Share via

Data Collection Rule Transformation Not Filtering Events in Log Analytics

SwathiDhanwada-MSFT 19,073 Reputation points Moderator
2024-08-01T06:11:05.0666667+00:00

Why is my Data Collection Rule (DCR) transformation having no effect on filtering events in my Log Analytics workspace?

PS - Based on common issues that we have seen from customers and other sources, we are posting these questions to help the Azure community.

Azure Monitor
Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. SwathiDhanwada-MSFT 19,073 Reputation points Moderator
    2024-08-01T06:11:47.7433333+00:00

    The problem arises because the transformKql parameter is missing from our Data Collection Rule (DCR). This parameter is crucial for filtering events as intended. To fix this, you need to add the transformKql parameter under the dataFlows section in your DCR.

    Follow these steps to update your DCR using PowerShell:

    1. Review your DCR to confirm the absence of the transformKql parameter under dataFlows.
    2. If it is not present, create the transformKql parameter under the dataFlows section.
    3. Use the following documentation for detailed instructions on editing DCRs and applying a DCR template: Editing Data Collection Rules

    After updating your DCR with the transformKql parameter, the transformation should work as expected, and the events will be filtered accordingly in Log Analytics workspace.

    Please do not forget to "up-vote" wherever the information provided helps you, as this can be beneficial to other community members.

    0 comments

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.