Compartilhar via


Data Collection Rules - Create

Creates or updates a data collection rule.

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Insights/dataCollectionRules/{dataCollectionRuleName}?api-version=2023-03-11

URI Parameters

Name In Required Type Description
dataCollectionRuleName
path True

string

The name of the data collection rule. The name is case insensitive.

resourceGroupName
path True

string

The name of the resource group. The name is case insensitive.

subscriptionId
path True

string

The ID of the target subscription.

api-version
query True

string

The API version to use for this operation.

Request Body

Name Required Type Description
location True

string

The geo-location where the resource lives.

identity

Identity

Managed service identity of the resource.

kind

KnownDataCollectionRuleResourceKind

The kind of the resource.

properties.agentSettings

AgentSettings

Agent settings used to modify agent behavior on a given host

properties.dataCollectionEndpointId

string

The resource ID of the data collection endpoint that this rule can be used with.

properties.dataFlows

DataFlow[]

The specification of data flows.

properties.dataSources

DataSources

The specification of data sources. This property is optional and can be omitted if the rule is meant to be used via direct calls to the provisioned endpoint.

properties.description

string

Description of the data collection rule.

properties.destinations

Destinations

The specification of destinations.

properties.references

References

Defines all the references that may be used in other sections of the DCR

properties.streamDeclarations

<string,  StreamDeclaration>

Declaration of custom streams used in this rule.

tags

object

Resource tags.

Responses

Name Type Description
200 OK

DataCollectionRuleResource

Data collection rule was successfully updated

201 Created

DataCollectionRuleResource

Data collection rule was successfully created

Other Status Codes

ErrorResponseCommonV2

Error

Security

azure_auth

Azure Active Directory OAuth2 Flow

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name Description
user_impersonation impersonate your user account

Examples

Create or update an agent settings configuration
Create or update data collection rule
Create or update data collection rule with embedded ingestion endpoints
Create or update data collection rule with enrichment

Create or update an agent settings configuration

Sample request

PUT https://management.azure.com/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourceGroups/myResourceGroup/providers/Microsoft.Insights/dataCollectionRules/myCollectionRule?api-version=2023-03-11

{
  "location": "eastus",
  "kind": "AgentSettings",
  "properties": {
    "description": "An agent settings configuration",
    "agentSettings": {
      "logs": [
        {
          "name": "MaxDiskQuotaInMB",
          "value": "5000"
        },
        {
          "name": "UseTimeReceivedForForwardedEvents",
          "value": "1"
        }
      ]
    }
  }
}

Sample response

{
  "id": "/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourceGroups/myResourceGroup/providers/Microsoft.Insights/dataCollectionRules/myCollectionRule",
  "name": "myCollectionRule",
  "type": "Microsoft.Insights/dataCollectionRules",
  "location": "eastus",
  "kind": "AgentSettings",
  "properties": {
    "description": "An agent settings configuration",
    "immutableId": "dcr-76ce901eee3a400b9945b1e263a70000",
    "agentSettings": {
      "logs": [
        {
          "name": "MaxDiskQuotaInMB",
          "value": "5000"
        },
        {
          "name": "UseTimeReceivedForForwardedEvents",
          "value": "1"
        }
      ]
    },
    "provisioningState": "Succeeded"
  },
  "systemData": {
    "createdBy": "user1",
    "createdByType": "User",
    "createdAt": "2024-03-26T05:41:40.7885407Z",
    "lastModifiedBy": "user1",
    "lastModifiedByType": "User",
    "lastModifiedAt": "2024-03-26T05:41:40.7885407Z"
  },
  "etag": "070057da-0000-0000-0000-5ba70d6c0000"
}
{
  "id": "/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourceGroups/myResourceGroup/providers/Microsoft.Insights/dataCollectionRules/myCollectionRule",
  "name": "myCollectionRule",
  "type": "Microsoft.Insights/dataCollectionRules",
  "location": "eastus",
  "kind": "AgentSettings",
  "properties": {
    "description": "An agent settings configuration",
    "immutableId": "dcr-76ce901eee3a400b9945b1e263a70000",
    "agentSettings": {
      "logs": [
        {
          "name": "MaxDiskQuotaInMB",
          "value": "5000"
        },
        {
          "name": "UseTimeReceivedForForwardedEvents",
          "value": "1"
        }
      ]
    },
    "provisioningState": "Succeeded"
  },
  "systemData": {
    "createdBy": "user1",
    "createdByType": "User",
    "createdAt": "2024-03-26T05:41:40.7885407Z",
    "lastModifiedBy": "user1",
    "lastModifiedByType": "User",
    "lastModifiedAt": "2024-03-26T05:41:40.7885407Z"
  },
  "etag": "070057da-0000-0000-0000-5ba70d6c0000"
}

Create or update data collection rule

Sample request

PUT https://management.azure.com/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourceGroups/myResourceGroup/providers/Microsoft.Insights/dataCollectionRules/myCollectionRule?api-version=2023-03-11

{
  "location": "eastus",
  "properties": {
    "dataSources": {
      "performanceCounters": [
        {
          "name": "cloudTeamCoreCounters",
          "streams": [
            "Microsoft-Perf"
          ],
          "samplingFrequencyInSeconds": 15,
          "counterSpecifiers": [
            "\\Processor(_Total)\\% Processor Time",
            "\\Memory\\Committed Bytes",
            "\\LogicalDisk(_Total)\\Free Megabytes",
            "\\PhysicalDisk(_Total)\\Avg. Disk Queue Length"
          ]
        },
        {
          "name": "appTeamExtraCounters",
          "streams": [
            "Microsoft-Perf"
          ],
          "samplingFrequencyInSeconds": 30,
          "counterSpecifiers": [
            "\\Process(_Total)\\Thread Count"
          ]
        }
      ],
      "windowsEventLogs": [
        {
          "name": "cloudSecurityTeamEvents",
          "streams": [
            "Microsoft-WindowsEvent"
          ],
          "xPathQueries": [
            "Security!"
          ]
        },
        {
          "name": "appTeam1AppEvents",
          "streams": [
            "Microsoft-WindowsEvent"
          ],
          "xPathQueries": [
            "System![System[(Level = 1 or Level = 2 or Level = 3)]]",
            "Application!*[System[(Level = 1 or Level = 2 or Level = 3)]]"
          ]
        }
      ],
      "syslog": [
        {
          "name": "cronSyslog",
          "streams": [
            "Microsoft-Syslog"
          ],
          "facilityNames": [
            "cron"
          ],
          "logLevels": [
            "Debug",
            "Critical",
            "Emergency"
          ]
        },
        {
          "name": "syslogBase",
          "streams": [
            "Microsoft-Syslog"
          ],
          "facilityNames": [
            "syslog"
          ],
          "logLevels": [
            "Alert",
            "Critical",
            "Emergency"
          ]
        }
      ]
    },
    "destinations": {
      "logAnalytics": [
        {
          "workspaceResourceId": "/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourceGroups/myResourceGroup/providers/Microsoft.OperationalInsights/workspaces/centralTeamWorkspace",
          "name": "centralWorkspace"
        }
      ]
    },
    "dataFlows": [
      {
        "streams": [
          "Microsoft-Perf",
          "Microsoft-Syslog",
          "Microsoft-WindowsEvent"
        ],
        "destinations": [
          "centralWorkspace"
        ]
      }
    ]
  }
}

Sample response

{
  "id": "/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourceGroups/myResourceGroup/providers/Microsoft.Insights/dataCollectionRules/myCollectionRule",
  "name": "myCollectionRule",
  "type": "Microsoft.Insights/dataCollectionRules",
  "location": "eastus",
  "tags": {
    "tag1": "A",
    "tag2": "B"
  },
  "properties": {
    "immutableId": "dcr-b74e0d383fc9415abaa584ec41adece3",
    "dataSources": {
      "performanceCounters": [
        {
          "name": "cloudTeamCoreCounters",
          "streams": [
            "Microsoft-Perf"
          ],
          "samplingFrequencyInSeconds": 15,
          "counterSpecifiers": [
            "\\Processor(_Total)\\% Processor Time",
            "\\Memory\\Committed Bytes",
            "\\LogicalDisk(_Total)\\Free Megabytes",
            "\\PhysicalDisk(_Total)\\Avg. Disk Queue Length"
          ]
        },
        {
          "name": "appTeamExtraCounters",
          "streams": [
            "Microsoft-Perf"
          ],
          "samplingFrequencyInSeconds": 30,
          "counterSpecifiers": [
            "\\Process(_Total)\\Thread Count"
          ]
        }
      ],
      "windowsEventLogs": [
        {
          "name": "cloudSecurityTeamEvents",
          "streams": [
            "Microsoft-WindowsEvent"
          ],
          "xPathQueries": [
            "Security!"
          ]
        },
        {
          "name": "appTeam1AppEvents",
          "streams": [
            "Microsoft-WindowsEvent"
          ],
          "xPathQueries": [
            "System![System[(Level = 1 or Level = 2 or Level = 3)]]",
            "Application!*[System[(Level = 1 or Level = 2 or Level = 3)]]"
          ]
        }
      ],
      "syslog": [
        {
          "name": "cronSyslog",
          "streams": [
            "Microsoft-Syslog"
          ],
          "facilityNames": [
            "cron"
          ],
          "logLevels": [
            "Debug",
            "Critical",
            "Emergency"
          ]
        },
        {
          "name": "syslogBase",
          "streams": [
            "Microsoft-Syslog"
          ],
          "facilityNames": [
            "syslog"
          ],
          "logLevels": [
            "Alert",
            "Critical",
            "Emergency"
          ]
        }
      ]
    },
    "destinations": {
      "logAnalytics": [
        {
          "workspaceResourceId": "/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourceGroups/myResourceGroup/providers/Microsoft.OperationalInsights/workspaces/centralTeamWorkspace",
          "workspaceId": "9ba8bc53-bd36-4156-8667-e983e7ae0e4f",
          "name": "centralWorkspace"
        }
      ]
    },
    "dataFlows": [
      {
        "streams": [
          "Microsoft-Perf",
          "Microsoft-Syslog",
          "Microsoft-WindowsEvent"
        ],
        "destinations": [
          "centralWorkspace"
        ]
      }
    ]
  },
  "systemData": {
    "createdBy": "user1",
    "createdByType": "User",
    "createdAt": "2021-04-01T12:34:56.1234567Z",
    "lastModifiedBy": "user2",
    "lastModifiedByType": "User",
    "lastModifiedAt": "2021-04-02T12:34:56.1234567Z"
  },
  "etag": "070057da-0000-0000-0000-5ba70d6c0000"
}
{
  "id": "/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourceGroups/myResourceGroup/providers/Microsoft.Insights/dataCollectionRules/myCollectionRule",
  "name": "myCollectionRule",
  "type": "Microsoft.Insights/dataCollectionRules",
  "location": "eastus",
  "tags": {
    "tag1": "A",
    "tag2": "B"
  },
  "properties": {
    "immutableId": "dcr-b74e0d383fc9415abaa584ec41adece3",
    "dataSources": {
      "performanceCounters": [
        {
          "name": "cloudTeamCoreCounters",
          "streams": [
            "Microsoft-Perf"
          ],
          "samplingFrequencyInSeconds": 15,
          "counterSpecifiers": [
            "\\Processor(_Total)\\% Processor Time",
            "\\Memory\\Committed Bytes",
            "\\LogicalDisk(_Total)\\Free Megabytes",
            "\\PhysicalDisk(_Total)\\Avg. Disk Queue Length"
          ]
        },
        {
          "name": "appTeamExtraCounters",
          "streams": [
            "Microsoft-Perf"
          ],
          "samplingFrequencyInSeconds": 30,
          "counterSpecifiers": [
            "\\Process(_Total)\\Thread Count"
          ]
        }
      ],
      "windowsEventLogs": [
        {
          "name": "cloudSecurityTeamEvents",
          "streams": [
            "Microsoft-WindowsEvent"
          ],
          "xPathQueries": [
            "Security!"
          ]
        },
        {
          "name": "appTeam1AppEvents",
          "streams": [
            "Microsoft-WindowsEvent"
          ],
          "xPathQueries": [
            "System![System[(Level = 1 or Level = 2 or Level = 3)]]",
            "Application!*[System[(Level = 1 or Level = 2 or Level = 3)]]"
          ]
        }
      ],
      "syslog": [
        {
          "name": "cronSyslog",
          "streams": [
            "Microsoft-Syslog"
          ],
          "facilityNames": [
            "cron"
          ],
          "logLevels": [
            "Debug",
            "Critical",
            "Emergency"
          ]
        },
        {
          "name": "syslogBase",
          "streams": [
            "Microsoft-Syslog"
          ],
          "facilityNames": [
            "syslog"
          ],
          "logLevels": [
            "Alert",
            "Critical",
            "Emergency"
          ]
        }
      ]
    },
    "destinations": {
      "logAnalytics": [
        {
          "workspaceResourceId": "/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourceGroups/myResourceGroup/providers/Microsoft.OperationalInsights/workspaces/centralTeamWorkspace",
          "workspaceId": "9ba8bc53-bd36-4156-8667-e983e7ae0e4f",
          "name": "centralWorkspace"
        }
      ]
    },
    "dataFlows": [
      {
        "streams": [
          "Microsoft-Perf",
          "Microsoft-Syslog",
          "Microsoft-WindowsEvent"
        ],
        "destinations": [
          "centralWorkspace"
        ]
      }
    ]
  },
  "systemData": {
    "createdBy": "user1",
    "createdByType": "User",
    "createdAt": "2021-04-01T12:34:56.1234567Z",
    "lastModifiedBy": "user2",
    "lastModifiedByType": "User",
    "lastModifiedAt": "2021-04-02T12:34:56.1234567Z"
  },
  "etag": "070057da-0000-0000-0000-5ba70d6c0000"
}

Create or update data collection rule with embedded ingestion endpoints

Sample request

PUT https://management.azure.com/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourceGroups/myResourceGroup/providers/Microsoft.Insights/dataCollectionRules/myCollectionRule?api-version=2023-03-11

{
  "location": "eastus",
  "kind": " Direct",
  "properties": {
    "description": "A Direct Ingestion Rule with builtin ingestion fqdns",
    "streamDeclarations": {
      "Custom-LOGS1_CL": {
        "columns": [
          {
            "name": "Time",
            "type": "datetime"
          },
          {
            "name": "Computer",
            "type": "string"
          },
          {
            "name": "AdditionalContext",
            "type": "string"
          },
          {
            "name": "CounterName",
            "type": "string"
          },
          {
            "name": "CounterValue",
            "type": "real"
          }
        ]
      }
    },
    "destinations": {
      "logAnalytics": [
        {
          "workspaceResourceId": "/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourceGroups/myResourceGroup/providers/Microsoft.OperationalInsights/workspaces/centralTeamWorkspace",
          "name": "centralWorkspace"
        }
      ]
    },
    "dataFlows": [
      {
        "streams": [
          "Custom-LOGS1_CL"
        ],
        "destinations": [
          "myworkspace"
        ],
        "transformKql": "source | extend jsonContext = parse_json(AdditionalContext) | project TimeGenerated = Time, Computer, AdditionalContext = jsonContext, CounterName=tostring(jsonContext.CounterName), CounterValue=toreal(jsonContext.CounterValue)",
        "outputStream": "Custom-LOGS1_CL"
      }
    ]
  }
}

Sample response

{
  "id": "/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourceGroups/myResourceGroup/providers/Microsoft.Insights/dataCollectionRules/myCollectionRule",
  "name": "myCollectionRule",
  "type": "Microsoft.Insights/dataCollectionRules",
  "location": "eastus",
  "kind": "Direct",
  "properties": {
    "description": "A Direct Ingestion Rule with builtin ingestion fqdns",
    "immutableId": "dcr-d2a09c11a66243009af059a655750000",
    "endpoints": {
      "logsIngestion": "https://mycollectionrule-8ykm-eastus2euap.logs.z1.canary.ingest.monitor.azure.com",
      "metricsIngestion": "https://mycollectionrule-jcvc-eastus2euap.metrics.z1.canary.ingest.monitor.azure.com"
    },
    "streamDeclarations": {
      "Custom-LOGS1_CL": {
        "columns": [
          {
            "name": "Time",
            "type": "datetime"
          },
          {
            "name": "Computer",
            "type": "string"
          },
          {
            "name": "AdditionalContext",
            "type": "string"
          },
          {
            "name": "CounterName",
            "type": "string"
          },
          {
            "name": "CounterValue",
            "type": "real"
          }
        ]
      }
    },
    "destinations": {
      "logAnalytics": [
        {
          "workspaceResourceId": "/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourceGroups/myResourceGroup/providers/Microsoft.OperationalInsights/workspaces/centralTeamWorkspace",
          "name": "centralWorkspace"
        }
      ]
    },
    "dataFlows": [
      {
        "streams": [
          "Custom-LOGS1_CL"
        ],
        "destinations": [
          "myworkspace"
        ],
        "transformKql": "source | extend jsonContext = parse_json(AdditionalContext) | project TimeGenerated = Time, Computer, AdditionalContext = jsonContext, CounterName=tostring(jsonContext.CounterName), CounterValue=toreal(jsonContext.CounterValue)",
        "outputStream": "Custom-LOGS1_CL"
      }
    ],
    "provisioningState": "Succeeded"
  },
  "systemData": {
    "createdBy": "user1",
    "createdByType": "User",
    "createdAt": "2024-01-30T17:50:40.5383301Z",
    "lastModifiedBy": "user1",
    "lastModifiedByType": "User",
    "lastModifiedAt": "2024-01-30T17:50:40.5383301Z"
  },
  "etag": "070057da-0000-0000-0000-5ba70d6c0000"
}
{
  "id": "/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourceGroups/myResourceGroup/providers/Microsoft.Insights/dataCollectionRules/myCollectionRule",
  "name": "myCollectionRule",
  "type": "Microsoft.Insights/dataCollectionRules",
  "location": "eastus",
  "kind": "Direct",
  "properties": {
    "description": "A Direct Ingestion Rule with builtin ingestion fqdns",
    "immutableId": "dcr-d2a09c11a66243009af059a655750000",
    "endpoints": {
      "logsIngestion": "https://mycollectionrule-8ykm-eastus2euap.logs.z1.canary.ingest.monitor.azure.com",
      "metricsIngestion": "https://mycollectionrule-jcvc-eastus2euap.metrics.z1.canary.ingest.monitor.azure.com"
    },
    "streamDeclarations": {
      "Custom-LOGS1_CL": {
        "columns": [
          {
            "name": "Time",
            "type": "datetime"
          },
          {
            "name": "Computer",
            "type": "string"
          },
          {
            "name": "AdditionalContext",
            "type": "string"
          },
          {
            "name": "CounterName",
            "type": "string"
          },
          {
            "name": "CounterValue",
            "type": "real"
          }
        ]
      }
    },
    "destinations": {
      "logAnalytics": [
        {
          "workspaceResourceId": "/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourceGroups/myResourceGroup/providers/Microsoft.OperationalInsights/workspaces/centralTeamWorkspace",
          "name": "centralWorkspace"
        }
      ]
    },
    "dataFlows": [
      {
        "streams": [
          "Custom-LOGS1_CL"
        ],
        "destinations": [
          "myworkspace"
        ],
        "transformKql": "source | extend jsonContext = parse_json(AdditionalContext) | project TimeGenerated = Time, Computer, AdditionalContext = jsonContext, CounterName=tostring(jsonContext.CounterName), CounterValue=toreal(jsonContext.CounterValue)",
        "outputStream": "Custom-LOGS1_CL"
      }
    ],
    "provisioningState": "Succeeded"
  },
  "systemData": {
    "createdBy": "user1",
    "createdByType": "User",
    "createdAt": "2024-01-30T17:50:40.5383301Z",
    "lastModifiedBy": "user1",
    "lastModifiedByType": "User",
    "lastModifiedAt": "2024-01-30T17:50:40.5383301Z"
  },
  "etag": "070057da-0000-0000-0000-5ba70d6c0000"
}

Create or update data collection rule with enrichment

Sample request

PUT https://management.azure.com/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourceGroups/myResourceGroup/providers/Microsoft.Insights/dataCollectionRules/myCollectionRule?api-version=2023-03-11

{
  "location": "eastus",
  "properties": {
    "description": "A rule showcasing ingestion time enrichment",
    "dataCollectionEndpointId": "/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourceGroups/myResourceGroup/providers/Microsoft.Insights/dataCollectionEndpoints/myDataCollectionEndpoint",
    "references": {
      "enrichmentData": {
        "storageBlobs": [
          {
            "resourceId": "/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourcegroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/myenrichmentstorage",
            "blobUrl": "https://myenrichmentstorage.blob.core.windows.net/enrichment",
            "lookupType": "String",
            "name": "mytextdatastore"
          }
        ]
      }
    },
    "streamDeclarations": {
      "Custom-TabularDataABC": {
        "columns": [
          {
            "name": "TimeGenerated",
            "type": "datetime"
          },
          {
            "name": "Message",
            "type": "string"
          },
          {
            "name": "AdditionalContext",
            "type": "string"
          }
        ]
      }
    },
    "dataSources": {
      "logFiles": [
        {
          "streams": [
            "Custom-TabularDataABC"
          ],
          "filePatterns": [
            "C:\\JavaLogs\\*\\*.log"
          ],
          "format": "text",
          "settings": {
            "text": {
              "recordStartTimestampFormat": "ISO 8601"
            }
          },
          "name": "myTabularLogDataSource"
        }
      ]
    },
    "destinations": {
      "logAnalytics": [
        {
          "workspaceResourceId": "/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourceGroups/myResourceGroup/providers/Microsoft.OperationalInsights/workspaces/centralTeamWorkspace",
          "name": "centralWorkspace"
        }
      ]
    },
    "dataFlows": [
      {
        "streams": [
          "Custom-TabularDataABC"
        ],
        "destinations": [
          "centralWorkspace"
        ],
        "transformKql": "source | extend LookupData = lookup_string_am('mytextdatastore', Message) | project TimeGenerated, Message, AdditionalContext = LookupData.Message",
        "outputStream": "Custom-LOGS1_CL"
      }
    ]
  }
}

Sample response

{
  "id": "/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourceGroups/myResourceGroup/providers/Microsoft.Insights/dataCollectionRules/myCollectionRule",
  "name": "myCollectionRule",
  "type": "Microsoft.Insights/dataCollectionRules",
  "location": "eastus",
  "properties": {
    "description": "A rule showcasing ingestion time enrichment",
    "immutableId": "dcr-ad96300ff0734d08a6a7195eb2be0000",
    "dataCollectionEndpointId": "/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourceGroups/myResourceGroup/providers/Microsoft.Insights/dataCollectionEndpoints/myDataCollectionEndpoint",
    "references": {
      "enrichmentData": {
        "storageBlobs": [
          {
            "resourceId": "/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourcegroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/myenrichmentstorage",
            "blobUrl": "https://myenrichmentstorage.blob.core.windows.net/enrichment",
            "lookupType": "String",
            "name": "mytextdatastore"
          }
        ]
      }
    },
    "streamDeclarations": {
      "Custom-TabularDataABC": {
        "columns": [
          {
            "name": "TimeGenerated",
            "type": "datetime"
          },
          {
            "name": "Message",
            "type": "string"
          },
          {
            "name": "AdditionalContext",
            "type": "string"
          }
        ]
      }
    },
    "dataSources": {
      "logFiles": [
        {
          "streams": [
            "Custom-TabularDataABC"
          ],
          "filePatterns": [
            "C:\\JavaLogs\\*\\*.log"
          ],
          "format": "text",
          "settings": {
            "text": {
              "recordStartTimestampFormat": "ISO 8601"
            }
          },
          "name": "myTabularLogDataSource"
        }
      ]
    },
    "destinations": {
      "logAnalytics": [
        {
          "workspaceResourceId": "/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourceGroups/myResourceGroup/providers/Microsoft.OperationalInsights/workspaces/centralTeamWorkspace",
          "workspaceId": "9ba8bc53-bd36-4156-8667-e983e7ae0e4f",
          "name": "centralWorkspace"
        }
      ]
    },
    "dataFlows": [
      {
        "streams": [
          "Custom-TabularDataABC"
        ],
        "destinations": [
          "centralWorkspace"
        ],
        "transformKql": "source | extend LookupData = lookup_string_am('mytextdatastore', Message) | project TimeGenerated, Message, AdditionalContext = LookupData.Message",
        "outputStream": "Custom-LOGS1_CL"
      }
    ],
    "provisioningState": "Succeeded"
  },
  "systemData": {
    "createdBy": "user1",
    "createdByType": "User",
    "createdAt": "2024-01-30T17:50:40.5383301Z",
    "lastModifiedBy": "user1",
    "lastModifiedByType": "User",
    "lastModifiedAt": "2024-01-30T17:50:40.5383301Z"
  },
  "etag": "070057da-0000-0000-0000-5ba70d6c0000"
}
{
  "id": "/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourceGroups/myResourceGroup/providers/Microsoft.Insights/dataCollectionRules/myCollectionRule",
  "name": "myCollectionRule",
  "type": "Microsoft.Insights/dataCollectionRules",
  "location": "eastus",
  "properties": {
    "description": "A rule showcasing ingestion time enrichment",
    "immutableId": "dcr-ad96300ff0734d08a6a7195eb2be0000",
    "dataCollectionEndpointId": "/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourceGroups/myResourceGroup/providers/Microsoft.Insights/dataCollectionEndpoints/myDataCollectionEndpoint",
    "references": {
      "enrichmentData": {
        "storageBlobs": [
          {
            "resourceId": "/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourcegroups/myResourceGroup/providers/Microsoft.Storage/storageAccounts/myenrichmentstorage",
            "blobUrl": "https://myenrichmentstorage.blob.core.windows.net/enrichment",
            "lookupType": "String",
            "name": "mytextdatastore"
          }
        ]
      }
    },
    "streamDeclarations": {
      "Custom-TabularDataABC": {
        "columns": [
          {
            "name": "TimeGenerated",
            "type": "datetime"
          },
          {
            "name": "Message",
            "type": "string"
          },
          {
            "name": "AdditionalContext",
            "type": "string"
          }
        ]
      }
    },
    "dataSources": {
      "logFiles": [
        {
          "streams": [
            "Custom-TabularDataABC"
          ],
          "filePatterns": [
            "C:\\JavaLogs\\*\\*.log"
          ],
          "format": "text",
          "settings": {
            "text": {
              "recordStartTimestampFormat": "ISO 8601"
            }
          },
          "name": "myTabularLogDataSource"
        }
      ]
    },
    "destinations": {
      "logAnalytics": [
        {
          "workspaceResourceId": "/subscriptions/703362b3-f278-4e4b-9179-c76eaf41ffc2/resourceGroups/myResourceGroup/providers/Microsoft.OperationalInsights/workspaces/centralTeamWorkspace",
          "workspaceId": "9ba8bc53-bd36-4156-8667-e983e7ae0e4f",
          "name": "centralWorkspace"
        }
      ]
    },
    "dataFlows": [
      {
        "streams": [
          "Custom-TabularDataABC"
        ],
        "destinations": [
          "centralWorkspace"
        ],
        "transformKql": "source | extend LookupData = lookup_string_am('mytextdatastore', Message) | project TimeGenerated, Message, AdditionalContext = LookupData.Message",
        "outputStream": "Custom-LOGS1_CL"
      }
    ],
    "provisioningState": "Succeeded"
  },
  "systemData": {
    "createdBy": "user1",
    "createdByType": "User",
    "createdAt": "2024-01-30T17:50:40.5383301Z",
    "lastModifiedBy": "user1",
    "lastModifiedByType": "User",
    "lastModifiedAt": "2024-01-30T17:50:40.5383301Z"
  },
  "etag": "070057da-0000-0000-0000-5ba70d6c0000"
}

Definitions

Name Description
AdxDestination

Azure Data Explorer (Adx) destination.

AgentSetting

A setting used to control an agent behavior on a host machine

AgentSettings

Agent settings used to modify agent behavior on a given host

AzureMonitorMetrics

Azure Monitor Metrics destination.

ColumnDefinition

Definition of custom data column.

createdByType

The type of identity that created the resource.

DataCollectionRuleResource

Definition of ARM tracked top level resource.

DataFlow

Definition of which streams are sent to which destinations.

DataImports

Specifications of pull based data sources

DataSources

The specification of data sources. This property is optional and can be omitted if the rule is meant to be used via direct calls to the provisioned endpoint.

Destinations

The specification of destinations.

Endpoints

Defines the ingestion endpoints to send data to via this rule.

EnrichmentData

All the enrichment data sources referenced in data flows

ErrorAdditionalInfo

The resource management error additional info.

ErrorDetail

The error detail.

ErrorResponseCommonV2

Error response

EventHub

Definition of Event Hub configuration.

EventHubDestination
EventHubDirectDestination
ExtensionDataSource

Definition of which data will be collected from a separate VM extension that integrates with the Azure Monitor Agent. Collected from either Windows and Linux machines, depending on which extension is defined.

Identity

Managed service identity of the resource.

IisLogsDataSource

Enables IIS logs to be collected by this data collection rule.

KnownAgentSettingName

The name of the setting. Must be part of the list of supported settings

KnownColumnDefinitionType

The type of the column data.

KnownDataCollectionRuleProvisioningState

The resource provisioning state.

KnownDataCollectionRuleResourceKind

The kind of the resource.

KnownDataFlowStreams

List of streams for this data flow.

KnownExtensionDataSourceStreams

List of streams that this data source will be sent to. A stream indicates what schema will be used for this data and usually what table in Log Analytics the data will be sent to.

KnownLogFilesDataSourceFormat

The data format of the log files

KnownLogFileTextSettingsRecordStartTimestampFormat

One of the supported timestamp formats

KnownPerfCounterDataSourceStreams

List of streams that this data source will be sent to. A stream indicates what schema will be used for this data and usually what table in Log Analytics the data will be sent to.

KnownPrometheusForwarderDataSourceStreams

List of streams that this data source will be sent to.

KnownStorageBlobLookupType

The type of lookup to perform on the blob

KnownSyslogDataSourceFacilityNames

The list of facility names.

KnownSyslogDataSourceLogLevels

The log levels to collect.

KnownSyslogDataSourceStreams

List of streams that this data source will be sent to. A stream indicates what schema will be used for this data and usually what table in Log Analytics the data will be sent to.

KnownWindowsEventLogDataSourceStreams

List of streams that this data source will be sent to. A stream indicates what schema will be used for this data and usually what table in Log Analytics the data will be sent to.

KnownWindowsFirewallLogsDataSourceProfileFilter

Firewall logs profile filter

LogAnalyticsDestination

Log Analytics destination.

LogFilesDataSource

Definition of which custom log files will be collected by this data collection rule

ManagedServiceIdentityType

Type of managed service identity (where both SystemAssigned and UserAssigned types are allowed).

Metadata

Metadata about the resource

MicrosoftFabricDestination

Microsoft Fabric destination (non-Azure).

MonitoringAccountDestination

Monitoring account destination.

PerfCounterDataSource

Definition of which performance counters will be collected and how they will be collected by this data collection rule. Collected from both Windows and Linux machines where the counter is present.

PlatformTelemetryDataSource

Definition of platform telemetry data source configuration

PrometheusForwarderDataSource

Definition of Prometheus metrics forwarding configuration.

References

Defines all the references that may be used in other sections of the DCR

Settings

The log files specific settings.

StorageBlob
StorageBlobDestination
StorageTableDestination
StreamDeclaration

Declaration of a custom stream.

SyslogDataSource

Definition of which syslog data will be collected and how it will be collected. Only collected from Linux machines.

SystemData

Metadata pertaining to creation and last modification of the resource.

Text

Text settings

UserAssignedIdentity

User assigned identity properties

WindowsEventLogDataSource

Definition of which Windows Event Log events will be collected and how they will be collected. Only collected from Windows machines.

WindowsFirewallLogsDataSource

Enables Firewall logs to be collected by this data collection rule.

AdxDestination

Azure Data Explorer (Adx) destination.

Name Type Description
databaseName

string

The name of the database to which data will be ingested.

ingestionUri

string

The ingestion uri of the Adx resource.

name

string

A friendly name for the destination. This name should be unique across all destinations (regardless of type) within the data collection rule.

resourceId

string

The ARM resource id of the Adx resource.

AgentSetting

A setting used to control an agent behavior on a host machine

Name Type Description
name

KnownAgentSettingName

The name of the setting. Must be part of the list of supported settings

value

string

The value of the setting

AgentSettings

Agent settings used to modify agent behavior on a given host

Name Type Description
logs

AgentSetting[]

All the settings that are applicable to the logs agent (AMA)

AzureMonitorMetrics

Azure Monitor Metrics destination.

Name Type Description
name

string

A friendly name for the destination. This name should be unique across all destinations (regardless of type) within the data collection rule.

ColumnDefinition

Definition of custom data column.

Name Type Description
name

string

The name of the column.

type

KnownColumnDefinitionType

The type of the column data.

createdByType

The type of identity that created the resource.

Name Type Description
Application

string

Key

string

ManagedIdentity

string

User

string

DataCollectionRuleResource

Definition of ARM tracked top level resource.

Name Type Description
etag

string

Resource entity tag (ETag).

id

string

Fully qualified ID of the resource.

identity

Identity

Managed service identity of the resource.

kind

KnownDataCollectionRuleResourceKind

The kind of the resource.

location

string

The geo-location where the resource lives.

name

string

The name of the resource.

properties.agentSettings

AgentSettings

Agent settings used to modify agent behavior on a given host

properties.dataCollectionEndpointId

string

The resource ID of the data collection endpoint that this rule can be used with.

properties.dataFlows

DataFlow[]

The specification of data flows.

properties.dataSources

DataSources

The specification of data sources. This property is optional and can be omitted if the rule is meant to be used via direct calls to the provisioned endpoint.

properties.description

string

Description of the data collection rule.

properties.destinations

Destinations

The specification of destinations.

properties.endpoints

Endpoints

Defines the ingestion endpoints to send data to via this rule.

properties.immutableId

string

The immutable ID of this data collection rule. This property is READ-ONLY.

properties.metadata

Metadata

Metadata about the resource

properties.provisioningState

KnownDataCollectionRuleProvisioningState

The resource provisioning state.

properties.references

References

Defines all the references that may be used in other sections of the DCR

properties.streamDeclarations

<string,  StreamDeclaration>

Declaration of custom streams used in this rule.

systemData

SystemData

Metadata pertaining to creation and last modification of the resource.

tags

object

Resource tags.

type

string

The type of the resource.

DataFlow

Definition of which streams are sent to which destinations.

Name Type Description
builtInTransform

string

The builtIn transform to transform stream data

captureOverflow

boolean

Flag to enable overflow column in LA destinations

destinations

string[]

List of destinations for this data flow.

outputStream

string

The output stream of the transform. Only required if the transform changes data to a different stream.

streams

KnownDataFlowStreams[]

List of streams for this data flow.

transformKql

string

The KQL query to transform stream data.

DataImports

Specifications of pull based data sources

Name Type Description
eventHub

EventHub

Definition of Event Hub configuration.

DataSources

The specification of data sources. This property is optional and can be omitted if the rule is meant to be used via direct calls to the provisioned endpoint.

Name Type Description
dataImports

DataImports

Specifications of pull based data sources

extensions

ExtensionDataSource[]

The list of Azure VM extension data source configurations.

iisLogs

IisLogsDataSource[]

The list of IIS logs source configurations.

logFiles

LogFilesDataSource[]

The list of Log files source configurations.

performanceCounters

PerfCounterDataSource[]

The list of performance counter data source configurations.

platformTelemetry

PlatformTelemetryDataSource[]

The list of platform telemetry configurations

prometheusForwarder

PrometheusForwarderDataSource[]

The list of Prometheus forwarder data source configurations.

syslog

SyslogDataSource[]

The list of Syslog data source configurations.

windowsEventLogs

WindowsEventLogDataSource[]

The list of Windows Event Log data source configurations.

windowsFirewallLogs

WindowsFirewallLogsDataSource[]

The list of Windows Firewall logs source configurations.

Destinations

The specification of destinations.

Name Type Description
azureDataExplorer

AdxDestination[]

List of Azure Data Explorer destinations.

azureMonitorMetrics

AzureMonitorMetrics

Azure Monitor Metrics destination.

eventHubs

EventHubDestination[]

List of Event Hubs destinations.

eventHubsDirect

EventHubDirectDestination[]

List of Event Hubs Direct destinations.

logAnalytics

LogAnalyticsDestination[]

List of Log Analytics destinations.

microsoftFabric

MicrosoftFabricDestination[]

List of Microsoft Fabric destinations.

monitoringAccounts

MonitoringAccountDestination[]

List of monitoring account destinations.

storageAccounts

StorageBlobDestination[]

List of storage accounts destinations.

storageBlobsDirect

StorageBlobDestination[]

List of Storage Blob Direct destinations. To be used only for sending data directly to store from the agent.

storageTablesDirect

StorageTableDestination[]

List of Storage Table Direct destinations.

Endpoints

Defines the ingestion endpoints to send data to via this rule.

Name Type Description
logsIngestion

string

The ingestion endpoint for logs

metricsIngestion

string

The ingestion endpoint for metrics

EnrichmentData

All the enrichment data sources referenced in data flows

Name Type Description
storageBlobs

StorageBlob[]

All the storage blobs used as enrichment data sources

ErrorAdditionalInfo

The resource management error additional info.

Name Type Description
info

object

The additional info.

type

string

The additional info type.

ErrorDetail

The error detail.

Name Type Description
additionalInfo

ErrorAdditionalInfo[]

The error additional info.

code

string

The error code.

details

ErrorDetail[]

The error details.

message

string

The error message.

target

string

The error target.

ErrorResponseCommonV2

Error response

Name Type Description
error

ErrorDetail

The error object.

EventHub

Definition of Event Hub configuration.

Name Type Description
consumerGroup

string

Event Hub consumer group name

name

string

A friendly name for the data source. This name should be unique across all data sources (regardless of type) within the data collection rule.

stream

string

The stream to collect from EventHub

EventHubDestination

Name Type Description
eventHubResourceId

string

The resource ID of the event hub.

name

string

A friendly name for the destination. This name should be unique across all destinations (regardless of type) within the data collection rule.

EventHubDirectDestination

Name Type Description
eventHubResourceId

string

The resource ID of the event hub.

name

string

A friendly name for the destination. This name should be unique across all destinations (regardless of type) within the data collection rule.

ExtensionDataSource

Definition of which data will be collected from a separate VM extension that integrates with the Azure Monitor Agent. Collected from either Windows and Linux machines, depending on which extension is defined.

Name Type Description
extensionName

string

The name of the VM extension.

extensionSettings

object

The extension settings. The format is specific for particular extension.

inputDataSources

string[]

The list of data sources this extension needs data from.

name

string

A friendly name for the data source. This name should be unique across all data sources (regardless of type) within the data collection rule.

streams

KnownExtensionDataSourceStreams[]

List of streams that this data source will be sent to. A stream indicates what schema will be used for this data and usually what table in Log Analytics the data will be sent to.

Identity

Managed service identity of the resource.

Name Type Description
principalId

string

The service principal ID of the system assigned identity. This property will only be provided for a system assigned identity.

tenantId

string

The tenant ID of the system assigned identity. This property will only be provided for a system assigned identity.

type

ManagedServiceIdentityType

Type of managed service identity (where both SystemAssigned and UserAssigned types are allowed).

userAssignedIdentities

<string,  UserAssignedIdentity>

User-Assigned Identities
The set of user assigned identities associated with the resource. The userAssignedIdentities dictionary keys will be ARM resource ids in the form: '/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{identityName}. The dictionary values can be empty objects ({}) in requests.

IisLogsDataSource

Enables IIS logs to be collected by this data collection rule.

Name Type Description
logDirectories

string[]

Absolute paths file location

name

string

A friendly name for the data source. This name should be unique across all data sources (regardless of type) within the data collection rule.

streams

string[]

IIS streams

transformKql

string

The KQL query to transform the data source.

KnownAgentSettingName

The name of the setting. Must be part of the list of supported settings

Name Type Description
MaxDiskQuotaInMB

string

UseTimeReceivedForForwardedEvents

string

KnownColumnDefinitionType

The type of the column data.

Name Type Description
boolean

string

datetime

string

dynamic

string

int

string

long

string

real

string

string

string

KnownDataCollectionRuleProvisioningState

The resource provisioning state.

Name Type Description
Canceled

string

Creating

string

Deleting

string

Failed

string

Succeeded

string

Updating

string

KnownDataCollectionRuleResourceKind

The kind of the resource.

Name Type Description
Linux

string

Windows

string

KnownDataFlowStreams

List of streams for this data flow.

Name Type Description
Microsoft-Event

string

Microsoft-InsightsMetrics

string

Microsoft-Perf

string

Microsoft-Syslog

string

Microsoft-WindowsEvent

string

KnownExtensionDataSourceStreams

List of streams that this data source will be sent to. A stream indicates what schema will be used for this data and usually what table in Log Analytics the data will be sent to.

Name Type Description
Microsoft-Event

string

Microsoft-InsightsMetrics

string

Microsoft-Perf

string

Microsoft-Syslog

string

Microsoft-WindowsEvent

string

KnownLogFilesDataSourceFormat

The data format of the log files

Name Type Description
json

string

text

string

KnownLogFileTextSettingsRecordStartTimestampFormat

One of the supported timestamp formats

Name Type Description
ISO 8601

string

M/D/YYYY HH:MM:SS AM/PM

string

MMM d hh:mm:ss

string

Mon DD, YYYY HH:MM:SS

string

YYYY-MM-DD HH:MM:SS

string

dd/MMM/yyyy:HH:mm:ss zzz

string

ddMMyy HH:mm:ss

string

yyMMdd HH:mm:ss

string

yyyy-MM-ddTHH:mm:ssK

string

KnownPerfCounterDataSourceStreams

List of streams that this data source will be sent to. A stream indicates what schema will be used for this data and usually what table in Log Analytics the data will be sent to.

Name Type Description
Microsoft-InsightsMetrics

string

Microsoft-Perf

string

KnownPrometheusForwarderDataSourceStreams

List of streams that this data source will be sent to.

Name Type Description
Microsoft-PrometheusMetrics

string

KnownStorageBlobLookupType

The type of lookup to perform on the blob

Name Type Description
Cidr

string

String

string

KnownSyslogDataSourceFacilityNames

The list of facility names.

Name Type Description
*

string

alert

string

audit

string

auth

string

authpriv

string

clock

string

cron

string

daemon

string

ftp

string

kern

string

local0

string

local1

string

local2

string

local3

string

local4

string

local5

string

local6

string

local7

string

lpr

string

mail

string

mark

string

news

string

nopri

string

ntp

string

syslog

string

user

string

uucp

string

KnownSyslogDataSourceLogLevels

The log levels to collect.

Name Type Description
*

string

Alert

string

Critical

string

Debug

string

Emergency

string

Error

string

Info

string

Notice

string

Warning

string

KnownSyslogDataSourceStreams

List of streams that this data source will be sent to. A stream indicates what schema will be used for this data and usually what table in Log Analytics the data will be sent to.

Name Type Description
Microsoft-Syslog

string

KnownWindowsEventLogDataSourceStreams

List of streams that this data source will be sent to. A stream indicates what schema will be used for this data and usually what table in Log Analytics the data will be sent to.

Name Type Description
Microsoft-Event

string

Microsoft-WindowsEvent

string

KnownWindowsFirewallLogsDataSourceProfileFilter

Firewall logs profile filter

Name Type Description
Domain

string

Private

string

Public

string

LogAnalyticsDestination

Log Analytics destination.

Name Type Description
name

string

A friendly name for the destination. This name should be unique across all destinations (regardless of type) within the data collection rule.

workspaceId

string

The Customer ID of the Log Analytics workspace.

workspaceResourceId

string

The resource ID of the Log Analytics workspace.

LogFilesDataSource

Definition of which custom log files will be collected by this data collection rule

Name Type Description
filePatterns

string[]

File Patterns where the log files are located

format

KnownLogFilesDataSourceFormat

The data format of the log files

name

string

A friendly name for the data source. This name should be unique across all data sources (regardless of type) within the data collection rule.

settings

Settings

The log files specific settings.

streams

string[]

List of streams that this data source will be sent to. A stream indicates what schema will be used for this data source

transformKql

string

The KQL query to transform the data source.

ManagedServiceIdentityType

Type of managed service identity (where both SystemAssigned and UserAssigned types are allowed).

Name Type Description
None

string

SystemAssigned

string

SystemAssigned,UserAssigned

string

UserAssigned

string

Metadata

Metadata about the resource

Name Type Description
provisionedBy

string

Azure offering managing this resource on-behalf-of customer.

provisionedByImmutableId

string

Immutable Id of azure offering managing this resource on-behalf-of customer.

provisionedByResourceId

string

Resource Id of azure offering managing this resource on-behalf-of customer.

MicrosoftFabricDestination

Microsoft Fabric destination (non-Azure).

Name Type Description
artifactId

string

The artifact id of the Microsoft Fabric resource.

databaseName

string

The name of the database to which data will be ingested.

ingestionUri

string

The ingestion uri of the Microsoft Fabric resource.

name

string

A friendly name for the destination. This name should be unique across all destinations (regardless of type) within the data collection rule.

tenantId

string

The tenant id of the Microsoft Fabric resource.

MonitoringAccountDestination

Monitoring account destination.

Name Type Description
accountId

string

The immutable ID of the account.

accountResourceId

string

The resource ID of the monitoring account.

name

string

A friendly name for the destination. This name should be unique across all destinations (regardless of type) within the data collection rule.

PerfCounterDataSource

Definition of which performance counters will be collected and how they will be collected by this data collection rule. Collected from both Windows and Linux machines where the counter is present.

Name Type Description
counterSpecifiers

string[]

A list of specifier names of the performance counters you want to collect. Use a wildcard (*) to collect a counter for all instances. To get a list of performance counters on Windows, run the command 'typeperf'.

name

string

A friendly name for the data source. This name should be unique across all data sources (regardless of type) within the data collection rule.

samplingFrequencyInSeconds

integer

The number of seconds between consecutive counter measurements (samples).

streams

KnownPerfCounterDataSourceStreams[]

List of streams that this data source will be sent to. A stream indicates what schema will be used for this data and usually what table in Log Analytics the data will be sent to.

transformKql

string

The KQL query to transform the data source.

PlatformTelemetryDataSource

Definition of platform telemetry data source configuration

Name Type Description
name

string

A friendly name for the data source. This name should be unique across all data sources (regardless of type) within the data collection rule.

streams

string[]

List of platform telemetry streams to collect

PrometheusForwarderDataSource

Definition of Prometheus metrics forwarding configuration.

Name Type Description
labelIncludeFilter

object

The list of label inclusion filters in the form of label "name-value" pairs. Currently only one label is supported: 'microsoft_metrics_include_label'. Label values are matched case-insensitively.

name

string

A friendly name for the data source. This name should be unique across all data sources (regardless of type) within the data collection rule.

streams

KnownPrometheusForwarderDataSourceStreams[]

List of streams that this data source will be sent to.

References

Defines all the references that may be used in other sections of the DCR

Name Type Description
enrichmentData

EnrichmentData

All the enrichment data sources referenced in data flows

Settings

The log files specific settings.

Name Type Description
text

Text

Text settings

StorageBlob

Name Type Description
blobUrl

string

Url of the storage blob

lookupType

KnownStorageBlobLookupType

The type of lookup to perform on the blob

name

string

The name of the enrichment data source used as an alias when referencing this data source in data flows

resourceId

string

Resource Id of the storage account that hosts the blob

StorageBlobDestination

Name Type Description
containerName

string

The container name of the Storage Blob.

name

string

A friendly name for the destination. This name should be unique across all destinations (regardless of type) within the data collection rule.

storageAccountResourceId

string

The resource ID of the storage account.

StorageTableDestination

Name Type Description
name

string

A friendly name for the destination. This name should be unique across all destinations (regardless of type) within the data collection rule.

storageAccountResourceId

string

The resource ID of the storage account.

tableName

string

The name of the Storage Table.

StreamDeclaration

Declaration of a custom stream.

Name Type Description
columns

ColumnDefinition[]

List of columns used by data in this stream.

SyslogDataSource

Definition of which syslog data will be collected and how it will be collected. Only collected from Linux machines.

Name Type Description
facilityNames

KnownSyslogDataSourceFacilityNames[]

The list of facility names.

logLevels

KnownSyslogDataSourceLogLevels[]

The log levels to collect.

name

string

A friendly name for the data source. This name should be unique across all data sources (regardless of type) within the data collection rule.

streams

KnownSyslogDataSourceStreams[]

List of streams that this data source will be sent to. A stream indicates what schema will be used for this data and usually what table in Log Analytics the data will be sent to.

transformKql

string

The KQL query to transform the data source.

SystemData

Metadata pertaining to creation and last modification of the resource.

Name Type Description
createdAt

string

The timestamp of resource creation (UTC).

createdBy

string

The identity that created the resource.

createdByType

createdByType

The type of identity that created the resource.

lastModifiedAt

string

The timestamp of resource last modification (UTC)

lastModifiedBy

string

The identity that last modified the resource.

lastModifiedByType

createdByType

The type of identity that last modified the resource.

Text

Text settings

Name Type Description
recordStartTimestampFormat

KnownLogFileTextSettingsRecordStartTimestampFormat

One of the supported timestamp formats

UserAssignedIdentity

User assigned identity properties

Name Type Description
clientId

string

The client ID of the assigned identity.

principalId

string

The principal ID of the assigned identity.

WindowsEventLogDataSource

Definition of which Windows Event Log events will be collected and how they will be collected. Only collected from Windows machines.

Name Type Description
name

string

A friendly name for the data source. This name should be unique across all data sources (regardless of type) within the data collection rule.

streams

KnownWindowsEventLogDataSourceStreams[]

List of streams that this data source will be sent to. A stream indicates what schema will be used for this data and usually what table in Log Analytics the data will be sent to.

transformKql

string

The KQL query to transform the data source.

xPathQueries

string[]

A list of Windows Event Log queries in XPATH format.

WindowsFirewallLogsDataSource

Enables Firewall logs to be collected by this data collection rule.

Name Type Description
name

string

A friendly name for the data source. This name should be unique across all data sources (regardless of type) within the data collection rule.

profileFilter

KnownWindowsFirewallLogsDataSourceProfileFilter[]

Firewall logs profile filter

streams

string[]

Firewall logs streams