|
| 1 | +--- |
| 2 | +title: Configure data retention for a table in Microsoft Sentinel and Azure Monitor |
| 3 | +description: Set a retention policy for a table in a Log Analytics workspace. |
| 4 | +author: cwatson-cat |
| 5 | +ms.author: cwatson |
| 6 | +ms.service: microsoft-sentinel |
| 7 | +ms.topic: tutorial |
| 8 | +ms.date: 09/02/2-22 |
| 9 | +ms.custom: template-tutorial |
| 10 | +--- |
| 11 | + |
| 12 | +# Tutorial: Configure a data retention policy for a table in a Log Analytics workspace |
| 13 | + |
| 14 | +<!-- 2. Introductory paragraph |
| 15 | +Required. Lead with a light intro that describes, in customer-friendly language, |
| 16 | +what the customer will learn, or do, or accomplish. Answer the fundamental “why |
| 17 | +would I want to do this?” question. Keep it short. |
| 18 | +--> |
| 19 | + |
| 20 | +[Add your introductory paragraph] |
| 21 | + |
| 22 | +<!-- 3. Tutorial outline |
| 23 | +Required. Use the format provided in the list below. |
| 24 | +--> |
| 25 | + |
| 26 | +In this tutorial, you learn how to: |
| 27 | + |
| 28 | +> [!div class="checklist"] |
| 29 | +> * Set the retention policy for a table |
| 30 | +
|
| 31 | + |
| 32 | +<!-- 4. Prerequisites |
| 33 | +Required. First prerequisite is a link to a free trial account if one exists. If there |
| 34 | +are no prerequisites, state that no prerequisites are needed for this tutorial. |
| 35 | +--> |
| 36 | + |
| 37 | +## Prerequisites |
| 38 | + |
| 39 | +- <!-- An Azure account with an active subscription. [Create an account for free] |
| 40 | + (https://azure.microsoft.com/free/?WT.mc_id=A261C142F). --> |
| 41 | +- <!-- prerequisite 2 --> |
| 42 | +- <!-- prerequisite n --> |
| 43 | + |
| 44 | +<!-- 5. H2s |
| 45 | +Required. Give each H2 a heading that sets expectations for the content that follows. |
| 46 | +Follow the H2 headings with a sentence about how the section contributes to the whole. |
| 47 | +--> |
| 48 | +To complete the steps in this tutorial, you must have the following resources and roles. |
| 49 | + |
| 50 | +- Log Analytics workspace. |
| 51 | + |
| 52 | +## Set the retention policy for a table |
| 53 | +<!-- Introduction paragraph --> |
| 54 | + |
| 55 | +1. Sign in to the [Azure portal](https://portal.azure.com). |
| 56 | +1. In the Azure portal, search for and open **Log Analytics workspaces". |
| 57 | +1. Select the appropriate workspace. |
| 58 | +1. Under **Settings**, select **Tables**. |
| 59 | +1. On a table like **Syslog**, open the context menu (...). |
| 60 | +1. Select **Manage table**. |
| 61 | +1. Under **Data retention**, enter the following values. |
| 62 | + |
| 63 | + |Field |Value | |
| 64 | + |---------|---------| |
| 65 | + |Workplace settings | Clear the checkbox | |
| 66 | + |Interactive retention | 30 days | |
| 67 | + |Total retention period | 60 days | |
| 68 | + |
| 69 | +1. Select **Save**. |
| 70 | + |
| 71 | + |
| 72 | +## Review data retention and archive policy |
| 73 | + |
| 74 | +On the **Tables** page for the table you updated, review the field values for **Interactive retention** and **Archive period**. The archive period equals the total retention period in days minus the interactive retention in days. For example, you set the following values: |
| 75 | + |
| 76 | + |Field |Value | |
| 77 | + |---------|---------| |
| 78 | + |Interactive retention | 30 days | |
| 79 | + |Total retention period | 60 days | |
| 80 | + |
| 81 | +So the **Table** page shows the following an archive period of 30 days. |
| 82 | + |
| 83 | + |
| 84 | +## Clean up resources |
| 85 | + |
| 86 | +No resources were created but you might want to restore the data retention settings you changed. |
| 87 | + |
| 88 | +## Next steps |
| 89 | + |
| 90 | +> [!div class="nextstepaction"] |
| 91 | +> [Data collection rules in Azure Monitor](/azure/azure-monitor/essentials/data-collection-rule-overview) |
0 commit comments