|
| 1 | +--- |
| 2 | +title: | |
| 3 | + Tutorial: Add a transformation for workspace data |
| 4 | +titleSuffix: Azure Cosmos DB |
| 5 | +description: In this tutorial, add a custom transformation to data flowing through Azure Monitor Logs from Azure Cosmos DB by using the Azure portal. |
| 6 | +author: StefArroyo |
| 7 | +ms.author: esarroyo |
| 8 | +ms.reviewer: sidandrews |
| 9 | +ms.service: cosmos-db |
| 10 | +ms.topic: tutorial |
| 11 | +ms.date: 03/22/2023 |
| 12 | +--- |
| 13 | + |
| 14 | +# Tutorial: Add a transformation for Azure Cosmos DB workspace data by using the Azure portal |
| 15 | + |
| 16 | +This tutorial walks you through configuration of a sample [transformation in a workspace data collection rule (DCR)](../azure-monitor/essentials/data-collection-transformations.md) by using the Azure portal. |
| 17 | + |
| 18 | +> [!NOTE] |
| 19 | +> To help improve costs for enabling Log Analytics, we now support adding Data Collection Rules and transformations on your Log Analytics resources to filter out columns, reduce number of results returned, and create new columns before the data is sent to the destination. |
| 20 | +
|
| 21 | +Workspace transformations are stored together in a single [DCR](../azure-monitor/essentials/data-collection-rule-overview.md) for the workspace, which is called the workspace DCR. Each transformation is associated with a particular table. The transformation is applied to all data sent to this table from any workflow not using a DCR. |
| 22 | + |
| 23 | +> [!NOTE] |
| 24 | +> This tutorial uses the Azure portal to configure a workspace transformation. For the same tutorial using Azure Resource Manager templates and REST API, see [Tutorial: Add transformation in workspace data collection rule to Azure Monitor using resource manager templates](../azure-monitor/logs/tutorial-workspace-transformations-api.md). |
| 25 | +
|
| 26 | +In this tutorial, you learn how to: |
| 27 | + |
| 28 | +> [!div class="checklist"] |
| 29 | +> |
| 30 | +> - Configure a [workspace transformation](../azure-monitor/essentials/data-collection-transformations.md#workspace-transformation-dcr) for a table in a Log Analytics workspace. |
| 31 | +> - Write a log query for a workspace transformation. |
| 32 | +> |
| 33 | +
|
| 34 | +## Prerequisites |
| 35 | + |
| 36 | +To complete this tutorial, you need: |
| 37 | + |
| 38 | +- A Log Analytics workspace where you have at least [contributor rights](../azure-monitor/logs/manage-access.md#azure-rbac). |
| 39 | +- [Permissions to create DCR objects](../azure-monitor/essentials/data-collection-rule-overview.md#permissions) in the workspace. |
| 40 | +- A table that already has some data. |
| 41 | +- The table can't be linked to the [workspace transformation DCR](../azure-monitor/essentials/data-collection-transformations.md#workspace-transformation-dcr). |
| 42 | + |
| 43 | +## Overview of the tutorial |
| 44 | + |
| 45 | +In this tutorial, you reduce the storage requirement for the `CDBDataPlaneRequests` table by filtering out certain records. You also remove the contents of a column while parsing the column data to store a piece of data in a custom column. The [CDBDataPlaneRequests table](monitor-resource-logs.md) is created when you enable [log analytics](monitor-resource-logs.md) in a workspace. |
| 46 | + |
| 47 | +This tutorial uses the Azure portal, which provides a wizard to walk you through the process of creating an ingestion-time transformation. After you finish the steps, you'll see that the wizard: |
| 48 | + |
| 49 | +- Updates the table schema with any other columns from the query. |
| 50 | +- Creates a `WorkspaceTransformation` DCR and links it to the workspace if a default DCR isn't already linked to the workspace. |
| 51 | +- Creates an ingestion-time transformation and adds it to the DCR. |
| 52 | + |
| 53 | +## Enable query audit logs |
| 54 | + |
| 55 | +You need to enable [log analytics](monitor-resource-logs.md) for your workspace to create the `CDBDataPlaneRequests` table that you're working with. This step isn't required for all ingestion time transformations. It's just to generate the sample data that we're working with. |
| 56 | + |
| 57 | +## Add a transformation to the table |
| 58 | + |
| 59 | +Now that the table's created, you can create the transformation for it. |
| 60 | + |
| 61 | +1. On the **Log Analytics workspaces** menu in the Azure portal, select **Tables**. Locate the `CDBDataPlaneRequests` table and select **Create transformation**. |
| 62 | + |
| 63 | + :::image type="content" source="media/tutorial-log-transformation/create-transformation.png" lightbox="media/tutorial-log-transformation/create-transformation.png" alt-text="Screenshot that shows creating a new transformation."::: |
| 64 | + |
| 65 | +1. Because this transformation is the first one in the workspace, you must create a [workspace transformation DCR](../azure-monitor/essentials/data-collection-transformations.md#workspace-transformation-dcr). If you create transformations for other tables in the same workspace, they're stored in this same DCR. Select **Create a new data collection rule**. The **Subscription** and **Resource group** are already populated for the workspace. Enter a name for the DCR and select **Done**. |
| 66 | + |
| 67 | +1. Select **Next** to view sample data from the table. As you define the transformation, the result is applied to the sample data. For this reason, you can evaluate the results before you apply it to actual data. Select **Transformation editor** to define the transformation. |
| 68 | + |
| 69 | + :::image type="content" source="media/tutorial-log-transformation/transformation-query-results.png" lightbox="media/tutorial-log-transformation/transformation-query-results.png" alt-text="Screenshot that shows sample data from the log table."::: |
| 70 | + |
| 71 | +1. In the transformation editor, you can see the transformation that is applied to the data prior to its ingestion into the table. A virtual table named `source` represents the incoming data, which has the same set of columns as the destination table itself. The transformation initially contains a simple query that returns the `source` table with no changes. |
| 72 | + |
| 73 | +1. Modify the query to the following example: |
| 74 | + |
| 75 | + ``` kusto |
| 76 | + source |
| 77 | + | where StatusCode != 200 // searching for requests that are not successful |
| 78 | + | project-away Type, TenantId |
| 79 | + ``` |
| 80 | +
|
| 81 | + The modification makes the following changes: |
| 82 | +
|
| 83 | + - Rows related to querying the `CDBDataPlaneRequests` table itself were dropped to save space because these log entries aren't useful. |
| 84 | + - Data from the `TenantId` and `Type` columns were removed to save space. |
| 85 | + - Transformations also support adding columns using the `extend` operator in your query. |
| 86 | +
|
| 87 | + > [!Note] |
| 88 | + > Using the Azure portal, the output of the transformation will initiate changes to the table schema if required. Columns will be added to match the transformation output if they don't already exist. Make sure that your output doesn't contain any columns that you don't want added to the table. If the output doesn't include columns that are already in the table, those columns won't be removed, but data won't be added. |
| 89 | + > |
| 90 | + > Any custom columns added to a built-in table must end in `_CF`. Columns added to a custom table don't need to have this suffix. A custom table has a name that ends in `_CL`. |
| 91 | +
|
| 92 | +1. Copy the query into the transformation editor and select **Run** to view results from the sample data. You can verify that the new `Workspace_CF` column is in the query. |
| 93 | +
|
| 94 | + :::image type="content" source="media/tutorial-log-transformation/select-transformation-editor.png" lightbox="media/tutorial-log-transformation/select-transformation-editor.png" alt-text="Screenshot that shows the transformation editor."::: |
| 95 | +
|
| 96 | +1. Select **Apply** to save the transformation and then select **Next** to review the configuration. Select **Create** to update the DCR with the new transformation. |
| 97 | +
|
| 98 | + :::image type="content" source="media/tutorial-log-transformation/transformation-configuration-created.png" lightbox="media/tutorial-log-transformation/transformation-configuration-created.png" alt-text="Screenshot that shows saving the transformation."::: |
| 99 | +
|
| 100 | +## Test the transformation |
| 101 | +
|
| 102 | +Allow about 30 minutes for the transformation to take effect and then test it by running a query against the table. This transformation affects only data sent to the table after the transformation was applied. |
| 103 | +
|
| 104 | +For this tutorial, run some sample queries to send data to the `CDBDataPlaneRequests` table. Include some queries against `CDBDataPlaneRequests` so that you can verify that the transformation filters these records. |
| 105 | +
|
| 106 | +## Troubleshooting |
| 107 | +
|
| 108 | +This section describes different error conditions you might receive and how to correct them. |
| 109 | +
|
| 110 | +### IntelliSense in Log Analytics not recognizing new columns in the table |
| 111 | +
|
| 112 | +The cache that drives IntelliSense might take up to 24 hours to update. |
| 113 | +
|
| 114 | +### Transformation on a dynamic column isn't working |
| 115 | +
|
| 116 | +A known issue currently affects dynamic columns. A temporary workaround is to explicitly parse dynamic column data by using `parse_json()` prior to performing any operations against them. |
| 117 | +
|
| 118 | +## Next steps |
| 119 | +
|
| 120 | +> [!div class="nextstepaction"] |
| 121 | +> [Data collection transformations](../azure-monitor/essentials/data-collection-transformations.md) |
0 commit comments