of the restore table operation. The API returns this property when you start the restore, and you can retrieve this property later using a GET operation on the table. The provisioningState property has one of the following values:

Value	Description
Updating	Restore operation in progress.
Succeeded	Restore operation completed.
Deleting	Deleting the restored table.

Sample request

This sample restores data from the month of January 2020 from the Usage table to a table called Usage_RST.

Request

PUT https://management.azure.com/subscriptions/00000000-0000-0000-0000-00000000000/resourcegroups/testRG/providers/Microsoft.OperationalInsights/workspaces/testWS/tables/Usage_RST?api-version=2021-12-01-preview

Request body:

{
    "properties":  {
    "restoredLogs":  {
                      "startRestoreTime":  "2020-01-01T00:00:00Z",
                      "endRestoreTime":  "2020-01-31T00:00:00Z",
                      "sourceTable":  "Usage"
    }
  }
}

CLI

To restore data from a table, run the az monitor log-analytics workspace table restore create command.

For example:

az monitor log-analytics workspace table restore create --subscription ContosoSID --resource-group ContosoRG  --workspace-name ContosoWorkspace --name Heartbeat_RST --restore-source-table Heartbeat --start-restore-time "2022-01-01T00:00:00.000Z" --end-restore-time "2022-01-08T00:00:00.000Z" --no-wait

Query restored data

Restored logs retain their original timestamps. When you run a query on restored logs, set the query time range based on when the data was originally generated.

Set the query time range by either:

• Selecting Custom in the Time range dropdown at the top of the query editor and setting From and To values.
  
  or

• Specifying the time range in the query. For example:

  let startTime =datetime(01/01/2022 8:00:00 PM);
  let endTime =datetime(01/05/2022 8:00:00 PM);
  TableName_RST
  | where TimeGenerated between(startTime .. endTime)
  

Dismiss restored data

To save costs, we recommend you delete the restored table to dismiss restored data when you no longer need it.

Deleting the restored table doesn't delete the data in the source table.

Note

Restored data is available as long as the underlying source data is available. When you delete the source table from the workspace or when the source table's retention period ends, the data is dismissed from the restored table. However, the empty table will remain if you do not delete it explicitly.

Limitations

Restore is subject to the following limitations.

You can:

• Restore data for a minimum of two days.
• Restore up to 60 TB.
• Run up to two restore processes in a workspace concurrently.
• Run only one active restore on a specific table at a given time. Executing a second restore on a table that already has an active restore will fail.
• Perform up to four restores per table per week.

Pricing model

The charge for maintaining restored logs is calculated based on the volume of data you restore, in GB, and the number or days for which you restore the data. Charges are prorated and subject to the minimum restore duration and data volume. There is no charge for querying against restored logs.

For example, if your table holds 500 GB a day and you restore 10 days of data, you'll be charged for 5000 GB a day until you dismiss the restored data.

Note

Billing of restore is not yet enabled. You can restore logs for free until early 2023.

For more information, see Azure Monitor pricing.

Next steps

• Learn more about data retention and archiving data.
• Learn about Search jobs, which is another method for retrieving archived data.