Add or delete tables and columns in Azure Monitor Logs

Data collection rules let you filter and transform log data before sending the data to an Azure table or a custom table. This article explains how to create custom tables and add custom columns to tables in your Log Analytics workspace.

Prerequisites

To create a custom table, you need:

  • A Log Analytics workspace where you have at least contributor rights.

  • A data collection endpoint (DCE).

  • A JSON file with the schema of your custom table in the following format:

    [
      {
        "TimeGenerated": "supported_datetime_format",
        "<column_name_1>": "<column_name_1_value>",
        "<column_name_2>": "<column_name_2_value>"
      }
    ]
    

    For information about the TimeGenerated format, see supported datetime formats.

Create a custom table

Azure tables have predefined schemas. To store log data in a different schema, use data collection rules to define how to collect, transform, and send the data to a custom table in your Log Analytics workspace.

Note

For information about creating a custom table for logs you ingest with the deprecated Log Analytics agent, also known as MMA or OMS, see Collect text logs with the Log Analytics agent.

To create a custom table in the Azure portal:

  1. From the Log Analytics workspaces menu, select Tables.

    Screenshot that shows the Tables screen for a Log Analytics workspace.

  2. Select Create and then New custom log (DCR-based).

    Screenshot showing new DCR-based custom log.

  3. Specify a name and, optionally, a description for the table. You don't need to add the _CL suffix to the custom table's name - this is added automatically to the name you specify in the portal.

  4. Select an existing data collection rule from the Data collection rule dropdown, or select Create a new data collection rule and specify the Subscription, Resource group, and Name for the new data collection rule.

    Screenshot showing new data collection rule.

  5. Select a data collection endpoint and select Next.

    Screenshot showing custom log table name.

  6. Select Browse for files and locate the JSON file in which you defined the schema of your new table.

    Screenshot showing custom log browse for files.

    All log tables in Azure Monitor Logs must have a TimeGenerated column populated with the timestamp of the logged event.

  7. If you want to transform log data before ingestion into your table:

    1. Select Transformation editor.

      The transformation editor lets you create a transformation for the incoming data stream. This is a KQL query that runs against each incoming record. Azure Monitor Logs stores the results of the query in the destination table.

      Screenshot showing custom log data preview.

    2. Select Run to view the results.

      Screenshot showing initial custom log data query.

  8. Select Apply to save the transformation and view the schema of the table that's about to be created. Select Next to proceed.

    Screenshot showing custom log final schema.

  9. Verify the final details and select Create to save the custom log.

    Screenshot showing custom log create.

Delete a table

You can delete any table in your Log Analytics workspace that's not an Azure table.

Note

Deleting a restored table doesn't delete the data in the source table.

To delete a table from the Azure portal:

  1. From the Log Analytics workspace menu, select Tables.

  2. Search for the tables you want to delete by name, or by selecting Search results in the Type field.

    Screenshot that shows the Tables screen for a Log Analytics workspace with the Filter by name and Type fields highlighted.

  3. Select the table you want to delete, select the ellipsis ( ... ) to the right of the table, select Delete, and confirm the deletion by typing yes.

    Screenshot that shows the Delete Table screen for a table in a Log Analytics workspace.

Add or delete a custom column

You can modify the schema of custom tables and add custom columns to, or delete columns from, a standard table.

Note

Column names must start with a letter and can consist of up to 45 alphanumeric characters and the characters _ and -. The following are reserved column names: Type, TenantId, resource, resourceid, resourcename, resourcetype, subscriptionid, tenanted.

To add a custom column to a table in your Log Analytics workspace, or delete a column:

  1. From the Log Analytics workspaces menu, select Tables.

  2. Select the ellipsis ( ... ) to the right of the table you want to edit and select Edit schema. This opens the Schema Editor screen.

  3. Scroll down to the Custom Columns section of the Schema Editor screen.

    Screenshot showing the Schema Editor screen with the Add a column and Delete buttons highlighted.

  4. To add a new column:

    1. Select Add a column.
    2. Set the column name and description (optional), and select the expected value type from the Type dropdown.
    3. Select Save to save the new column.
  5. To delete a column, select the Delete icon to the left of the column you want to delete.

Next steps

Learn more about: