Manage tables in a Log Analytics workspace
A Log Analytics workspace lets you collect logs from Azure and non-Azure resources into one space for data analysis, use by other services, such as Sentinel, and to trigger alerts and actions, for example, using Azure Logic Apps. The Log Analytics workspace consists of tables, which you can configure to manage your data model and log-related costs. This article explains the table configuration options in Azure Monitor Logs and how to set table properties based on your data analysis and cost management needs.
You must have
microsoft.operationalinsights/workspaces/tables/write permissions to the Log Analytics workspaces you manage, as provided by the Log Analytics Contributor built-in role, for example.
This diagram provides an overview of the table configuration options in Azure Monitor Logs:
Table type and schema
A table's schema is the set of columns that make up the table, into which Azure Monitor Logs collects log data from one or more data sources.
Your Log Analytics workspace can contain the following types of tables:
|Table type||Data source||Schema|
|Azure table||Logs from Azure resources or required by Azure services and solutions.||Azure Monitor Logs creates Azure tables automatically based on Azure services you use and diagnostic settings you configure for specific resources. Each Azure table has a predefined schema. You can add columns to an Azure table to store transformed log data or enrich data in the Azure table with data from another source.|
|Custom table||Non-Azure resources and any other data source, such as file-based logs.||You can define a custom table's schema based on how you want to store data you collect from a given data source.|
|Search results||All data stored in a Log Analytics workspace.||The schema of a search results table is based on the query you define when you run the search job. You can't edit the schema of existing search results tables.|
|Restored logs||Archived logs.||A restored logs table has the same schema as the table from which you restore logs. You can't edit the schema of existing restored logs tables.|
Log data plan
Configure a table's log data plan based on how often you access the data in the table:
- The Analytics plan makes log data available for interactive queries and use by features and services.
- The Basic log data plan provides a low-cost way to ingest and retain logs for troubleshooting, debugging, auditing, and compliance.
Retention and archive
Archiving is a low-cost solution for keeping data that you no longer use regularly in your workspace for compliance or occasional investigation. Set table-level retention policies to override the default workspace retention policy and to archive data within your workspace.
Reduce costs and analysis effort by using data collection rules to filter out and transform data before ingestion based on the schema you define for your custom table.
View table properties
To view and set table properties in the Azure portal:
From your Log Analytics workspace, select Tables.
The Tables screen presents table configuration information for all tables in your Log Analytics workspace.
Select the ellipsis (...) to the right of a table to open the table management menu.
The available table management options vary based on the table type.
Select Manage table to edit the table properties.
Select Edit schema to view and edit the table schema.
Learn how to: