Managing Azure Monitor Logs in Azure CLI
Use the Azure CLI commands described here to manage your log analytics workspace in Azure Monitor.
Prerequisites
Use the Bash environment in Azure Cloud Shell. For more information, see Quickstart for Bash in Azure Cloud Shell.
If you prefer to run CLI reference commands locally, install the Azure CLI. If you're running on Windows or macOS, consider running Azure CLI in a Docker container. For more information, see How to run the Azure CLI in a Docker container.
If you're using a local installation, sign in to the Azure CLI by using the az login command. To finish the authentication process, follow the steps displayed in your terminal. For other sign-in options, see Sign in with the Azure CLI.
When you're prompted, install the Azure CLI extension on first use. For more information about extensions, see Use extensions with the Azure CLI.
Run az version to find the version and dependent libraries that are installed. To upgrade to the latest version, run az upgrade.
Create a workspace for Monitor Logs
Run the az group create command to create a resource group or use an existing resource group. To create a workspace, use the az monitor log-analytics workspace create command.
az group create --name ContosoRG --location eastus2
az monitor log-analytics workspace create --resource-group ContosoRG \
--workspace-name ContosoWorkspace
For more information about workspaces, see Azure Monitor Logs overview.
List tables in your workspace
Each workspace contains tables with columns that have multiple rows of data. Each table is defined by a unique set of columns of data provided by the data source.
To see the tables in your workspace, use the az monitor log-analytics workspace table list command:
az monitor log-analytics workspace table list --resource-group ContosoRG \
--workspace-name ContosoWorkspace --output table
The output value table presents the results in a more readable format. For more information, see Output formatting.
To change the retention time for a table, run the az monitor log-analytics workspace table update command:
az monitor log-analytics workspace table update --resource-group ContosoRG \
--workspace-name ContosoWorkspace --name Syslog --retention-time 45
The retention time is between 30 and 730 days.
For more information about tables, see Data structure.
Delete a table
You can delete Custom Log, Search Results and Restored Logs tables.
To delete a table, run the az monitor log-analytics workspace table delete command:
az monitor log-analytics workspace table delete –subscription ContosoSID --resource-group ContosoRG --workspace-name ContosoWorkspace --name MySearchTable_SRCH
Export data from selected tables
You can continuously export data from selected tables to an Azure storage account or Azure Event Hubs. Use the az monitor log-analytics workspace data-export create command:
az monitor log-analytics workspace data-export create --resource-group ContosoRG \
--workspace-name ContosoWorkspace --name DataExport --table Syslog \
--destination /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ContosoRG/providers/Microsoft.Storage/storageAccounts/exportaccount \
--enable
To see your data exports, run the az monitor log-analytics workspace data-export list command.
az monitor log-analytics workspace data-export list --resource-group ContosoRG \
--workspace-name ContosoWorkspace --output table
To delete a data export, run the az monitor log-analytics workspace data-export delete command. The --yes parameter skips confirmation.
az monitor log-analytics workspace data-export delete --resource-group ContosoRG \
--workspace-name ContosoWorkspace --name DataExport --yes
For more information about data export, see Log Analytics workspace data export in Azure Monitor.
Manage a linked service
Linked services define a relation from the workspace to another Azure resource. Azure Monitor Logs and Azure resources use this connection in their operations. Example uses of linked services, including an automation account and a workspace association to customer-managed keys.
To create a linked service, run the az monitor log-analytics workspace linked-service create command:
az monitor log-analytics workspace linked-service create --resource-group ContosoRG \
--workspace-name ContosoWorkspace --name linkedautomation \
--resource-id /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ContosoRG/providers/Microsoft.Web/sites/ContosoWebApp09
az monitor log-analytics workspace linked-service list --resource-group ContosoRG \
--workspace-name ContosoWorkspace
To remove a linked service relation, run the az monitor log-analytics workspace linked-service delete command:
az monitor log-analytics workspace linked-service delete --resource-group ContosoRG \
--workspace-name ContosoWorkspace --name linkedautomation
For more information, see az monitor log-analytics workspace linked-service.
Manage linked storage
If you provide and manage your own storage account for log analytics, you can manage it with these Azure CLI commands.
To link your workspace to a storage account, run the az monitor log-analytics workspace linked-storage create command:
az monitor log-analytics workspace linked-storage create --resource-group ContosoRG \
--workspace-name ContosoWorkspace \
--storage-accounts /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ContosoRG/providers/Microsoft.Storage/storageAccounts/contosostorage \
--type Alerts
az monitor log-analytics workspace linked-storage list --resource-group ContosoRG \
--workspace-name ContosoWorkspace --output table
To remove the link to a storage account, run the az monitor log-analytics workspace linked-storage delete command:
az monitor log-analytics workspace linked-storage delete --resource-group ContosoRG \
--workspace-name ContosoWorkspace --type Alerts
For more information, see, Using customer-managed storage accounts in Azure Monitor Log Analytics.
Manage intelligence packs
To see the available intelligence packs, run the az monitor log-analytics workspace pack list command. The command also tells you whether the pack is enabled.
az monitor log-analytics workspace pack list --resource-group ContosoRG \
--workspace-name ContosoWorkspace
Use the az monitor log-analytics workspace pack enable or az monitor log-analytics workspace pack disable commands:
az monitor log-analytics workspace pack enable --resource-group ContosoRG \
--workspace-name ContosoWorkspace --name NetFlow
az monitor log-analytics workspace pack disable --resource-group ContosoRG \
--workspace-name ContosoWorkspace --name NetFlow
Manage saved searches
To create a saved search, run the az monitor log-analytics workspace saved-search command:
az monitor log-analytics workspace saved-search create --resource-group ContosoRG \
--workspace-name ContosoWorkspace --name SavedSearch01 \
--category "Log Management" --display-name SavedSearch01 \
--saved-query "AzureActivity | summarize count() by bin(TimeGenerated, 1h)" --fa Function01 --fp "a:string = value"
View your saved search by using the az monitor log-analytics workspace saved-search show command. See all saved searches by using az monitor log-analytics workspace saved-search list.
az monitor log-analytics workspace saved-search show --resource-group ContosoRG \
--workspace-name ContosoWorkspace --name SavedSearch01
az monitor log-analytics workspace saved-search list --resource-group ContosoRG \
--workspace-name ContosoWorkspace
To delete a saved search, run the az monitor log-analytics workspace saved-search delete command:
az monitor log-analytics workspace saved-search delete --resource-group ContosoRG \
--workspace-name ContosoWorkspace --name SavedSearch01 --yes
Clean up deployment
If you created a resource group to test these commands, you can remove the resource group and all its contents by using the az group delete command:
az group delete --name ContosoRG
If you want to remove a new workspace from an existing resource group, run the az monitor log-analytics workspace delete command:
az monitor log-analytics workspace delete --resource-group ContosoRG
--workspace-name ContosoWorkspace --yes
Log analytics workspaces have a soft delete option. You can recover a deleted workspace for two weeks after deletion. Run the az monitor log-analytics workspace recover command:
az monitor log-analytics workspace recover --resource-group ContosoRG
--workspace-name ContosoWorkspace
In the delete command, add the --force parameter to delete the workspace immediately.
Azure CLI commands used in this article
- az group create
- az group delete
- az monitor log-analytics workspace create
- az monitor log-analytics workspace data-export create
- az monitor log-analytics workspace data-export delete
- az monitor log-analytics workspace data-export list
- az monitor log-analytics workspace delete
- az monitor log-analytics workspace linked-service create
- az monitor log-analytics workspace linked-service delete
- az monitor log-analytics workspace linked-storage create
- az monitor log-analytics workspace linked-storage delete
- az monitor log-analytics workspace pack disable
- az monitor log-analytics workspace pack enable
- az monitor log-analytics workspace pack list
- az monitor log-analytics workspace recover
- az monitor log-analytics workspace saved-search delete
- az monitor log-analytics workspace saved-search list
- az monitor log-analytics workspace saved-search show
- az monitor log-analytics workspace saved-search
- az monitor log-analytics workspace table list
- az monitor log-analytics workspace table update
Next steps
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for