Log Analytics workspace data export in Azure Monitor - Azure Monitor (2024)

Table of Contents
In this article Overview Other export options Limitations Data completeness Pricing model Export destinations Storage Account Event Hubs Query exported data Enable data export Register the resource provider Allow trusted Microsoft services Monitor destinations Create or update a data export rule View data export rule configuration Disable or update an export rule Delete an export rule View all data export rules in a workspace Unsupported tables Supported tables Next steps FAQs
  • Article

Data export in a Log Analytics workspace lets you continuously export data per selected tables in your workspace. You can export to an Azure Storage Account or Azure Event Hubs as the data arrives to an Azure Monitor pipeline. This article provides details on this feature and steps to configure data export in your workspaces.

Overview

Data in Log Analytics is available for the retention period defined in your workspace. It's used in various experiences provided in Azure Monitor and Azure services. There are cases where you need to use other tools:

  • Tamper-protected store compliance: Data can't be altered in Log Analytics after it's ingested, but it can be purged. Export to a Storage Account set with immutability policies to keep data tamper protected.
  • Integration with Azure services and other tools: Export to Event Hubs as data arrives and is processed in Azure Monitor.
  • Long-term retention of audit and security data: Export to a Storage Account in the workspace's region. Or you can replicate data to other regions by using any of the Azure Storage redundancy options including GRS and GZRS.

After you've configured data export rules in a Log Analytics workspace, new data for tables in rules is exported from the Azure Monitor pipeline to your Storage Account or Event Hubs as it arrives. Data export traffic is in Azure backbone network and doesn't leave the Azure network.

Data is exported without a filter. For example, when you configure a data export rule for a SecurityEvent table, all data sent to the SecurityEvent table is exported starting from the configuration time. Alternatively, you can filter or modify exported data by configuring transformations in your workspace, which apply to incoming data, before it's sent to your Log Analytics workspaces and to export destinations.

Other export options

Log Analytics workspace data export continuously exports data that's sent to your Log Analytics workspace. There are other options to export data for particular scenarios:

  • Configure diagnostic settings in Azure resources. Logs are sent to a destination directly. This approach has lower latency compared to data export in Log Analytics.
  • Schedule export of data based on a log query you define with the Log Analytics query API. Use Azure Data Factory, Azure Functions, or Azure Logic Apps to orchestrate queries in your workspace and export data to a destination. This method is similar to the data export feature, but you can use it to export historical data from your workspace by using filters and aggregation. This method is subject to log query limits and isn't intended for scale. For more information, see Export data from a Log Analytics workspace to a Storage Account by using Logic Apps.
  • One-time export to a local machine by using a PowerShell script. For more information, see Invoke-AzOperationalInsightsQueryExport.

Limitations

  • Custom logs created using the HTTP Data Collector API can't be exported, including text-based logs consumed by Log Analytics agent. Custom logs created using data collection rules, including text-based logs, can be exported.
  • Data export will gradually support more tables, but is currently limited to tables specified in the supported tables section. You can include tables that aren't yet supported in rules, but no data will be exported for them until the tables are supported.
  • You can define up to 10 enabled rules in your workspace, each can include multiple tables. You can create more rules in workspace in disabled state.
  • Destinations must be in the same region as the Log Analytics workspace.
  • The Storage Account must be unique across rules in the workspace.
  • Table names can be 60 characters long when you're exporting to a Storage Account. They can be 47 characters when you're exporting to Event Hubs. Tables with longer names won't be exported.
  • Export to Premium Storage Account isn't supported.

Data completeness

Data export is optimized to move large data volume to your destinations. The export operation might fail if the destination doesn't have sufficient capacity or is unavailable. In the event of failure, the retry process continues for up to 12 hours. For more information about destination limits and recommended alerts, see Create or update a data export rule. If the destinations are still unavailable after the retry period, the data is discarded. In certain cases, retry can cause duplication of a fraction of the exported records.

Pricing model

Data export charges are based on the number of bytes exported to destinations in JSON formatted data, and measured in GB (10^9 bytes). Size calculation in workspace query can't correspond with export charges since doesn't include the JSON formatted data. You can use PowerShell to calculate the total billing size of a blob container.

For more information, including the data export billing timeline, see Azure Monitor pricing. Billing for Data Export was enabled in early October 2023.

Export destinations

The data export destination must be available before you create export rules in your workspace. Destinations don't have to be in the same subscription as your workspace. When you use Azure Lighthouse, it's also possible to send data to destinations in another Microsoft Entra tenant.

You need to have write permissions to both workspace and destination to configure a data export rule on any table in a workspace. The shared access policy for the Event Hubs namespace defines the permissions that the streaming mechanism has. Streaming to Event Hubs requires manage, send, and listen permissions. To update the export rule, you must have the ListKey permission on that Event Hubs authorization rule.

Storage Account

Avoid using existing Storage Account that has other non-monitoring data, to better control access to the data, prevent reaching storage ingress rate limit failures, and latency.

To send data to an immutable Storage Account, set the immutable policy for the Storage Account as described in Set and manage immutability policies for Azure Blob Storage. You must follow all steps in this article, including enabling protected append blobs writes.

The Storage Account can't be Premium, must be StorageV1 or later, and located in the same region as your workspace. If you need to replicate your data to other Storage Accounts in other regions, you can use any of the Azure Storage redundancy options, including GRS and GZRS.

Data is sent to Storage Accounts as it reaches Azure Monitor and exported to destinations located in a workspace region. A container is created for each table in the Storage Account with the name am- followed by the name of the table. For example, the table SecurityEvent would send to a container named am-SecurityEvent.

See Also
Microsoft Azure Application Insights vs Log AnalyticsLog Analytics Agent deprecation - Prepare for the endAzure Application Insights vs Azure Monitor | What are the differences?Azure Monitor Agent overview - Azure Monitor

Blobs are stored in 5-minute folders in the following path structure: WorkspaceResourceId=/subscriptions/subscription-id/resourcegroups/<resource-group>/providers/microsoft.operationalinsights/workspaces/<workspace>/y=<four-digit numeric year>/m=<two-digit numeric month>/d=<two-digit numeric day>/h=<two-digit 24-hour clock hour>/m=<two-digit 60-minute clock minute>/PT05M.json. Appends to blobs are limited to 50-K writes. More blobs will be added in the folder as PT05M_#.json*, where '#' is the incremental blob count.

Note

Appends to blobs are written based on the "TimeGenerated" field and occur when receiving source data. Data arriving to Azure Monitor with delay, or retried following destinations throttling, is written to blobs according to its TimeGenerated.

The format of blobs in a Storage Account is in JSON lines, where each record is delimited by a new line, with no outer records array and no commas between JSON records.

Event Hubs

Avoid using existing Event Hub that has non-monitoring data to prevent reaching the Event Hubs namespace ingress rate limit failures, and latency.

Data is sent to your Event Hub as it reaches Azure Monitor and is exported to destinations located in a workspace region. You can create multiple export rules to the same Event Hubs namespace by providing a different Event Hub name in the rule. When an Event Hub name isn't provided, a default Event Hub is created for tables that you export with the name am- followed by the name of the table. For example, the table SecurityEvent would be sent to an Event Hub named am-SecurityEvent.

The number of supported Event Hubs in Basic and Standard namespace tiers is 10. When you're exporting more than 10 tables to these tiers, either split the tables between several export rules to different Event Hubs namespaces or provide an Event Hub name to export all tables to it.

Note

  • The Basic Event Hubs namespace tier is limited. It supports lower event size and no Auto-inflate option to automatically scale up and increase the number of throughput units. Because data volume to your workspace increases over time and as a consequence Event Hub scaling is required, use Standard, Premium, or Dedicated Event Hubs tiers with the Auto-inflate feature enabled. For more information, see Automatically scale up Azure Event Hubs throughput units.
  • Data export can't reach Event Hubs resources when virtual networks are enabled. You have to select the Allow Azure services on the trusted services list to access this Storage Account checkbox to bypass this firewall setting in an Event Hub to grant access to your Event Hubs.

Query exported data

Exporting data from workspaces to Storage Accounts help satisfy various scenarios mentioned in overview, and can be consumed by tools that can read blobs from Storage Accounts. The following methods let you query data using Log Analytics query language, which is the same for Azure Data Explorer.

  1. Use Azure Data Explorer to query data in Azure Data Lake.
  2. Use Azure Data Explorer to ingest data from a Storage Account.
  3. Use Log Analytics workspace to query ingested data using Logs Ingestion API . Ingested data is to a custom log table and not to the original table.

Enable data export

The following steps must be performed to enable Log Analytics data export. For more information on each, see the following sections:

  • Register the resource provider
  • Allow trusted Microsoft services
  • Create or update a data export rule

Register the resource provider

The Azure resource provider Microsoft.Insights needs to be registered in your subscription to enable Log Analytics data export.

This resource provider is probably already registered for most Azure Monitor users. To verify, go to Subscriptions in the Azure portal. Select your subscription and then select Resource providers under the Settings section of the menu. Locate Microsoft.Insights. If its status is Registered, then it's already registered. If not, select Register to register it.

You can also use any of the available methods to register a resource provider as described in Azure resource providers and types. The following sample command uses the Azure CLI:

az provider register --namespace 'Microsoft.insights'

The following sample command uses PowerShell:

See Also
Query and view logs overview  |  Cloud Logging  |  Google Cloud

Register-AzResourceProvider -ProviderNamespace Microsoft.insights

Allow trusted Microsoft services

If you've configured your Storage Account to allow access from selected networks, you need to add an exception to allow Azure Monitor to write to the account. From Firewalls and virtual networks for your Storage Account, select Allow Azure services on the trusted services list to access this Storage Account.

Monitor destinations

Important

Export destinations have limits and should be monitored to minimize throttling, failures, and latency. For more information, see Storage Account scalability and Event Hubs namespace quotas.

The following metrics are available for data export operation and alerts

Metric nameDescription
Bytes ExportedTotal number of bytes exported to destination from Log Analytics workspace within the selected time range. The size of data exported is the number of bytes in the exported JSON formatted data. 1 GB = 10^9 bytes.
Export FailuresTotal number of failed export requests to destination from Log Analytics workspace within the selected time range. This number includes export attempts failures due to destination resource throttling, forbidden access error, or any server error. A retry process handles failed attempts and the number isn’t an indication for missing data.
Records exportedTotal number of records exported from Log Analytics workspace within the selected time range. This number counts records for operations that ended with success.

Monitor a Storage Account

  1. Use a separate Storage Account for export.

  2. Configure an alert on the metric:

    ScopeMetric namespaceMetricAggregationThreshold
    storage-nameAccountIngressSum80% of maximum ingress per alert evaluation period. For example, the limit is 60 Gbps for general-purpose v2 in West US. The alert threshold is 1676 GiB per 5-minute evaluation period.

  3. Alert remediation actions:

    • Use a separate Storage Account for export that isn't shared with non-monitoring data.
    • Azure Storage Standard accounts support higher ingress limit by request. To request an increase, contact Azure Support.
    • Split tables between more Storage Accounts.

Monitor Event Hubs

  1. Configure alerts on the metrics:

    ScopeMetric namespaceMetricAggregationThreshold
    namespaces-nameEvent Hubs standard metricsIncoming bytesSum80% of maximum ingress per alert evaluation period. For example, the limit is 1 MB/s per unit (TU or PU) and five units used. The threshold is 228 MiB per 5-minute evaluation period.
    namespaces-nameEvent Hubs standard metricsIncoming requestsCount80% of maximum events per alert evaluation period. For example, the limit is 1,000/s per unit (TU or PU) and five units used. The threshold is 1,200,000 per 5-minute evaluation period.
    namespaces-nameEvent Hubs standard metricsQuota exceeded errorsCountBetween 1% of request. For example, requests per 5 minutes is 600,000. The threshold is 6,000 per 5-minute evaluation period.

  2. Alert remediation actions:

    • Use a separate Event Hubs namespace for export that isn't shared with non-monitoring data.
    • Configure the Auto-inflate feature to automatically scale up and increase the number of throughput units to meet usage needs.
    • Verify the increase of throughput units to accommodate data volume.
    • Split tables between more namespaces.
    • Use Premium or Dedicated tiers for higher throughput.

Create or update a data export rule

A data export rule defines the destination and tables for which data is exported. The rule provisioning takes about 30 minutes before the export operation initiated. Data export rules considerations:

  • The Storage Account must be unique across rules in the workspace.
  • Multiple rules can use the same Event Hubs namespace when you're sending to separate Event Hubs.
  • Export to a Storage Account: A separate container is created in the Storage Account for each table.
  • Export to Event Hubs: If an Event Hub name isn't provided, a separate Event Hub is created for each table. The number of supported Event Hubs in Basic and Standard namespace tiers is 10. When you're exporting more than 10 tables to these tiers, either split the tables between several export rules to different Event Hubs namespaces or provide an Event Hub name in the rule to export all tables to it.
  • Azure portal
  • PowerShell
  • Azure CLI
  • REST
  • Template

  1. On the Log Analytics workspace menu in the Azure portal, select Data Export under the Settings section. Select New export rule at the top of the pane.

  2. Follow the steps, and then select Create. Only the tables with data in them are displayed under "Source" tab.

View data export rule configuration

  • Azure portal
  • PowerShell
  • Azure CLI
  • REST
  • Template

  1. On the Log Analytics workspace menu in the Azure portal, select Data Export under the Settings section.

  2. Select a rule for a configuration view.

Disable or update an export rule

  • Azure portal
  • PowerShell
  • Azure CLI
  • REST
  • Template

You can disable export rules to stop the export for a certain period, such as when testing is being held. On the Log Analytics workspace menu in the Azure portal, select Data Export under the Settings section. Select the Status toggle to disable or enable the export rule.

Delete an export rule

  • Azure portal
  • PowerShell
  • Azure CLI
  • REST
  • Template

On the Log Analytics workspace menu in the Azure portal, select Data Export under the Settings section. Select the ellipsis to the right of the rule and select Delete.

View all data export rules in a workspace

  • Azure portal
  • PowerShell
  • Azure CLI
  • REST
  • Template

On the Log Analytics workspace menu in the Azure portal, select Data Export under the Settings section to view all export rules in the workspace.

Unsupported tables

If the data export rule includes an unsupported table, the configuration will succeed, but no data will be exported for that table. If the table is later supported, then its data will be exported at that time.

Supported tables

Note

We are in a process of adding support for more tables. Please check this article regularly.

TableLimitations
AACAudit
AACHttpRequest
AADB2CRequestLogs
AADCustomSecurityAttributeAuditLogs
AADDomainServicesAccountLogon
AADDomainServicesAccountManagement
AADDomainServicesDirectoryServiceAccess
AADDomainServicesDNSAuditsDynamicUpdates
AADDomainServicesDNSAuditsGeneral
AADDomainServicesLogonLogoff
AADDomainServicesPolicyChange
AADDomainServicesPrivilegeUse
AADManagedIdentitySignInLogs
AADNonInteractiveUserSignInLogs
AADProvisioningLogs
AADRiskyServicePrincipals
AADRiskyUsers
AADServicePrincipalRiskEvents
AADServicePrincipalSignInLogs
AADUserRiskEvents
ABSBotRequests
ACICollaborationAudit
ACRConnectedClientList
ACSAuthIncomingOperations
ACSBillingUsage
ACSCallAutomationIncomingOperations
ACSCallAutomationMediaSummary
ACSCallClientMediaStatsTimeSeries
ACSCallClientOperations
ACSCallClosedCaptionsSummary
ACSCallDiagnostics
ACSCallRecordingIncomingOperations
ACSCallRecordingSummary
ACSCallSummary
ACSCallSurvey
ACSChatIncomingOperations
ACSEmailSendMailOperational
ACSEmailStatusUpdateOperational
ACSEmailUserEngagementOperational
ACSJobRouterIncomingOperations
ACSNetworkTraversalDiagnostics
ACSNetworkTraversalIncomingOperations
ACSRoomsIncomingOperations
ACSSMSIncomingOperations
ADAssessmentRecommendation
AddonAzureBackupAlerts
AddonAzureBackupJobs
AddonAzureBackupPolicy
AddonAzureBackupProtectedInstance
AddonAzureBackupStorage
ADFActivityRun
ADFAirflowSchedulerLogs
ADFAirflowTaskLogs
ADFAirflowWebLogs
ADFAirflowWorkerLogs
ADFPipelineRun
ADFSandboxActivityRun
ADFSandboxPipelineRun
ADFSSignInLogs
ADFSSISIntegrationRuntimeLogs
ADFSSISPackageEventMessageContext
ADFSSISPackageEventMessages
ADFSSISPackageExecutableStatistics
ADFSSISPackageExecutionComponentPhases
ADFSSISPackageExecutionDataStatistics
ADFTriggerRun
ADPAudit
ADPDiagnostics
ADPRequests
ADReplicationResult
ADSecurityAssessmentRecommendation
ADTDataHistoryOperation
ADTDigitalTwinsOperation
ADTEventRoutesOperation
ADTModelsOperation
ADTQueryOperation
ADXCommand
ADXIngestionBatching
ADXJournal
ADXQuery
ADXTableDetails
ADXTableUsageStatistics
AegDataPlaneRequests
AegDeliveryFailureLogs
AegPublishFailureLogs
AEWAssignmentBlobLogs
AEWAuditLogs
AEWComputePipelinesLogs
AFSAuditLogs
AGCAccessLogs
AgriFoodApplicationAuditLogs
AgriFoodFarmManagementLogs
AgriFoodFarmOperationLogs
AgriFoodInsightLogs
AgriFoodJobProcessedLogs
AgriFoodModelInferenceLogs
AgriFoodProviderAuthLogs
AgriFoodSatelliteLogs
AgriFoodSensorManagementLogs
AgriFoodWeatherLogs
AGSGrafanaLoginEvents
AGWAccessLogs
AGWFirewallLogs
AGWPerformanceLogs
AHDSDicomAuditLogs
AHDSDicomDiagnosticLogs
AHDSMedTechDiagnosticLogs
AirflowDagProcessingLogs
AKSAudit
AKSAuditAdmin
AKSControlPlane
ALBHealthEvent
AlertPartial support. Data ingestion for Zabbix alerts isn't supported.
AlertEvidence
AlertInfo
AmlComputeClusterEvent
AmlComputeCpuGpuUtilization
AmlComputeInstanceEvent
AmlComputeJobEvent
AmlDataLabelEvent
AmlDataSetEvent
AmlDataStoreEvent
AmlDeploymentEvent
AmlEnvironmentEvent
AmlInferencingEvent
AmlModelsEvent
AmlOnlineEndpointConsoleLog
AmlOnlineEndpointEventLog
AmlOnlineEndpointTrafficLog
AmlPipelineEvent
AmlRegistryReadEventsLog
AmlRegistryWriteEventsLog
AmlRunEvent
AmlRunStatusChangedEvent
AMSKeyDeliveryRequests
AMSLiveEventOperations
AMSMediaAccountHealth
AMSStreamingEndpointRequests
AMWMetricsUsageDetails
ANFFileAccess
Anomalies
AOIDatabaseQuery
AOIDigestion
AOIStorage
ApiManagementGatewayLogs
ApiManagementWebSocketConnectionLogs
AppAvailabilityResults
AppBrowserTimings
AppCenterError
AppDependencies
AppEnvSpringAppConsoleLogs
AppEvents
AppExceptions
AppMetrics
AppPageViews
AppPerformanceCounters
AppPlatformBuildLogs
AppPlatformContainerEventLogs
AppPlatformIngressLogs
AppPlatformLogsforSpring
AppPlatformSystemLogs
AppRequests
AppServiceAntivirusScanAuditLogs
AppServiceAppLogs
AppServiceAuditLogs
AppServiceAuthenticationLogs
AppServiceConsoleLogs
AppServiceEnvironmentPlatformLogs
AppServiceFileAuditLogs
AppServiceHTTPLogs
AppServiceIPSecAuditLogs
AppServicePlatformLogs
AppServiceServerlessSecurityPluginData
AppSystemEvents
AppTraces
ArcK8sAudit
ArcK8sAuditAdmin
ArcK8sControlPlane
ASCAuditLogs
ASCDeviceEvents
ASimAuditEventLogs
ASimAuthenticationEventLogs
ASimDhcpEventLogs
ASimDnsActivityLogs
ASimFileEventLogs
ASimNetworkSessionLogs
ASimProcessEventLogs
ASimRegistryEventLogs
ASimUserManagementActivityLogs
ASimWebSessionLogs
ASRJobs
ASRReplicatedItems
ATCExpressRouteCircuitIpfix
AuditLogs
AutoscaleEvaluationsLog
AutoscaleScaleActionsLog
AVNMConnectivityConfigurationChange
AVNMIPAMPoolAllocationChange
AVNMNetworkGroupMembershipChange
AVNMRuleCollectionChange
AVSSyslog
AWSCloudTrail
AWSCloudWatch
AWSGuardDuty
AWSVPCFlow
AZFWApplicationRule
AZFWApplicationRuleAggregation
AZFWDnsQuery
AZFWFatFlow
AZFWFlowTrace
AZFWIdpsSignature
AZFWInternalFqdnResolutionFailure
AZFWNatRule
AZFWNatRuleAggregation
AZFWNetworkRule
AZFWNetworkRuleAggregation
AZFWThreatIntel
AZKVAuditLogs
AZKVPolicyEvaluationDetailsLogs
AZMSApplicationMetricLogs
AZMSArchiveLogs
AZMSAutoscaleLogs
AZMSCustomerManagedKeyUserLogs
AZMSDiagnosticErrorLogs
AZMSHybridConnectionsEvents
AZMSKafkaCoordinatorLogs
AZMSKafkaUserErrorLogs
AZMSOperationalLogs
AZMSRunTimeAuditLogs
AZMSVnetConnectionEvents
AzureAssessmentRecommendation
AzureAttestationDiagnostics
AzureBackupOperations
AzureDevOpsAuditing
AzureLoadTestingOperation
AzureMetricsV2
BehaviorAnalytics
CassandraAudit
CassandraLogs
CCFApplicationLogs
CDBCassandraRequests
CDBControlPlaneRequests
CDBDataPlaneRequests
CDBGremlinRequests
CDBMongoRequests
CDBPartitionKeyRUConsumption
CDBPartitionKeyStatistics
CDBQueryRuntimeStatistics
ChaosStudioExperimentEventLogs
CHSMManagementAuditLogs
CIEventsAudit
CIEventsOperational
CloudAppEvents
CommonSecurityLog
ComputerGroup
ConfidentialWatchlist
ConfigurationDataPartial support. Some of the data is ingested through internal services that aren't supported in export. Currently, this portion is missing in export.
ContainerAppConsoleLogs
ContainerAppSystemLogs
ContainerEvent
ContainerImageInventory
ContainerInstanceLog
ContainerInventory
ContainerLog
ContainerLogV2
ContainerNodeInventory
ContainerRegistryLoginEvents
ContainerRegistryRepositoryEvents
ContainerServiceLog
CoreAzureBackup
DatabricksAccounts
DatabricksBrickStoreHttpGateway
DatabricksCapsule8Dataplane
DatabricksClamAVScan
DatabricksCloudStorageMetadata
DatabricksClusterLibraries
DatabricksClusters
DatabricksDashboards
DatabricksDataMonitoring
DatabricksDBFS
DatabricksDeltaPipelines
DatabricksFeatureStore
DatabricksFilesystem
DatabricksGenie
DatabricksGitCredentials
DatabricksGlobalInitScripts
DatabricksIAMRole
DatabricksIngestion
DatabricksInstancePools
DatabricksJobs
DatabricksLineageTracking
DatabricksMarketplaceConsumer
DatabricksMLflowAcledArtifact
DatabricksMLflowExperiment
DatabricksModelRegistry
DatabricksNotebook
DatabricksPartnerHub
DatabricksPredictiveOptimization
DatabricksRemoteHistoryService
DatabricksRepos
DatabricksSecrets
DatabricksServerlessRealTimeInference
DatabricksSQLPermissions
DatabricksSSH
DatabricksUnityCatalog
DatabricksWebTerminal
DatabricksWorkspace
DatabricksWorkspaceLogs
DataTransferOperations
DataverseActivity
DCRLogErrors
DCRLogTroubleshooting
DevCenterBillingEventLogs
DevCenterDiagnosticLogs
DevCenterResourceOperationLogs
DeviceEvents
DeviceFileCertificateInfo
DeviceFileEvents
DeviceImageLoadEvents
DeviceInfo
DeviceLogonEvents
DeviceNetworkEvents
DeviceNetworkInfo
DeviceProcessEvents
DeviceRegistryEvents
DeviceTvmSecureConfigurationAssessment
DeviceTvmSecureConfigurationAssessmentKB
DeviceTvmSoftwareInventory
DeviceTvmSoftwareVulnerabilities
DeviceTvmSoftwareVulnerabilitiesKB
DnsEvents
DnsInventory
DNSQueryLogs
DSMAzureBlobStorageLogs
DSMDataClassificationLogs
DSMDataLabelingLogs
Dynamics365Activity
DynamicSummary
EGNFailedMqttConnections
EGNFailedMqttPublishedMessages
EGNFailedMqttSubscriptions
EGNMqttDisconnections
EGNSuccessfulMqttConnections
EmailAttachmentInfo
EmailEvents
EmailPostDeliveryEvents
EmailUrlInfo
EnrichedMicrosoft365AuditLogs
ETWEventPartial support. Data arriving from the Log Analytics agent or Azure Monitor Agent is fully supported in export. Data arriving via the Diagnostics extension agent is collected through storage. This path isn't supported in export.
EventPartial support. Data arriving from the Log Analytics agent or Azure Monitor Agent is fully supported in export. Data arriving via the Diagnostics extension agent is collected through storage. This path isn't supported in export.
ExchangeAssessmentRecommendation
ExchangeOnlineAssessmentRecommendation
FailedIngestion
FunctionAppLogs
GCPAuditLogs
GoogleCloudSCC
HDInsightAmbariClusterAlerts
HDInsightAmbariSystemMetrics
HDInsightGatewayAuditLogs
HDInsightHadoopAndYarnLogs
HDInsightHadoopAndYarnMetrics
HDInsightHBaseLogs
HDInsightHBaseMetrics
HDInsightHiveAndLLAPLogs
HDInsightHiveAndLLAPMetrics
HDInsightHiveQueryAppStats
HDInsightHiveTezAppStats
HDInsightJupyterNotebookEvents
HDInsightKafkaLogs
HDInsightKafkaMetrics
HDInsightOozieLogs
HDInsightRangerAuditLogs
HDInsightSecurityLogs
HDInsightSparkApplicationEvents
HDInsightSparkBlockManagerEvents
HDInsightSparkEnvironmentEvents
HDInsightSparkExecutorEvents
HDInsightSparkExtraEvents
HDInsightSparkJobEvents
HDInsightSparkLogs
HDInsightSparkSQLExecutionEvents
HDInsightSparkStageEvents
HDInsightSparkStageTaskAccumulables
HDInsightSparkTaskEvents
HDInsightStormLogs
HDInsightStormMetrics
HDInsightStormTopologyMetrics
HealthStateChangeEvent
Heartbeat
HuntingBookmark
IdentityDirectoryEvents
IdentityInfo
IdentityLogonEvents
IdentityQueryEvents
InsightsMetricsPartial support. Some of the data is ingested through internal services that aren't supported in export. Currently, this portion is missing in export.
IntuneAuditLogs
IntuneDeviceComplianceOrg
IntuneDevices
IntuneOperationalLogs
KubeEvents
KubeHealth
KubeMonAgentEvents
KubeNodeInventory
KubePodInventory
KubePVInventory
KubeServices
LAQueryLogs
LASummaryLogs
LinuxAuditLog
LogicAppWorkflowRuntime
McasShadowItReporting
MCCEventLogs
MCVPAuditLogs
MCVPOperationLogs
MDCFileIntegrityMonitoringEvents
MDECustomCollectionDeviceFileEvents
MicrosoftAzureBastionAuditLogs
MicrosoftDataShareReceivedSnapshotLog
MicrosoftDataShareSentSnapshotLog
MicrosoftDataShareShareLog
MicrosoftGraphActivityLogs
MicrosoftHealthcareApisAuditLogs
MicrosoftPurviewInformationProtection
MNFDeviceUpdates
MNFSystemSessionHistoryUpdates
MNFSystemStateMessageUpdates
NCBMBreakGlassAuditLogs
NCBMSecurityDefenderLogs
NCBMSecurityLogs
NCBMSystemLogs
NCCKubernetesLogs
NCCVMOrchestrationLogs
NCSStorageAlerts
NCSStorageLogs
NetworkAccessTraffic
NetworkMonitoring
NGXOperationLogs
NSPAccessLogs
NTAInsights
NTAIpDetails
NTANetAnalytics
NTATopologyDetails
NWConnectionMonitorDestinationListenerResult
NWConnectionMonitorDNSResult
NWConnectionMonitorPathResult
NWConnectionMonitorTestResult
OEPAirFlowTask
OEPAuditLogs
OEPDataplaneLogs
OEPElasticOperator
OEPElasticsearch
OfficeActivity
OLPSupplyChainEntityOperations
OLPSupplyChainEvents
OperationPartial support. Some of the data is ingested through internal services that aren't supported in export. Currently, this portion is missing in export.
Perf
PFTitleAuditLogs
PowerAppsActivity
PowerAutomateActivity
PowerBIActivity
PowerBIAuditTenant
PowerBIDatasetsTenant
PowerBIDatasetsWorkspace
PowerBIReportUsageWorkspace
PowerPlatformAdminActivity
PowerPlatformConnectorActivity
PowerPlatformDlpActivity
ProjectActivity
PurviewDataSensitivityLogs
PurviewScanStatusLogs
PurviewSecurityLogs
REDConnectionEvents
RemoteNetworkHealthLogs
ResourceManagementPublicAccessLogs
SCCMAssessmentRecommendation
SCOMAssessmentRecommendation
SecureScoreControls
SecureScores
SecurityAlert
SecurityAttackPathData
SecurityBaseline
SecurityBaselineSummary
SecurityDetection
SecurityEvent
SecurityIncident
SecurityIoTRawEvent
SecurityNestedRecommendation
SecurityRecommendation
SecurityRegulatoryCompliance
SentinelAudit
SentinelHealth
ServiceFabricOperationalEventPartial support. Data arriving from the Log Analytics agent or Azure Monitor Agent is fully supported in export. Data arriving via the Diagnostics extension agent is collected through storage. This path isn't supported in export.
ServiceFabricReliableActorEventPartial support. Data arriving from the Log Analytics agent or Azure Monitor Agent is fully supported in export. Data arriving via the Diagnostics extension agent is collected through storage. This path isn't supported in export.
ServiceFabricReliableServiceEventPartial support. Data arriving from the Log Analytics agent or Azure Monitor Agent is fully supported in export. Data arriving via the Diagnostics extension agent is collected through storage. This path isn't supported in export.
SfBAssessmentRecommendation
SharePointOnlineAssessmentRecommendation
SignalRServiceDiagnosticLogs
SigninLogs
SPAssessmentRecommendation
SQLAssessmentRecommendation
SqlAtpStatus
SQLSecurityAuditEvents
SqlVulnerabilityAssessmentScanStatus
StorageBlobLogs
StorageCacheOperationEvents
StorageCacheUpgradeEvents
StorageCacheWarningEvents
StorageFileLogs
StorageMalwareScanningResults
StorageMoverCopyLogsFailed
StorageMoverCopyLogsTransferred
StorageMoverJobRunLogs
StorageQueueLogs
StorageTableLogs
SucceededIngestion
SynapseBigDataPoolApplicationsEnded
SynapseBuiltinSqlPoolRequestsEnded
SynapseDXCommand
SynapseDXFailedIngestion
SynapseDXIngestionBatching
SynapseDXQuery
SynapseDXSucceededIngestion
SynapseDXTableDetails
SynapseDXTableUsageStatistics
SynapseGatewayApiRequests
SynapseIntegrationActivityRuns
SynapseIntegrationPipelineRuns
SynapseIntegrationTriggerRuns
SynapseLinkEvent
SynapseRbacOperations
SynapseScopePoolScopeJobsEnded
SynapseScopePoolScopeJobsStateChange
SynapseSqlPoolDmsWorkers
SynapseSqlPoolExecRequests
SynapseSqlPoolRequestSteps
SynapseSqlPoolSqlRequests
SynapseSqlPoolWaits
Syslog
ThreatIntelligenceIndicator
TSIIngress
UCClient
UCClientReadinessStatus
UCClientUpdateStatus
UCDeviceAlert
UCDOAggregatedStatus
UCDOStatus
UCServiceUpdateStatus
UCUpdateAlert
UpdatePartial support. Some of the data is ingested through internal services that aren't supported in export. Currently, this portion is missing in export.
UpdateRunProgress
UpdateSummary
UrlClickEvents
Usage
UserAccessAnalytics
UserPeerAnalytics
VCoreMongoRequests
VIAudit
VIIndexing
VMConnectionPartial support. Some of the data is ingested through internal services that aren't supported in export. Currently, this portion is missing in export.
W3CIISLogPartial support. Data arriving from the Log Analytics agent or Azure Monitor Agent is fully supported in export. Data arriving via the Diagnostics extension agent is collected through storage. This path isn't supported in export.
WaaSDeploymentStatus
WaaSInsiderStatus
WaaSUpdateStatus
Watchlist
WebPubSubConnectivity
WebPubSubHttpRequest
WebPubSubMessaging
Windows365AuditLogs
WindowsClientAssessmentRecommendation
WindowsEvent
WindowsFirewall
WindowsServerAssessmentRecommendation
WireDataPartial support. Some of the data is ingested through internal services that aren't supported in export. Currently, this portion is missing in export.
WorkloadDiagnosticLogs
WUDOAggregatedStatus
WUDOStatus
WVDAgentHealthStatus
WVDAutoscaleEvaluationPooled
WVDCheckpoints
WVDConnectionGraphicsDataPreview
WVDConnectionNetworkData
WVDConnections
WVDErrors
WVDFeeds
WVDHostRegistrations
WVDManagement
WVDSessionHostManagement

Next steps

Query the exported data from Azure Data Explorer

Log Analytics workspace data export in Azure Monitor - Azure Monitor (2024)

FAQs

How do I export log analytics workspace in Azure? ›

In the Azure portal, search for and select Log Analytics workspaces, and then select your workspace from the workspace list. In the workspace menu pane, in the Settings section, select Data Export. The list of data export rules appears.

Read On
What does an Azure monitor do once enough data is collected? ›

Azure Monitor collects and aggregates the data from every layer and component of your system across multiple Azure and non-Azure subscriptions and tenants. It stores it in a common data platform for consumption by a common set of tools that can correlate, analyze, visualize, and/or respond to the data.

Discover More Details
How to extract data from log analytics workspace? ›

  1. On the Log Analytics workspace menu in the Azure portal, select Data Export under the Settings section. Select New export rule at the top of the pane.
  2. Follow the steps, and then select Create. Only the tables with data in them are displayed under "Source" tab.
Jun 14, 2024

Continue Reading
Is log analytics workspace part of Azure monitor? ›

Azure Monitor builds on top of Azure Log Analytics, the platform service that gathers log and metrics data from all your resources. The easiest way to think about Azure Monitor vs Log Analytics is that Azure Monitor is the marketing name, whereas Azure Log Analytics is the technology that powers it.

See Details
How do I get log analytics workspace? ›

Use the Log Analytics workspaces menu to create a workspace.
  1. In the Azure portal, enter Log Analytics in the search box. ...
  2. Select Add.
  3. Select a Subscription from the dropdown.
  4. Use an existing Resource Group or create a new one.
  5. Provide a name for the new Log Analytics workspace, such as DefaultLAWorkspace.

Find Out More
Where is log analytics workspace data stored? ›

Each Log Analytics workspace contains multiple tables in which Azure Monitor Logs stores data you collect. Azure Monitor Logs automatically creates tables required to store monitoring data you collect from your Azure environment.

Tell Me More
How do I read data from Azure log analytics? ›

If you start Log Analytics from the Azure Monitor menu or the Log Analytics workspaces menu, you'll have access to all the records in a workspace. If you select Logs from another type of resource, your data will be limited to log data for that resource.

Show Me More
How to see logs in log analytics workspace? ›

Go to the Log Analytics dashboard by clicking on the Dashboard button in the top menu. On the dashboard page, click on the Logs tab in the left menu. To create a chart, click on the Visualize button in the top menu and select the type of chart you want to create.

Explore More
How do I send logs to Azure Log Analytics workspace? ›

Select Export Activity Logs to send the activity log to a Log Analytics workspace. You can send the activity log from any single subscription to up to five workspaces. Activity log data in a Log Analytics workspace is stored in a table called AzureActivity that you can retrieve with a log query in Log Analytics.

Continue Reading
What is the difference between log monitoring and log analytics? ›

Log monitoring and log analytics are related — but different — concepts that work in conjunction. Together, they ensure the health and optimal operation of applications and core services. Whereas log monitoring is the process of tracking logs, log analytics evaluates logs in context to understand their significance.

Show Me More

What's the difference between Azure Monitor Log Analytics and application insights? ›

If we think about the Azure Monitoring Platform/ecosystem, then Log Analytics and App Insights both play a role within that platform as shown below. Log Analytics plays a role in the storage of Log Data and analysis of Log Data. App Insights plays a role in the analysis and insights into log data.

Read The Full Story
What types of data does Azure Monitor collect? ›

Azure Monitor Logs collects logs and performance data where they can be retrieved and analyzed in different ways by using log queries. You must create a Log Analytics workspace to collect log data. Use Log Analytics to analyze data from Azure Monitor Logs.

See Details
How do I export Azure stream analytics? ›

To export a job to a local project, locate the job you want to export in the Stream Analytics Explorer in the Azure portal. From the Query page, select Open in VS Code. And then select Open job in Visual Studio Code.

Get More Info Here
How do I move my log analytics workspace? ›

Move your workspace

Select the resources to move to the same destination subscription and resource group as the workspace. Select a destination Subscription and Resource group. If you're moving the workspace to another resource group in the same subscription, you won't see the Subscription option.

Continue Reading
How do I view logs in Azure Log Analytics workspace? ›

Go to the Log Analytics dashboard by clicking on the Dashboard button in the top menu. On the dashboard page, click on the Logs tab in the left menu. In the search box at the top of the page, enter your query using the Log Analytics query language. Press the Enter key or click the Run button to execute the query.

View More
How do I export CloudWatch log insights? ›

Open the CloudWatch console at https://console.aws.amazon.com/cloudwatch/ .
  • In the navigation pane, choose Logs, and then choose Logs Insights.
  • Choose one or more log groups and run a query.
  • Choose Export results, and then choose the option you want.

View Details
Top Articles
Can You Use a MagSafe Charger Without a MagSafe Case
How Criminals Use Drones to Target Businesses
English Bulldog Puppies For Sale Under 1000 In Florida
Katie Pavlich Bikini Photos
Gamevault Agent
Pieology Nutrition Calculator Mobile
Hocus Pocus Showtimes Near Harkins Theatres Yuma Palms 14
Hendersonville (Tennessee) – Travel guide at Wikivoyage
Compare the Samsung Galaxy S24 - 256GB - Cobalt Violet vs Apple iPhone 16 Pro - 128GB - Desert Titanium | AT&T
Vardis Olive Garden (Georgioupolis, Kreta) ✈️ inkl. Flug buchen
Craigslist Dog Kennels For Sale
Things To Do In Atlanta Tomorrow Night
Non Sequitur
Crossword Nexus Solver
How To Cut Eelgrass Grounded
Pac Man Deviantart
Alexander Funeral Home Gallatin Obituaries
Energy Healing Conference Utah
Geometry Review Quiz 5 Answer Key
Hobby Stores Near Me Now
Icivics The Electoral Process Answer Key
Allybearloves
Bible Gateway passage: Revelation 3 - New Living Translation
Yisd Home Access Center
Pearson Correlation Coefficient
Home
Shadbase Get Out Of Jail
Gina Wilson Angle Addition Postulate
Celina Powell Lil Meech Video: A Controversial Encounter Shakes Social Media - Video Reddit Trend
Walmart Pharmacy Near Me Open
Marquette Gas Prices
A Christmas Horse - Alison Senxation
Ou Football Brainiacs
Access a Shared Resource | Computing for Arts + Sciences
Vera Bradley Factory Outlet Sunbury Products
Pixel Combat Unblocked
Movies - EPIC Theatres
Cvs Sport Physicals
Mercedes W204 Belt Diagram
Mia Malkova Bio, Net Worth, Age & More - Magzica
'Conan Exiles' 3.0 Guide: How To Unlock Spells And Sorcery
Teenbeautyfitness
Where Can I Cash A Huntington National Bank Check
Topos De Bolos Engraçados
Sand Castle Parents Guide
Gregory (Five Nights at Freddy's)
Grand Valley State University Library Hours
Hello – Cornerstone Chapel
Stoughton Commuter Rail Schedule
Nfsd Web Portal
Selly Medaline
Latest Posts
With Hotel Prices Rising in Europe, Airbnb Is Viable Alternative - Biz New Orleans
Property Rights in France
Article information

Author: Arielle Torp

Last Updated:

Views: 6005

Rating: 4 / 5 (41 voted)

Reviews: 80% of readers found this page helpful

Author information

Name: Arielle Torp

Birthday: 1997-09-20

Address: 87313 Erdman Vista, North Dustinborough, WA 37563

Phone: +97216742823598

Job: Central Technology Officer

Hobby: Taekwondo, Macrame, Foreign language learning, Kite flying, Cooking, Skiing, Computer programming

Introduction: My name is Arielle Torp, I am a comfortable, kind, zealous, lovely, jolly, colorful, adventurous person who loves writing and wants to share my knowledge and understanding with you.