Merge pull request #216868 from guywi-ms/manage-tables-new-toc

Log table management

Author: jborsecnik

articles/azure-monitor/agents/data-sources-custom-logs.md

@@ -147,25 +147,25 @@ The following section walks through an example of creating a custom log. The sam
 
 We provide one of the log files and can see the events that it will be collecting. In this case, **New line** is a sufficient delimiter. If a single entry in the log could span multiple lines though, a timestamp delimiter would need to be used.
 
-![Screenshot that shows uploading and parsing a sample log.](media/data-sources-custom-logs/delimiter.png)
+:::image type="content" source="media/data-sources-custom-logs/delimiter.png" alt-text="Screenshot that shows uploading and parsing a sample log.":::
 
 ### Add log collection paths
 
 The log files will be located in *C:\MyApp\Logs*. A new file will be created each day with a name that includes the date in the pattern *appYYYYMMDD.log*. A sufficient pattern for this log would be *C:\MyApp\Logs\\\*.log*.
 
-![Screenshot that shows adding a log collection path.](media/data-sources-custom-logs/collection-path.png)
+:::image type="content" source="media/data-sources-custom-logs/collection-path.png" alt-text="Screenshot that shows adding a log collection path.":::
 
 ### Provide a name and description for the log
 
 We use a name of *MyApp_CL* and type in a **Description**.
 
-![Screenshot that shows adding a log name.](media/data-sources-custom-logs/log-name.png)
+:::image type="content" source="media/data-sources-custom-logs/log-name.png" alt-text="Screenshot that shows adding a log name.":::
 
 ### Validate that the custom logs are being collected
 
 We use a simple query of *MyApp_CL* to return all records from the collected log.
 
-![Screenshot that shows a log query with no custom fields.](media/data-sources-custom-logs/query-01.png)
+:::image type="content" source="media/data-sources-custom-logs/query-01.png" alt-text="Screenshot that shows a log query with no custom fields.":::
 
 ## Alternatives to custom logs
 

articles/azure-monitor/agents/media/data-sources-custom-logs/collection-path.png

@@ -1,17 +1,38 @@
 ---
-title: Configure Basic Logs in Azure Monitor
-description: Learn how to configure a table for Basic Logs in Azure Monitor.
-ms.topic: conceptual
-ms.custom: event-tier1-build-2022
-ms.date: 10/01/2022
+title: Set a table's log data plan in Azure Monitor Logs
+description: Learn how to configure the table log data plan to optimize log ingestion and retention costs in Azure Monitor Logs.
+author: guywi-ms
+ms.author: guywild
+ms.reviewer: adi.biran
+ms.topic: how-to
+ms.date: 11/09/2022
 ---
 
-# Configure Basic Logs in Azure Monitor
+# Set a table's log data plan in Azure Monitor Logs
 
-Setting a table's [log data plan](log-analytics-workspace-overview.md#log-data-plans) to **Basic Logs** lets you save on the cost of storing high-volume verbose logs you use for debugging, troubleshooting, and auditing, but not for analytics and alerts. This article describes how to configure Basic Logs for a particular table in your Log Analytics workspace.
+Azure Monitor Logs offers two log data plans that let you reduce log ingestion and retention costs and take advantage of Azure Monitor's advanced features and analytics capabilities based on your needs: 
+
+- The default **Analytics** log data plan provides full analysis capabilities and makes log data available for queries, Azure Monitor features, such as alerts, and use by other services. 
+- The **Basic** log data plan lets you save on the cost of ingesting and storing high-volume verbose logs in your Log Analytics workspace for debugging, troubleshooting, and auditing, but not for analytics and alerts. 
+
+This article describes Azure Monitor's log data plans and explains how to configure the log data plan of the tables in your Log Analytics workspace.
 
 > [!IMPORTANT]
-> You can switch a table's plan once a week. The Basic Logs feature isn't available for workspaces in [legacy pricing tiers](cost-logs.md#legacy-pricing-tiers).
+> You can switch a table's plan once a week.<br/> The Basic Logs feature isn't available for workspaces in [legacy pricing tiers](cost-logs.md#legacy-pricing-tiers).
+
+## Compare the Basic and Analytics log data plans 
+
+The following table summarizes the two plans. 
+
+| Category | Analytics | Basic |
+|:---|:---|:---|
+| Ingestion | Cost for ingestion. | Reduced cost for ingestion. |
+| Log queries | No extra cost. Full query capabilities. | Extra cost.<br>[Subset of query capabilities](basic-logs-query.md#limitations). |
+| Retention |  Configure retention from 30 days to 730 days. | Retention fixed at eight days. |
+| Alerts | Supported. | Not supported. |
+
+> [!NOTE]
+> The Basic log data plan isn't available for workspaces in [legacy pricing tiers](cost-logs.md#legacy-pricing-tiers).
 
 ## Which tables support Basic Logs?
 
@@ -31,7 +52,7 @@ By default, all tables in your Log Analytics workspace are Analytics tables, and
 > [!NOTE]
 > Tables created with the [Data Collector API](data-collector-api.md) don't support Basic Logs.
 
-## Set table configuration
+## Set a table's log data plan
 
 # [Portal](#tab/portal-1)
 
@@ -143,11 +164,11 @@ For example:
 
 ---
 
-## Check table configuration
+## View a table's log data plan
 
 # [Portal](#tab/portal-2)
 
-To check table configuration in the Azure portal, you can open the table configuration screen, as described in [Set table configuration](#set-table-configuration).
+To check table configuration in the Azure portal, you can open the table configuration screen, as described in [Set table configuration](#set-a-tables-log-data-plan).
 
 Alternatively:
 
@@ -175,7 +196,7 @@ GET https://management.azure.com/subscriptions/{subscriptionId}/resourcegroups/{
 |Name | Type | Description |
 | --- | --- | --- |
 |properties.plan | string  | The table plan. Either `Analytics` or `Basic`. |
-|properties.retentionInDays | integer  | The table's data retention in days. In `Basic Logs`, the value is 8 days, fixed. In `Analytics Logs`, the value is between 7 and 730 days.|
+|properties.retentionInDays | integer  | The table's data retention in days. In `Basic Logs`, the value is eight days, fixed. In `Analytics Logs`, the value is between 7 and 730 days.|
 |properties.totalRetentionInDays | integer  | The table's data retention that also includes the archive period.|
 |properties.archiveRetentionInDays|integer|The table's archive period (read-only, calculated).|
 |properties.lastPlanModifiedDate|String|Last time when the plan was set for this table. Null if no change was ever done from the default settings (read-only).
@@ -225,5 +246,6 @@ Basic Logs tables retain data for eight days. When you change an existing table'
 
 ## Next steps
 
-- [Learn more about the different log plans](log-analytics-workspace-overview.md#log-data-plans)
 - [Query data in Basic Logs](basic-logs-query.md)
+- [Set retention and archive policies](../logs/data-retention-archive.md)
+

articles/azure-monitor/agents/media/data-sources-custom-logs/delimiter.png

@@ -1,6 +1,9 @@
 ---
 title: Query data from Basic Logs in Azure Monitor 
 description: Create a log query using tables configured for Basic logs in Azure Monitor.
+author: guywi-ms
+ms.author: guywild
+ms.reviewer: adi.biran
 ms.topic: conceptual
 ms.date: 10/01/2022
 
@@ -9,7 +12,7 @@ ms.date: 10/01/2022
 # Query Basic Logs in Azure Monitor
 Basic Logs tables reduce the cost of ingesting high-volume verbose logs and let you query the data they store using a limited set of log queries. This article explains how to query data from Basic Logs tables. 
 
-For more information, see [Azure log data plans](log-analytics-workspace-overview.md#log-data-plans) and [Configure a table for Basic Logs](basic-logs-configure.md). 
+For more information, see [Set a table's log data plan](basic-logs-configure.md). 
 
 
 > [!NOTE]
@@ -95,6 +98,5 @@ For more information, see [Azure Monitor pricing](https://azure.microsoft.com/pr
 
 ## Next steps
 
-- [Learn more about Basic Logs and the different log plans.](log-analytics-workspace-overview.md#log-data-plans)
-- [Configure a table for Basic Logs.](basic-logs-configure.md)
-- [Use a search job to retrieve data from Basic Logs into Analytics Logs where it can be queries multiple times.](search-jobs.md)
+- [Learn more about the Basic Logs and Analytics log plans](basic-logs-configure.md).
+- [Use a search job to retrieve data from Basic Logs into Analytics Logs where it can be queries multiple times](search-jobs.md).

articles/azure-monitor/agents/media/data-sources-custom-logs/log-name.png

@@ -0,0 +1,192 @@
+---
+title: Add or delete tables and columns in Azure Monitor Logs
+description: Create a table with a custom schema to collect logs from any data source. 
+author: guywi-ms
+ms.author: guywild
+ms.reviewer: adi.biran
+ms.service: azure-monitor
+ms.topic: how-to 
+ms.date: 11/09/2022
+
+# Customer intent: As a Log Analytics workspace administrator, I want to create a table with a custom schema to store logs from an Azure or non-Azure data source.
+---
+
+# Add or delete tables and columns in Azure Monitor Logs
+
+[Data collection rules](../essentials/data-collection-rule-overview.md) let you [filter and transform log data](../essentials/data-collection-transformations.md) before sending the data to an [Azure table or a custom table](../logs/manage-logs-tables.md#table-type). This article explains how to create custom tables and add custom columns to tables in your Log Analytics workspace.  
+
+## Prerequisites
+
+To create a custom table, you need:
+
+- A Log Analytics workspace where you have at least [contributor rights](../logs/manage-access.md#azure-rbac).
+- A [data collection endpoint (DCE)](../essentials/data-collection-endpoint-overview.md).
+- A JSON file with the schema of your custom table in the following format:
+    ```json
+    [
+      {
+        "TimeGenerated": "supported_datetime_format",
+        "<column_name_1": "<column_name_1_value>",
+        "<column_name_2": "<column_name_2_value>"
+      }
+    ]
+    ``` 
+    
+    For information about the `TimeGenerated` format, see [supported datetime formats](/azure/data-explorer/kusto/query/scalar-data-types/datetime#supported-formats).
+## Create a custom table
+
+Azure tables have predefined schemas. To store log data in a different schema, use data collection rules to define how to collect, transform, and send the data to a custom table in your Log Analytics workspace.
+
+> [!NOTE]
+> For information about creating a custom table for logs you ingest with the deprecated Log Analytics agent, also known as MMA or OMS, see [Collect text logs with the Log Analytics agent](../agents/data-sources-custom-logs.md#define-a-custom-log).
+
+### [Portal](#tab/portal-1)
+
+To create a custom table in the Azure portal:
+
+1. From the **Log Analytics workspaces** menu, select **Tables**.  
+
+    :::image type="content" source="media/manage-logs-tables/azure-monitor-logs-table-configuration.png" alt-text="Screenshot that shows the Tables screen for a Log Analytics workspace." lightbox="media/manage-logs-tables/azure-monitor-logs-table-configuration.png":::
+
+1. Select **Create** and then **New custom log (DCR-based)**.
+
+    :::image type="content" source="media/tutorial-logs-ingestion-portal/new-custom-log.png" lightbox="media/tutorial-logs-ingestion-portal/new-custom-log.png" alt-text="Screenshot showing new DCR-based custom log.":::
+
+1. Specify a name and, optionally, a description for the table. You don't need to add the *_CL* suffix to the custom table's name - this is added automatically to the name you specify in the portal. 
+
+1. Select an existing data collection rule from the **Data collection rule** dropdown, or select **Create a new data collection rule** and specify the **Subscription**, **Resource group**, and **Name** for the new data collection rule. 
+
+    :::image type="content" source="media/tutorial-logs-ingestion-portal/new-data-collection-rule.png" lightbox="media/tutorial-logs-ingestion-portal/new-data-collection-rule.png" alt-text="Screenshot showing new data collection rule.":::
+
+4. Select a [data collection endpoint](../essentials/data-collection-endpoint-overview.md#create-data-collection-endpoint) and select **Next**.
+
+    :::image type="content" source="media/tutorial-logs-ingestion-portal/custom-log-table-name.png" lightbox="media/tutorial-logs-ingestion-portal/custom-log-table-name.png" alt-text="Screenshot showing custom log table name.":::
+
+1. Select **Browse for files** and locate the JSON file in which you defined the schema of your new table. 
+
+    :::image type="content" source="media/tutorial-logs-ingestion-portal/custom-log-browse-files.png" lightbox="media/tutorial-logs-ingestion-portal/custom-log-browse-files.png" alt-text="Screenshot showing custom log browse for files.":::
+
+    All log tables in Azure Monitor Logs must have a `TimeGenerated` column populated with the timestamp of the logged event. 
+
+1. If you want to [transform log data before ingestion](../essentials//data-collection-transformations.md) into your table: 
+
+    1. Select **Transformation editor**. 
+
+        The transformation editor lets you create a transformation for the incoming data stream. This is a KQL query that runs against each incoming record. Azure Monitor Logs stores the results of the query in the destination table. 
+    
+        :::image type="content" source="media/tutorial-logs-ingestion-portal/custom-log-data-preview.png" lightbox="media/tutorial-logs-ingestion-portal/custom-log-data-preview.png" alt-text="Screenshot showing custom log data preview.":::
+
+    1. Select **Run** to view the results. 
+    
+        :::image type="content" source="media/tutorial-logs-ingestion-portal/custom-log-query-01.png" lightbox="media/tutorial-logs-ingestion-portal/custom-log-query-01.png" alt-text="Screenshot showing initial custom log data query.":::
+
+1. Select **Apply** to save the transformation and view the schema of the table that's about to be created. Select **Next** to proceed.
+
+    :::image type="content" source="media/tutorial-logs-ingestion-portal/custom-log-final-schema.png" lightbox="media/tutorial-logs-ingestion-portal/custom-log-final-schema.png" alt-text="Screenshot showing custom log final schema.":::
+
+1. Verify the final details and select **Create** to save the custom log.
+
+    :::image type="content" source="media/tutorial-logs-ingestion-portal/custom-log-create.png" lightbox="media/tutorial-logs-ingestion-portal/custom-log-create.png" alt-text="Screenshot showing custom log create.":::
+
+### [PowerShell](#tab/powershell-1)
+
+Use the [Tables - Update PATCH API](/rest/api/loganalytics/tables/update) to create a custom table with the PowerShell code below. This code creates a table called *MyTable_CL* with two columns. Modify this schema to collect a different table. 
+
+> [!IMPORTANT]
+> Custom tables have a suffix of *_CL*; for example, *tablename_CL*. The *tablename_CL* in the DataFlows Streams must match the *tablename_CL* name in the Log Analytics workspace.
+
+1. Select the **Cloud Shell** button in the Azure portal and ensure the environment is set to **PowerShell**.
+
+    :::image type="content" source="../logs/media/tutorial-workspace-transformations-api/open-cloud-shell.png" lightbox="../logs/media/tutorial-workspace-transformations-api/open-cloud-shell.png" alt-text="Screenshot of opening Cloud Shell in the Azure portal.":::
+
+2. Copy the following PowerShell code and replace the **Path** parameter with the appropriate values for your workspace in the `Invoke-AzRestMethod` command. Paste it into the Cloud Shell prompt to run it. 
+
+    ```PowerShell
+    $tableParams = @'
+    {
+        "properties": {
+            "schema": {
+                "name": "MyTable_CL",
+                "columns": [
+                    {
+                        "name": "TimeGenerated",
+                        "type": "DateTime"
+                    }, 
+                    {
+                        "name": "RawData",
+                        "type": "String"
+                    }
+                ]
+            }
+        }
+    }
+    '@
+
+    Invoke-AzRestMethod -Path "/subscriptions/{subscription}/resourcegroups/{resourcegroup}/providers/microsoft.operationalinsights/workspaces/{workspace}/tables/MyTable_CL?api-version=2021-12-01-preview" -Method PUT -payload $tableParams
+    ```
+
+---
+
+## Delete a table
+
+You can delete any table in your Log Analytics workspace that's not an [Azure table](../logs/manage-logs-tables.md#table-type). 
+
+> [!NOTE]
+> Deleting a restored table doesn't delete the data in the source table.
+
+### [Portal](#tab/portal-2)
+
+To delete a table from the Azure portal:
+
+1. From the Log Analytics workspace menu, select **Tables**.
+1. Search for the tables you want to delete by name, or by selecting **Search results** in the **Type** field.
+    
+    :::image type="content" source="media/search-job/search-results-on-log-analytics-tables-screen.png" alt-text="Screenshot that shows the Tables screen for a Log Analytics workspace with the Filter by name and Type fields highlighted." lightbox="media/search-job/search-results-on-log-analytics-tables-screen.png":::
+
+1. Select the table you want to delete, select the ellipsis ( **...** ) to the right of the table, select **Delete**, and confirm the deletion by typing **yes**.
+
+    :::image type="content" source="media/search-job/delete-table.png" alt-text="Screenshot that shows the Delete Table screen for a table in a Log Analytics workspace." lightbox="media/search-job/delete-table.png":::
+    
+### [API](#tab/api-2)
+
+To delete a table, call the **Tables - Delete** API: 
+
+```http
+DELETE https://management.azure.com/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/tables/<TableName>_SRCH?api-version=2021-12-01-preview
+```
+
+### [CLI](#tab/cli-2)
+
+To delete a table, run the [az monitor log-analytics workspace table delete](/cli/azure/monitor/log-analytics/workspace/table#az-monitor-log-analytics-workspace-table-delete) command.
+
+For example:
+
+```azurecli
+az monitor log-analytics workspace table delete --subscription ContosoSID --resource-group ContosoRG --workspace-name ContosoWorkspace --name HeartbeatByIp_SRCH
+```
+
+---
+## Add or delete a custom column
+
+To add a custom column to a table in your Log Analytics workspace, or delete a column:
+
+1. From the **Log Analytics workspaces** menu, select **Tables**.  
+1. Select the ellipsis ( **...** ) to the right of the table you want to edit and select **Edit schema**.
+    This opens the **Schema Editor** screen.
+1. Scroll down to the **Custom Columns** section of the **Schema Editor** screen.
+ 
+    :::image type="content" source="media/create-custom-table/add-or-delete-column-azure-monitor-logs.png" alt-text="Screenshot showing the Schema Editor screen with the Add a column and Delete buttons highlighted." lightbox="media/create-custom-table/add-or-delete-column-azure-monitor-logs.png":::
+
+1. To add a new column: 
+    1. Select **Add a column**.
+    1. Set the column name and description (optional), and select the expected value type from the **Type** dropdown.
+    1. Select **Save** to save the new column.
+1. To delete a column, select the **Delete** icon to the left of the column you want to delete.
+
+## Next steps
+
+Learn more about:
+
+- [Collecting logs with the Log Ingestion API](../logs/logs-ingestion-api-overview.md)
+- [Collecting logs with Azure Monitor Agent](../agents/agents-overview.md)
+- [Data collection rules](../essentials/data-collection-endpoint-overview.md)

articles/azure-monitor/logs/basic-logs-configure.md

@@ -1,7 +1,7 @@
 ---
-title: Configure data retention and archive in Azure Monitor Logs (preview)
+title: Configure data retention and archive in Azure Monitor Logs
 description: Configure archive settings for a table in a Log Analytics workspace in Azure Monitor.
-ms.reviewer: osalzberg
+ms.reviewer: adi.biran
 ms.topic: conceptual
 ms.date: 10/01/2022
 # Customer intent: As an Azure account administrator, I want to set data retention and archive policies to save retention costs.
@@ -241,4 +241,4 @@ The retention can also be [set programmatically with PowerShell](../app/powershe
 
 - [Learn more about Log Analytics workspaces and data retention and archive](log-analytics-workspace-overview.md)
 - [Create a search job to retrieve archive data matching particular criteria](search-jobs.md)
-- [Restore archive data within a particular time range](restore.md)
+- [Restore archive data within a particular time range](restore.md)