You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
> The agent based JSON custom file ingestion is currently in preview and does not have a complete UI experience in the portal yet. While you can create the DCR using the portal, you must modify it to define the columns in the incoming stream. See the **Resource Manager template** tab for details on creating the required DCR.
109
+
> The agent based JSON custom file ingestion is currently in preview and does not have a complete UI experience in the portal yet. While you can create the DCR using the portal, you must modify it to define the columns in the incoming stream. This section includes details on creating the DCR using an ARM template.
110
110
111
-
### Incoming stream
112
-
JSON files include a property name with each value, and the incoming stream in the DCR needs to include a column matching the name of each property. If you create the DCR using the Azure portal, the columns in the following table will be included in the incoming stream, and you must manually modify the DCR or create it using another method where you can explicitly define the incoming stream.
111
+
### Incoming stream schema
112
+
113
+
JSON files include a property name with each value, and the incoming stream in the DCR needs to include a column matching the name of each property. The following table describes optional columns that you can include in addition to the columns defining the data in your log file.
113
114
114
115
| Column | Type | Description |
115
116
|:---|:---|:---|
116
-
|`TimeGenerated`| datetime | The time the record was generated. |
117
-
|`RawData`| string | This column will be empty for a JSON log. |
117
+
|`TimeGenerated`| datetime | The time the record was generated. This value will be automatically populated with the time the record is added to the Log Analytics workspace if it's not included in the incoming stream. |
118
118
|`FilePath`| string | If you add this column to the incoming stream in the DCR, it will be populated with the path to the log file. This column is not created automatically and can't be added using the portal. You must manually modify the DCR created by the portal or create the DCR using another method where you can explicitly define the incoming stream. |
119
-
|`Computer`| string | If you add this column to the incoming stream in the DCR, it will be populated with the name of the computer. This column is not created automatically and can't be added using the portal. You must manually modify the DCR created by the portal or create the DCR using another method where you can explicitly define the incoming stream. |
120
119
121
-
### [Portal](#tab/portal)
120
+
Use the following ARM template to create a DCR for collecting text log files. You may need to modify the following values in the template itself:
121
+
122
+
-`columns`: Modify with the list of columns in the JSON log that you're collecting.
123
+
-`transformKql`: Modify the default transformation if the schema of the incoming stream doesn't match the schema of the target table. The output schema of the [transformation](../essentials/data-collection-transformations.md) must match the schema of the target table.
122
124
123
-
Create a data collection rule, as described in [Collect data with Azure Monitor Agent](./azure-monitor-agent-data-collection.md). In the **Collect and deliver** step, select **JSON Logs** from the **Data source type** dropdown.
125
+
The following table describes the parameters.
124
126
125
127
| Setting | Description |
126
128
|:---|:---|
127
-
| File pattern | Identifies the location and name of log files on the local disk. Use a wildcard for filenames that vary, for example when a new file is created each day with a new name. You can enter multiple file patterns separated by commas.<br><br>Examples:<br>- C:\Logs\MyLog.json<br>- C:\Logs\MyLog*.json<br>- C:\App01\AppLog.json, C:\App02\AppLog.json<br>- /var/mylog.json<br>- /var/mylog*.json |
129
+
| Data collection rule name | Unique name for the DCR. |
130
+
| Location | Region for the DCR. Must be the same location as the Log Analytics workspace. |
131
+
| File patterns | Identifies the location and name of log files on the local disk. Use a wildcard for filenames that vary, for example when a new file is created each day with a new name. You can enter multiple file patterns separated by commas (AMA version 1.26 or higher required for multiple file patterns on Linux).<br><br>Examples:<br>- C:\Logs\MyLog.json<br>- C:\Logs\MyLog*.json<br>- C:\App01\AppLog.json, C:\App02\AppLog.json<br>- /var/mylog.json<br>- /var/mylog*.json |
128
132
| Table name | Name of the destination table in your Log Analytics Workspace. |
129
-
| Record delimiter | Not currently used but reserved for future potential use allowing delimiters other than the currently supported end of line (`/r/n`). |
130
-
| Transform |[Ingestion-time transformation](../essentials/data-collection-transformations.md) to filter records or to format the incoming data for the destination table. Use `source` to leave the incoming data unchanged. |
131
-
132
-
133
-
134
-
### [Resource Manager template](#tab/arm)
135
-
136
-
Use the following ARM template to create a DCR for collecting text log files. In addition to the parameter values, you may need to modify the following values in the template:
137
-
138
-
-`columns`: Modify with the list of columns in the JSON log that you're collecting.
139
-
-`transformKql`: Modify the default transformation if the schema of the incoming stream doesn't match the schema of the target table. The output schema of the transformation must match the schema of the target table.
133
+
| Workspace resource ID | Resource ID of the Log Analytics workspace with the target table. |
140
134
141
135
> [!IMPORTANT]
142
-
> If you create the DCR using an ARM template, you still must associate the DCR with the agents that will use it. You can edit the DCR in the Azure portal and select the agents as described in [Add resources](./azure-monitor-agent-data-collection.md#add-resources)
143
-
136
+
> When you create the DCR using an ARM template, you still must associate the DCR with the agents that will use it. You can edit the DCR in the Azure portal and select the agents as described in [Add resources](./azure-monitor-agent-data-collection.md#add-resources)
"description": "Region for the DCR. Must be the same location as the Log Analytics workspace. "
152
+
"description": "Region for the DCR. Must be the same location as the Log Analytics workspace. "
153
+
}
160
154
},
161
155
"filePatterns": {
162
-
"type": "string",
156
+
"type": "String",
163
157
"metadata": {
164
-
"description": "Path on the local disk for the log file to collect. May include wildcards.Enter multiple file patterns separated by commas (AMA version 1.26 or higher required for multiple file patterns on Linux)."
165
-
},
158
+
"description": "Path on the local disk for the log file to collect. May include wildcards.Enter multiple file patterns separated by commas (AMA version 1.26 or higher required for multiple file patterns on Linux)."
159
+
}
166
160
},
167
161
"tableName": {
168
-
"type": "string",
162
+
"type": "String",
169
163
"metadata": {
170
-
"description": "Name of destination table in your Log Analytics workspace. "
171
-
},
164
+
"description": "Name of destination table in your Log Analytics workspace. "
165
+
}
172
166
},
173
167
"workspaceResourceId": {
174
-
"type": "string",
168
+
"type": "String",
169
+
"metadata": {
170
+
"description": "Resource ID of the Log Analytics workspace with the target table."
171
+
}
172
+
},
173
+
"dataCollectionEndpointResourceId": {
174
+
"type": "String",
175
175
"metadata": {
176
-
"description": "Resource ID of the Log Analytics workspace with the target table."
177
-
},
176
+
"description": "Resource ID of the Data Collection Endpoint to be used with this rule."
0 commit comments