Add or delete tables and columns in Azure Monitor Logs
Data collection rules let you filter and transform log data before sending the data to an Azure table or a custom table. This article explains how to create custom tables and add custom columns to tables in your Log Analytics workspace.
Prerequisites
To create a custom table, you need:
A Log Analytics workspace where you have at least contributor rights.
A JSON file with the schema of your custom table in the following format:
[ { "TimeGenerated": "supported_datetime_format", "<column_name_1>": "<column_name_1_value>", "<column_name_2>": "<column_name_2_value>" } ]
For information about the
TimeGenerated
format, see supported datetime formats.
Create a custom table
Azure tables have predefined schemas. To store log data in a different schema, use data collection rules to define how to collect, transform, and send the data to a custom table in your Log Analytics workspace.
Note
For information about creating a custom table for logs you ingest with the deprecated Log Analytics agent, also known as MMA or OMS, see Collect text logs with the Log Analytics agent.
To create a custom table in the Azure portal:
From the Log Analytics workspaces menu, select Tables.
Select Create and then New custom log (DCR-based).
Specify a name and, optionally, a description for the table. You don't need to add the _CL suffix to the custom table's name - this is added automatically to the name you specify in the portal.
Select an existing data collection rule from the Data collection rule dropdown, or select Create a new data collection rule and specify the Subscription, Resource group, and Name for the new data collection rule.
Select a data collection endpoint and select Next.
Select Browse for files and locate the JSON file in which you defined the schema of your new table.
All log tables in Azure Monitor Logs must have a
TimeGenerated
column populated with the timestamp of the logged event.If you want to transform log data before ingestion into your table:
Select Apply to save the transformation and view the schema of the table that's about to be created. Select Next to proceed.
Verify the final details and select Create to save the custom log.
Delete a table
You can delete any table in your Log Analytics workspace that's not an Azure table.
Note
Deleting a restored table doesn't delete the data in the source table.
To delete a table from the Azure portal:
From the Log Analytics workspace menu, select Tables.
Search for the tables you want to delete by name, or by selecting Search results in the Type field.
Select the table you want to delete, select the ellipsis ( ... ) to the right of the table, select Delete, and confirm the deletion by typing yes.
Add or delete a custom column
You can modify the schema of custom tables and add custom columns to, or delete columns from, a standard table.
Note
Column names must start with a letter and can consist of up to 45 alphanumeric characters and the characters _
and -
. The following are reserved column names: Type
, TenantId
, resource
, resourceid
, resourcename
, resourcetype
, subscriptionid
, tenanted
.
To add a custom column to a table in your Log Analytics workspace, or delete a column:
From the Log Analytics workspaces menu, select Tables.
Select the ellipsis ( ... ) to the right of the table you want to edit and select Edit schema. This opens the Schema Editor screen.
Scroll down to the Custom Columns section of the Schema Editor screen.
To add a new column:
- Select Add a column.
- Set the column name and description (optional), and select the expected value type from the Type dropdown.
- Select Save to save the new column.
To delete a column, select the Delete icon to the left of the column you want to delete.
Next steps
Learn more about:
Feedback
Submit and view feedback for