Add or delete tables and columns in Azure Monitor Logs

Data collection rules let you filter and transform log data before sending the data to an Azure table or a custom table. This article explains how to create custom tables and add custom columns to tables in your Log Analytics workspace.

Prerequisites

To create a custom table, you need:

• A Log Analytics workspace where you have at least contributor rights.

• A data collection endpoint (DCE).

• A JSON file with the schema of your custom table in the following format:

  [
    {
      "TimeGenerated": "supported_datetime_format",
      "<column_name_1>": "<column_name_1_value>",
      "<column_name_2>": "<column_name_2_value>"
    }
  ]
  

  For information about the TimeGenerated format, see supported datetime formats.

Create a custom table

Azure tables have predefined schemas. To store log data in a different schema, use data collection rules to define how to collect, transform, and send the data to a custom table in your Log Analytics workspace.

Note

For information about creating a custom table for logs you ingest with the deprecated Log Analytics agent, also known as MMA or OMS, see Collect text logs with the Log Analytics agent.

Portal

To create a custom table in the Azure portal:

1. From the Log Analytics workspaces menu, select Tables.

   

2. Select Create and then New custom log (DCR-based).

   

3. Specify a name and, optionally, a description for the table. You don't need to add the _CL suffix to the custom table's name - this is added automatically to the name you specify in the portal.

4. Select an existing data collection rule from the Data collection rule dropdown, or select Create a new data collection rule and specify the Subscription, Resource group, and Name for the new data collection rule.

   

5. Select a data collection endpoint and select Next.

   

6. Select Browse for files and locate the JSON file in which you defined the schema of your new table.

   

   All log tables in Azure Monitor Logs must have a TimeGenerated column populated with the timestamp of the logged event.

7. If you want to transform log data before ingestion into your table:

   1. Select Transformation editor.

      The transformation editor lets you create a transformation for the incoming data stream. This is a KQL query that runs against each incoming record. Azure Monitor Logs stores the results of the query in the destination table.

      

   2. Select Run to view the results.

      

8. Select Apply to save the transformation and view the schema of the table that's about to be created. Select Next to proceed.

   

9. Verify the final details and select Create to save the custom log.

   

API

To create a custom table, call the Tables - Create Or Update API.

CLI

To create a custom table, run the az monitor log-analytics workspace table create command.

PowerShell

Use the Tables - Update PATCH API to create a custom table with the PowerShell code below. This code creates a table called MyTable_CL with two columns. Modify this schema to collect a different table.

Important

Custom tables have a suffix of _CL; for example, tablename_CL. The tablename_CL in the DataFlows Streams must match the tablename_CL name in the Log Analytics workspace.

1. Select the Cloud Shell button in the Azure portal and ensure the environment is set to PowerShell.

   

2. Copy the following PowerShell code and replace the Path parameter with the appropriate values for your workspace in the Invoke-AzRestMethod command. Paste it into the Cloud Shell prompt to run it.

   $tableParams = @'
   {
       "properties": {
           "schema": {
               "name": "MyTable_CL",
               "columns": [
                   {
                       "name": "TimeGenerated",
                       "type": "DateTime"
                   }, 
                   {
                       "name": "RawData",
                       "type": "String"
                   }
               ]
           }
       }
   }
   '@
   
   Invoke-AzRestMethod -Path "/subscriptions/{subscription}/resourcegroups/{resourcegroup}/providers/microsoft.operationalinsights/workspaces/{workspace}/tables/MyTable_CL?api-version=2021-12-01-preview" -Method PUT -payload $tableParams
   

Delete a table

You can delete any table in your Log Analytics workspace that's not an Azure table.

Note

Deleting a restored table doesn't delete the data in the source table.

Portal

To delete a table from the Azure portal:

1. From the Log Analytics workspace menu, select Tables.

2. Search for the tables you want to delete by name, or by selecting Search results in the Type field.

   

3. Select the table you want to delete, select the ellipsis ( ... ) to the right of the table, select Delete, and confirm the deletion by typing yes.

   

API

To delete a table, call the Tables - Delete API.

CLI

To delete a table, run the az monitor log-analytics workspace table delete command.

PowerShell

To delete a table using PowerShell:

1. Select the Cloud Shell button in the Azure portal and ensure the environment is set to PowerShell.

   

2. Copy the following PowerShell code and replace the Path parameter with the appropriate values for your workspace in the Invoke-AzRestMethod command. Paste it into the Cloud Shell prompt to run it.

   Invoke-AzRestMethod -Path "/subscriptions/{subscription}/resourcegroups/{resourcegroup}/providers/microsoft.operationalinsights/workspaces/{workspace}/tables/NewCustom_CL?api-version=2021-12-01-preview" -Method DELETE
   

Add or delete a custom column

You can modify the schema of custom tables and add custom columns to, or delete columns from, a standard table.

Note

Column names must start with a letter and can consist of up to 45 alphanumeric characters and the characters _ and -. The following are reserved column names: Type, TenantId, resource, resourceid, resourcename, resourcetype, subscriptionid, tenanted.

Portal

To add a custom column to a table in your Log Analytics workspace, or delete a column:

1. From the Log Analytics workspaces menu, select Tables.

2. Select the ellipsis ( ... ) to the right of the table you want to edit and select Edit schema. This opens the Schema Editor screen.

3. Scroll down to the Custom Columns section of the Schema Editor screen.

   

4. To add a new column:

   1. Select Add a column.
   2. Set the column name and description (optional), and select the expected value type from the Type dropdown.
   3. Select Save to save the new column.

5. To delete a column, select the Delete icon to the left of the column you want to delete.

API

To add or delete a custom column, call the Tables - Create Or Update API.

CLI

To add or delete a custom column, run the az monitor log-analytics workspace table update command.

PowerShell

To add a new column to an Azure or custom table, run:

$tableParams = @'
{
    "properties": {
        "schema": {
            "name": "<TableName>",
            "columns": [
                {
                    "name": ""<ColumnName>",
                    "description": "First custom column",
                    "type": "string",
                    "isDefaultDisplay": true,
                    "isHidden": false
                }
            ]
        }
    }
}
'@

Invoke-AzRestMethod -Path "/subscriptions/{subscription}/resourcegroups/{resourcegroup}/providers/microsoft.operationalinsights/workspaces/{workspace}/tables/<TableName>?api-version=2021-12-01-preview" -Method PUT -payload $tableParams

The PUT call returns the updated table properties, which should include the newly added column.

Example

Run this command to add a custom column, called Custom1_CF, to the Azure Heartbeat table:

$tableParams = @'
{
    "properties": {
        "schema": {
            "name": "Heartbeat",
            "columns": [
                {
                    "name": "Custom1_CF",
                    "description": "The second custom column",
                    "type": "datetime",
                    "isDefaultDisplay": true,
                    "isHidden": false
                }
            ]
        }
    }
}
'@

Invoke-AzRestMethod -Path "/subscriptions/{subscription}/resourcegroups/{resourcegroup}/providers/microsoft.operationalinsights/workspaces/{workspace}/tables/Heartbeat?api-version=2021-12-01-preview" -Method PUT -payload $tableParams

Now, to delete the newly added column and add another one instead, run:

$tableParams = @'
{
    "properties": {
        "schema": {
            "name": "Heartbeat",
            "columns": [
                {
                    "name": "Custom2_CF",
                    "description": "The second custom column",
                    "type": "datetime",
                    "isDefaultDisplay": true,
                    "isHidden": false
                }
            ]
        }
    }
}
'@

Invoke-AzRestMethod -Path "/subscriptions/{subscription}/resourcegroups/{resourcegroup}/providers/microsoft.operationalinsights/workspaces/{workspace}/tables/Heartbeat?api-version=2021-12-01-preview" -Method PUT -payload $tableParams

To delete all custom columns in the table, run:

$tableParams = @'
{
    "properties": {
        "schema": {
            "name": "Heartbeat",
            "columns": [
            ]
        }
    }
}
'@

Invoke-AzRestMethod -Path "/subscriptions/{subscription}/resourcegroups/{resourcegroup}/providers/microsoft.operationalinsights/workspaces/{workspace}/tables/Heartbeat?api-version=2021-12-01-preview" -Method PUT -payload $tableParams

Next steps

Learn more about:

• Collecting logs with the Log Ingestion API
• Collecting logs with Azure Monitor Agent
• Data collection rules