Merge pull request #190720 from guywi-ms/guywi-ms-add-cli-commands

tamarakhader · web-flow · commit fba96c695a61 · 2022-03-10T12:47:49.000+03:00
Update basic-logs-configure.md
diff --git a/articles/azure-monitor/logs/basic-logs-configure.md b/articles/azure-monitor/logs/basic-logs-configure.md
@@ -25,7 +25,10 @@ You can currently configure the following tables for Basic Logs:
 > [!NOTE]
 > Tables created with the [Data Collector API](data-collector-api.md) do not support Basic Logs.
 
+
 ## Set table configuration
+# [API](#tab/api-1)
+
 To configure a table for Basic Logs or Analytics Logs, call the **Tables - Update** API:
 
 ```http
@@ -34,14 +37,17 @@ PATCH https://management.azure.com/subscriptions/<subscriptionId>/resourcegroups
 > [!IMPORTANT]
 > Use the Bearer token for authentication. Read more about [using Bearer tokens](https://social.technet.microsoft.com/wiki/contents/articles/51140.azure-rest-management-api-the-quickest-way-to-get-your-bearer-token.aspx).
 
-### Request body
+**Request body**
+
 |Name | Type | Description |
 | --- | --- | --- |
 |properties.plan | string  | The table plan. Possible values are *Analytics* and *Basic*.|
 
-### Example
+**Example**
+
 This example configures the `ContainerLog` table for Basic Logs.
-#### Sample request
+
+**Sample request**
 
 ```http
 PATCH https://management.azure.com/subscriptions/ContosoSID/resourcegroups/ContosoRG/providers/Microsoft.OperationalInsights/workspaces/ContosoWorkspace/tables/ContainerLog?api-version=2021-12-01-preview
@@ -67,7 +73,8 @@ Use this request body to change to Analytics Logs:
 }
 ```
 
-#### Sample response
+**Sample response**
+
 This is the response for a table changed to Basic Logs.
 
 Status code: 200
@@ -87,6 +94,27 @@ Status code: 200
 }
 ```
 
+# [CLI](#tab/cli-1)
+
+To configure a table for Basic Logs or Analytics Logs, run the [az monitor log-analytics workspace table update](/cli/azure/monitor/log-analytics/workspace/table#az-monitor-log-analytics-workspace-table-update) command and set the `--plan` parameter to `Basic` or `Analytics`.
+
+For example:
+
+- To set Basic Logs:
+
+    ```azurecli
+    az monitor log-analytics workspace table update --subscription ContosoSID --resource-group ContosoRG  --workspace-name ContosoWorkspace \
+       --name ContainerLog  --plan Basic
+    ```
+
+- To set Analytics Logs:
+
+    ```azurecli
+    az monitor log-analytics workspace table update --subscription ContosoSID --resource-group ContosoRG  --workspace-name ContosoWorkspace \
+   --name ContainerLog  --plan Analytics
+    ```
+   
+---
 
 ## Check table configuration
 # [Portal](#tab/portal-1)
@@ -148,6 +176,17 @@ Status code: 200
 }
 ```
 
+# [CLI](#tab/cli-2)
+
+To check the configuration of a table, run the [az monitor log-analytics workspace table show](/cli/azure/monitor/log-analytics/workspace/table#az-monitor-log-analytics-workspace-table-show) command.
+
+For example:
+
+```azurecli
+az monitor log-analytics workspace table show --subscription ContosoSID --resource-group ContosoRG  --workspace-name ContosoWorkspace \
+   --name Syslog  --output table \ 
+```
+
 ---
 
 ## Retention and archiving of Basic Logs
diff --git a/articles/azure-monitor/logs/data-retention-archive.md b/articles/azure-monitor/logs/data-retention-archive.md
@@ -37,32 +37,19 @@ To set the default workspace retention policy:
 
 ## Set retention and archive policy by table
 
-You can set retention policies for individual tables, except for workspaces in the legacy Free Trial pricing tier, using Azure Resource Manager APIs. You cannot currently configure data retention for individual tables in the Azure portal.
+You can set retention policies for individual tables, except for workspaces in the legacy Free Trial pricing tier, using Azure Resource Manager APIs. You can’t currently configure data retention for individual tables in the Azure portal.
 
 You can keep data in interactive retention between 4 and 730 days. You can set the archive period for a total retention time of up to 2,555 days (seven years). 
 
-Each table is a sub-resource of the workspace it's in. For example, you can address the `SecurityEvent` table in [Azure Resource Manager](../../azure-resource-manager/management/overview.md) as:
+Each table is a subresource of the workspace it's in. For example, you can address the `SecurityEvent` table in [Azure Resource Manager](../../azure-resource-manager/management/overview.md) as:
 
 ```
 /subscriptions/00000000-0000-0000-0000-00000000000/resourceGroups/MyResourceGroupName/providers/Microsoft.OperationalInsights/workspaces/MyWorkspaceName/Tables/SecurityEvent
 ```
 
-Note that the table name is case-sensitive. 
+The table name is case-sensitive. 
 
-### Get retention and archive policy by table
-
-To get the retention policy of a particular table (in this example, `SecurityEvent`), Call the **Tables - Get** API:
-
-```JSON
-GET /subscriptions/00000000-0000-0000-0000-00000000000/resourceGroups/MyResourceGroupName/providers/Microsoft.OperationalInsights/workspaces/MyWorkspaceName/Tables/SecurityEvent?api-version=2021-12-01-preview
-```
-
-To get all table-level retention policies in your workspace, don't set a table name; for example:
-
-```JSON
-GET /subscriptions/00000000-0000-0000-0000-00000000000/resourceGroups/MyResourceGroupName/providers/Microsoft.OperationalInsights/workspaces/MyWorkspaceName/Tables?api-version=2021-12-01-preview
-```
-### Set the retention and archive policy for a table
+# [API](#tab/api-1)
 
 To set the retention and archive duration for a table, call the **Tables - Update** API: 
 
@@ -79,24 +66,26 @@ You can use either PUT or PATCH, with the following difference:
 - The **PUT** API sets *retentionInDays* and *totalRetentionInDays* to the default value if you don't set non-null values.
 - The **PATCH** API doesn't change the *retentionInDays* or *totalRetentionInDays* values if you don't specify values. 
 
+**Request body**
 
-#### Request body
 The request body includes the values in the following table.
 
 |Name | Type | Description |
 | --- | --- | --- |
 |properties.retentionInDays | integer  | The table's data retention in days. This value can be between 4 and 730; or 1095, 1460, 1826, 2191, or 2556. <br/>Setting this property to null will default to the workspace retention. For a Basic Logs table, the value is always 8. | 
 |properties.totalRetentionInDays | integer  | The table's total data retention including archive period. Set this property to null if you don't want to archive data.  | 
 
-#### Example
-The following table sets table retention to workspace default of 30 days, and total of 2 years. This means that the archive duration would be 23 months.
-###### Request
+**Example**
+
+This example sets the table's interactive retention to the workspace default of 30 days, and the total retention to two years. This means the archive duration is 23 months.
+
+**Request**
 
 ```http
 PATCH https://management.azure.com/subscriptions/00000000-0000-0000-0000-00000000000/resourcegroups/testRG/providers/Microsoft.OperationalInsights/workspaces/testWS/tables/CustomLog_CL?api-version=2021-12-01-preview
 ```
 
-#### Request body
+**Request body**
 ```http
 {
     "properties": {
@@ -106,7 +95,7 @@ PATCH https://management.azure.com/subscriptions/00000000-0000-0000-0000-0000000
 }
 ```
 
-###### Response
+**Response**
 
 Status code: 200
 
@@ -121,15 +110,66 @@ Status code: 200
    ...
 }
 ```
+
+# [CLI](#tab/cli-1)
+
+To set the retention and archive duration for a table, run the [az monitor log-analytics workspace table update](/cli/azure/monitor/log-analytics/workspace/table#az-monitor-log-analytics-workspace-table-update) command and pass the `--retention-time` and `--total-retention-time` parameters.
+
+This example sets table's interactive retention to 30 days, and the total retention to two years. This means the archive duration is 23 months:
+
+```azurecli
+az monitor log-analytics workspace table update --subscription ContosoSID --resource-group ContosoRG  --workspace-name ContosoWorkspace \
+--name AzureMetrics --retention-time 30 --total-retention-time 730
+```
+
+To reapply the workspace's default interactive retention value to the table and reset its total retention to 0, run the [az monitor log-analytics workspace table update](/cli/azure/monitor/log-analytics/workspace/table#az-monitor-log-analytics-workspace-table-update) command with the `--retention-time` and `--total-retention-time` parameters set to `-1`.
+
+For example:
+
+```azurecli
+az monitor log-analytics workspace table update --subscription ContosoSID --resource-group ContosoRG  --workspace-name ContosoWorkspace \
+   --name Syslog --retention-time -1 --total-retention-time -1
+```
+
+---
  
+## Get retention and archive policy by table
+
+# [API](#tab/api-2)
+
+To get the retention policy of a particular table (in this example, `SecurityEvent`), call the **Tables - Get** API:
+
+```JSON
+GET /subscriptions/00000000-0000-0000-0000-00000000000/resourceGroups/MyResourceGroupName/providers/Microsoft.OperationalInsights/workspaces/MyWorkspaceName/Tables/SecurityEvent?api-version=2021-12-01-preview
+```
+
+To get all table-level retention policies in your workspace, don't set a table name; for example:
+
+```JSON
+GET /subscriptions/00000000-0000-0000-0000-00000000000/resourceGroups/MyResourceGroupName/providers/Microsoft.OperationalInsights/workspaces/MyWorkspaceName/Tables?api-version=2021-12-01-preview
+```
+
+# [CLI](#tab/cli-2)
+
+To get the retention policy of a particular table, run the [az monitor log-analytics workspace table show](/cli/azure/monitor/log-analytics/workspace/table#az-monitor-log-analytics-workspace-table-show) command.
+
+For example:
+
+```azurecli
+az monitor log-analytics workspace table show --subscription ContosoSID --resource-group ContosoRG  --workspace-name ContosoWorkspace \
+   --name SecurityEvent
+``` 
+
+---
+
 ## Purge retained data
 When you shorten an existing retention policy, it takes several days for Azure Monitor to remove data that you no longer want to keep. 
 
-If you set the data retention policy to 30 days, you can purge older data immediately using the `immediatePurgeDataOn30Days` parameter in Azure Resource Manager. This can be useful when you need to remove personal data immediately. The immediate purge functionality is not available through the Azure portal. 
+If you set the data retention policy to 30 days, you can purge older data immediately using the `immediatePurgeDataOn30Days` parameter in Azure Resource Manager. The purge functionality is useful when you need to remove personal data immediately. The immediate purge functionality isn't available through the Azure portal. 
  
 Note that workspaces with a 30-day retention policy might actually keep data for 31 days if you don't set the `immediatePurgeDataOn30Days` parameter.
 
-You can also purge data from a workspace using the [purge feature](personal-data-mgmt.md#how-to-export-and-delete-private-data), which removes personal data. You cannot purge data from archived logs. 
+You can also purge data from a workspace using the [purge feature](personal-data-mgmt.md#how-to-export-and-delete-private-data), which removes personal data. You can’t purge data from archived logs. 
 
 The Log Analytics [Purge API](/rest/api/loganalytics/workspacepurge/purge) doesn't affect retention billing. **To lower retention costs, decrease the retention period for the workspace or for specific tables.** 
 
diff --git a/articles/azure-monitor/logs/restore.md b/articles/azure-monitor/logs/restore.md
@@ -22,13 +22,17 @@ The restore operation creates the restore table and allocates additional compute
 
 The destination table provides a view of the underlying source data, but does not affect it in any way. The table has no retention setting, and you must explicitly [dismiss the restored data](#dismiss-restored-data) when you no longer need it. 
 
-## Restore data using API
+## Restore data
+
+# [API](#tab/api-1)
 To restore data from a table, call the **Tables - Create or Update** API. The name of the destination table must end with *_RST*.
 
 ```http
 PUT https://management.azure.com/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/tables/{user defined name}_RST?api-version=2021-12-01-preview
 ```
-### Request body
+
+**Request body**
+
 The body of the request must include the following values:
 
 |Name | Type | Description |
@@ -37,7 +41,8 @@ The body of the request must include the following values:
 |properties.restoredLogs.startRestoreTime | string  | Start of the time range to restore. |
 |properties.restoredLogs.endRestoreTime | string  | End of the time range to restore. |
 
-### Restore table status
+**Restore table status**
+
 The **provisioningState** property indicates the current state of the restore table operation. The API returns this property when you start the restore, and you can retrieve this property later using a GET operation on the table. The **provisioningState** property has one of the following values:
 
 | Value | Description 
@@ -46,7 +51,8 @@ The **provisioningState** property indicates the current state of the restore ta
 | Succeeded | Restore operation completed. |
 | Deleting | Deleting the restored table. |
 
-#### Sample request
+**Sample request**
+
 This sample restores data from the month of January 2020 from the *Usage* table to a table called *Usage_RST*. 
 
 **Request**
@@ -67,21 +73,45 @@ PUT https://management.azure.com/subscriptions/00000000-0000-0000-0000-000000000
   }
 }
 ```
+# [CLI](#tab/cli-1)
 
+To restore data from a table, run the [az monitor log-analytics workspace table restore create](/cli/azure/monitor/log-analytics/workspace/table/restore#az-monitor-log-analytics-workspace-table-restore-create) command.
+
+For example:
+
+```azurecli
+az monitor log-analytics workspace table restore create --subscription ContosoSID --resource-group ContosoRG  --workspace-name ContosoWorkspace \
+   --name Heartbeat_RST --restore-source-table Heartbeat --start-restore-time "2022-01-01T00:00:00.000Z" --end-restore-time "2022-01-08T00:00:00.000Z" --no-wait
+```
+
+---
 ## Dismiss restored data
 
 To save costs, dismiss restored data when you no longer need it by deleting the restored table.
 
+Deleting the restored table does not delete the data in the source table.
+
+> [!NOTE]
+> Restored data is available as long as the underlying source data is available. When you delete the source table from the workspace or when the source table's retention period ends, the data is dismissed from the restored table. However, the empty table will remain if you do not delete it explicitly. 
+
+# [API](#tab/api-2)
 To delete a restore table, call the **Tables - Delete** API:
 
 ```http
 DELETE https://management.azure.com/subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/tables/{user defined name}_RST?api-version=2021-12-01-preview
 ```
-Deleting the restored table does not delete the data in the source table.
+# [CLI](#tab/cli-2)
 
-> [!NOTE]
-> Restored data is available as long as the underlying source data is available. When you delete the source table from the workspace or when the source table's retention period ends, the data is dismissed from the restored table. However, the empty table will remain if you do not delete it explicitly.   
+To delete a restore table, run the [az monitor log-analytics workspace table delete](/cli/azure/monitor/log-analytics/workspace/table#az-monitor-log-analytics-workspace-table-delete) command.
+
+For example:
 
+```azurecli
+az monitor log-analytics workspace table delete --subscription ContosoSID --resource-group ContosoRG  --workspace-name ContosoWorkspace \
+   --name Heartbeat_RST
+```
+
+---
 ## Limitations
 Restore is subject to the following limitations. 
 
diff --git a/articles/azure-monitor/logs/search-jobs.md b/articles/azure-monitor/logs/search-jobs.md
