Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
The Auxiliary table plan lets you ingest and retain data in your Log Analytics workspace at a low cost.
Here's a video that explains some of the uses and benefits of the Auxiliary table plan:
Azure Monitor Logs currently supports the Auxiliary table plan on data collection rule (DCR)-based custom tables to which you send data you collect using Azure Monitor Agent or the Logs ingestion API.
This article explains how to create a new custom table with the Auxiliary plan in your Log Analytics workspace and set up a data collection rule that sends data to this table. For more information about Auxiliary plan concepts, see Azure Monitor Logs table plans.
Prerequisites
To create a custom table and collect log data, you need:
- A Log Analytics workspace where you have at least contributor rights.
- A data collection endpoint (DCE).
- Setting up a table with the Auxiliary plan is only supported on new tables. After you create a table with an Auxiliary plan, you can't switch the table's plan.
Note
Auxiliary logs are generally available (GA) for all public cloud regions except for Qatar Central, and not available for Azure Government or China clouds.
Create a custom table with the Auxiliary plan
To create a custom table, call the Tables - Create API by using this command:
PUT https://management.azure.com/subscriptions/{subscription_id}/resourceGroups/{resource_group}/providers/Microsoft.OperationalInsights/workspaces/{workspace_name}/tables/{table name_CL}?api-version=2023-01-01-preview
Note
Only version 2023-01-01-preview of the API allows you to set the Auxiliary table plan.
Provide this payload as the body of your request. Update the table name and adjust the columns based on your table schema. This sample lists all the supported column data types.
{
"properties": {
"schema": {
"name": "table_name_CL",
"columns": [
{"name": "TimeGenerated",
"type": "datetime"},
{"name": "StringProperty",
"type": "string"},
{"name": "IntProperty",
"type": "int"},
{"name": "LongProperty",
"type": "long"},
{"name": "RealProperty",
"type": "real"},
{"name": "BooleanProperty",
"type": "boolean"},
{"name": "GuidProperty",
"type": "guid"},
{"name": "DateTimeProperty",
"type": "datetime"}
]
},
"totalRetentionInDays": 365,
"plan": "Auxiliary"
}
}
Note
- The
TimeGeneratedcolumn only supports the ISO 8601 format with 6 decimal places for precision (nanoseconds). For more information, see supported ISO 8601 datetime format. - Tables with the Auxiliary plan don't support columns with dynamic data.
Send data to a table with the Auxiliary plan
There are currently two ways to ingest data to a custom table with the Auxiliary plan.
- Use the Azure Monitor Agent (AMA)
- Use the logs ingestion API
Use the AMA
If you use this method, your custom table must only have two columns - TimeGenerated (type datetime) and RawData (of type string). The data collection rule sends the entirety of each log entry you collect to the RawData column, and Azure Monitor Logs automatically populates the TimeGenerated column with the time the log is ingested.
For more information on how to use the AMA, see the following articles:
- Collect logs from a text file with Azure Monitor Agent
- Collect logs from a JSON file with Azure Monitor Agent.
Use the logs ingestion API
This method closely follows the steps described in Tutorial: Send data to Azure Monitor using Logs ingestion API.
- Create a custom table with the Auxiliary plan as described in this article.
- Create a Microsoft Entra application.
- Create a data collection rule. Here's a sample ARM template for
kind:Direct. This type of DCR doesn't require a DCE since it includes alogsIngestionendpoint.myworkspaceis the name of your Log Analytics workspace.tablename_CLis the name of your table.columnsincludes the same columns you set in the creation of the table.{ "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "dataCollectionRuleName": { "type": "string", "metadata": {"description": "Specifies the name of the data collection rule to create."} }, "___location": { "type": "string", "metadata": {"description": "Specifies the region in which to create the data collection rule. The must be the same region as the destination Log Analytics workspace."} }, "workspaceResourceId": { "type": "string", "metadata": {"description": "The Azure resource ID of the Log Analytics workspace in which you created a custom table with the Auxiliary plan."} } }, "resources": [ { "type": "Microsoft.Insights/dataCollectionRules", "name": "[parameters('dataCollectionRuleName')]", "___location": "[parameters('___location')]", "apiVersion": "2023-03-11", "kind": "Direct", "properties": { "streamDeclarations": { "Custom-tablename_CL": { "columns": [ {"name": "TimeGenerated", "type": "datetime"}, {"name": "StringProperty", "type": "string"}, {"name": "IntProperty", "type": "int"}, {"name": "LongProperty", "type": "long"}, {"name": "RealProperty", "type": "real"}, {"name": "BooleanProperty", "type": "boolean"}, {"name": "GuidProperty", "type": "guid"}, {"name": "DateTimeProperty", "type": "datetime"}] } }, "destinations": { "logAnalytics": [ {"workspaceResourceId": "[parameters('workspaceResourceId')]", "name": "myworkspace"}] }, "dataFlows": [ { "streams": ["Custom-table_name"], "transformKql": "source", "destinations": ["myworkspace"], "outputStream": "Custom-tablename-CL" }] } }], "outputs": { "dataCollectionRuleId": { "type": "string", "value": "[resourceId('Microsoft.Insights/dataCollectionRules', parameters('dataCollectionRuleName'))]" } } }
- Grant your application permission to use your DCR.
- Send data using sample code.
Warning
When ingesting logs into the Auxiliary tier of Azure Monitor, avoid submitting a single payload that contains TimeGenerated timestamps that span more than 30 minutes in one API call. This API call might lead to the following ingestion error code RecordsTimeRangeIsMoreThan30Minutes. This is a known limitation that's getting removed.
This restriction does not apply to Auxiliary logs that use transformations.