You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/azure-monitor/logs/parse-text.md
+7-3Lines changed: 7 additions & 3 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -13,11 +13,16 @@ Some log data collected by Azure Monitor will include multiple pieces of informa
13
13
14
14
This article describes different options for parsing log data in Azure Monitor when the data is ingested and when it's retrieved in a query, comparing the relative advantages for each.
15
15
16
+
## Permissions required
17
+
18
+
- To parse data at collection time, you need `Microsoft.Insights/dataCollectionRuleAssociations/*` permissions, as provided by the [Log Analytics Contributor built-in role](./manage-access.md#log-analytics-contributor), for example.
19
+
- To parse data at query time, you need `Microsoft.OperationalInsights/workspaces/query/*/read` permissions, as provided by the [Log Analytics Reader built-in role](./manage-access.md#log-analytics-reader), for example.
20
+
16
21
## Parsing methods
17
22
You can parse data either at ingestion time when the data is collected or at query time when you analyze the data with a query. Each strategy has unique advantages.
18
23
19
24
### Parse data at collection time
20
-
When you parse data at collection time, you configure [custom fields](../logs/custom-fields.md)that create new properties in the table. Queries don't have to include any parsing logic and use these properties as any other field in the table.
25
+
Use [transformations](../essentials/data-collection-transformations.md)to parse data at collection time and define which columns to send the parsed data to.
21
26
22
27
**Advantages:**
23
28
@@ -28,7 +33,6 @@ When you parse data at collection time, you configure [custom fields](../logs/cu
28
33
29
34
- Must be defined in advance. Can't include data that's already been collected.
30
35
- If you change the parsing logic, it will only apply to new data.
31
-
- Fewer parsing options than available in queries.
32
36
- Increases latency time for collecting data.
33
37
- Errors can be difficult to handle.
34
38
@@ -48,7 +52,7 @@ When you parse data at query time, you include logic in your query to parse data
48
52
- Can create overhead when you run complex logic against very large record sets (billions of records).
49
53
50
54
## Parse data as it's collected
51
-
For more information on parsing data as it's collected, see [Create custom fields in Azure Monitor](../logs/custom-fields.md). This approach creates custom properties in the table that can be used by queries like any other property.
55
+
For more information on parsing data as it's collected, see [Structure of transformation in Azure Monitor](../essentials/data-collection-transformations-structure.md). This approach creates custom properties in the table that can be used by queries like any other property.
52
56
53
57
## Parse data in a query by using patterns
54
58
When the data you want to parse can be identified by a pattern repeated across records, you can use different operators in the [Kusto Query Language](/azure/kusto/query/) to extract the specific piece of data into one or more new properties.
![prmerger-automator[bot]](https://avatars.githubusercontent.com/u/22479449?v=4&size=40){kind=avatar}
0 commit comments