I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this!
Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others ", I'll repost your solution in case you'd like to "Accept " the answer. Accepted answers show up at the top, resulting in improved discoverability for others.
Issue: How to enable the ADLS access logs via the modern Diagnostic Settings to bring them into Log Analytics?
Solution: Customer shared - "With the help of Microsoft Support we found the root cause why StorageDelete
Events aren't logged to Log Analytics. In my case the Log Analytics Workspace was using a Data Collection Rule Transformation with a KQL
Query that filtered specific API Operations.
The KQL Transformation looked like this:
source
| where OperationName in ("PutBlob", "PutBlock")
| extend [...]
so, the Diagnostic Settings
were correctly sending the events to log analytics, but due to the filter in the transformation query only StorageWrite
operations ended up in the StorageBlobLogs
table."
If your issue remains unresolved or have further questions, please let us know in the comments how we can assist. We are here to help you and strive to make your experience better and greatly value your feedback.