Manage tables in a Log Analytics workspace

A Log Analytics workspace lets you collect logs from Azure and non-Azure resources into one space for data analysis, use by other services, such as Sentinel, and to trigger alerts and actions, for example, using Azure Logic Apps. The Log Analytics workspace consists of tables, which you can configure to manage your data model and log-related costs. This article explains the table configuration options in Azure Monitor Logs and how to set table properties based on your data analysis and cost management needs.

Permissions required

You must have microsoft.operationalinsights/workspaces/tables/write permissions to the Log Analytics workspaces you manage, as provided by the Log Analytics Contributor built-in role, for example.

Table properties

This diagram provides an overview of the table configuration options in Azure Monitor Logs:

Diagram that shows table configuration options, including table type, table schema, table plan, and retention and archive.

Table type and schema

A table's schema is the set of columns that make up the table, into which Azure Monitor Logs collects log data from one or more data sources.

Your Log Analytics workspace can contain the following types of tables:

Table type Data source Schema
Azure table Logs from Azure resources or required by Azure services and solutions. Azure Monitor Logs creates Azure tables automatically based on Azure services you use and diagnostic settings you configure for specific resources. Each Azure table has a predefined schema. You can add columns to an Azure table to store transformed log data or enrich data in the Azure table with data from another source.
Custom table Non-Azure resources and any other data source, such as file-based logs. You can define a custom table's schema based on how you want to store data you collect from a given data source.
Search results All data stored in a Log Analytics workspace. The schema of a search results table is based on the query you define when you run the search job. You can't edit the schema of existing search results tables.
Restored logs Archived logs. A restored logs table has the same schema as the table from which you restore logs. You can't edit the schema of existing restored logs tables.

Log data plan

Configure a table's log data plan based on how often you access the data in the table:

  • The Analytics plan makes log data available for interactive queries and use by features and services.
  • The Basic log data plan provides a low-cost way to ingest and retain logs for troubleshooting, debugging, auditing, and compliance.

Retention and archive

Archiving is a low-cost solution for keeping data that you no longer use regularly in your workspace for compliance or occasional investigation. Set table-level retention to override the default workspace retention and to archive data within your workspace.

To access archived data, run a search job or restore data for a specific time range.

Ingestion-time transformations

Reduce costs and analysis effort by using data collection rules to filter out and transform data before ingestion based on the schema you define for your custom table.

View table properties

Note

The table name is case sensitive.

To view and set table properties in the Azure portal:

  1. From your Log Analytics workspace, select Tables.

    The Tables screen presents table configuration information for all tables in your Log Analytics workspace.

    Screenshot that shows the Tables screen for a Log Analytics workspace.

  2. Select the ellipsis (...) to the right of a table to open the table management menu.

    The available table management options vary based on the table type.

    1. Select Manage table to edit the table properties.

    2. Select Edit schema to view and edit the table schema.

Next steps

Learn how to: