Duplicate Workspace tables with custom transformations

Question

I have the following problem:

We have a Kubernetes cluster which writes data to the ContainerLogV2 table. There are different containers running in the cluster so the log format depends on the individual pod. Inside Log Analytics Workplace I can only set up a transformation rule for the whole table. What I ideally want: Individual transformation rules applied to the incoming data writing it depending on the application to different tables. How can I achieve this?

Answer 1

Correct me if I am wrong...

Transformation required a DCR rule and I don't think you can create a DCR for diagnostic data (yet).

I think you could have DCRs directing the same data to two tables, each with its own transformation. If and when DCR works with diagnostic data.

Though with KQL it should not matter significantly to have the data in the same table unless you need table-level RBAC.

Answer 2

@Goennenwein, Philipp Welcome to Microsoft Q & A Community Forum and thanks for your query. Adding further information to Andrew answer, yes, it's possible to send data to multiple destinations in a Log Analytics workspace by using a single DCR. You provide a KQL query for each destination, and the results of each query are sent to their corresponding location. You can send different sets of data to different tables or use multiple queries to send different sets of data to the same table.

To use multiple destinations, you must currently either manually create a new DCR or edit an existing one. See the Samples section of this document for examples of DCRs that use multiple destinations.