Managing Azure Monitor Logs in Azure CLI

Use the Azure CLI commands described here to manage your log analytics workspace in Azure Monitor.

Note

On August 31, 2024, Microsoft will retire the Log Analytics agent. You can use the Azure Monitor agent after that time. For more information, see Overview of Azure Monitor agents.

Prerequisites

  • Use the Bash environment in Azure Cloud Shell.

  • If you prefer, install the Azure CLI to run CLI reference commands.

    • If you're using a local installation, sign in to the Azure CLI by using the az login command. To finish the authentication process, follow the steps displayed in your terminal. For additional sign-in options, see Sign in with the Azure CLI.

    • When you're prompted, install Azure CLI extensions on first use. For more information about extensions, see Use extensions with the Azure CLI.

    • Run az version to find the version and dependent libraries that are installed. To upgrade to the latest version, run az upgrade.

Create a workspace for Monitor Logs

Run the az group create command to create a resource group or use an existing resource group. To create a workspace, use the az monitor log-analytics workspace create command.

az group create --name ContosoRG --location eastus2
az monitor log-analytics workspace create --resource-group ContosoRG \
   --workspace-name ContosoWorkspace

For more information about workspaces, see Azure Monitor Logs overview.

List tables in your workspace

Each workspace contains tables, and each table holds many rows of data. A table is defined by the unique set of columns that its data source provides.

To see the tables in your workspace, use the az monitor log-analytics workspace table list command:

az monitor log-analytics workspace table list --resource-group ContosoRG \
   --workspace-name ContosoWorkspace --output table

The --output table value presents the results in a more readable format. For more information, see Output formatting.

To change the retention time for a table, run the az monitor log-analytics workspace table update command:

az monitor log-analytics workspace table update --resource-group ContosoRG \
   --workspace-name ContosoWorkspace --name Syslog --retention-time 45

The retention time is between 30 and 730 days.
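The retention setting matters for investigations: a table aged out before an incident is noticed cannot be queried later. The following shell audit is an added example, not part of this article, that flags tables whose retention is below a minimum you choose. It assumes the table list command's JSON exposes each table's retention as retentionInDays, and it uses a constructed sample in place of live command output so it runs offline.

```shell
#!/bin/sh
# Added example, not from the Azure docs: audit Log Analytics table retention.
# Input lines are "name<TAB>retentionInDays", as produced by
#   az monitor log-analytics workspace table list --resource-group ContosoRG \
#      --workspace-name ContosoWorkspace --query "[].[name,retentionInDays]" -o tsv
# (retentionInDays is assumed to be the property name in that JSON output.)
TAB=$(printf '\t')

# Print every table whose retention is shorter than $1 days; return 1 if any.
audit_retention() {
  min_days=$1
  below=0
  while IFS="$TAB" read -r name days; do
    [ -z "$name" ] && continue
    if [ "$days" -lt "$min_days" ]; then
      printf '%s\t%s\n' "$name" "$days"
      below=1
    fi
  done
  return $below
}

# Constructed sample standing in for the az command above (offline).
SAMPLE_TABLES="SecurityEvent${TAB}30
Syslog${TAB}45
AzureActivity${TAB}90
Heartbeat${TAB}31"

# Number of tables in the sample that fall below $1 days.
count_below() {
  printf '%s\n' "$SAMPLE_TABLES" | audit_retention "$1" | wc -l | tr -d ' '
}

# Typical use: require at least 90 days so investigations can look back a quarter.
printf '%s\n' "$SAMPLE_TABLES" | audit_retention 90 || echo "tables below minimum retention"
```

Against a live workspace, replace the sample with the az command shown in the comment and fix any flagged table with az monitor log-analytics workspace table update --retention-time.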

For more information about tables, see Data structure.

Export data from selected tables

You can continuously export data from selected tables to an Azure storage account or Azure Event Hubs. Use the az monitor log-analytics workspace data-export create command:

az monitor log-analytics workspace data-export create --resource-group ContosoRG \
   --workspace-name ContosoWorkspace --name DataExport --table Syslog \
   --destination /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ContosoRG/providers/Microsoft.Storage/storageAccounts/exportaccount \
   --enable

To see your data exports, run the az monitor log-analytics workspace data-export list command.

az monitor log-analytics workspace data-export list --resource-group ContosoRG \
   --workspace-name ContosoWorkspace --output table

To delete a data export, run the az monitor log-analytics workspace data-export delete command. The --yes parameter skips confirmation.

az monitor log-analytics workspace data-export delete --resource-group ContosoRG \
   --workspace-name ContosoWorkspace --name DataExport --yes

For more information about data export, see Log Analytics workspace data export in Azure Monitor.

Manage a linked service

Linked services define a relation from the workspace to another Azure resource. Azure Monitor Logs and Azure resources use this connection in their operations. Example uses of linked services include an automation account and a workspace association to customer-managed keys.

To create a linked service, run the az monitor log-analytics workspace linked-service create command:

az monitor log-analytics workspace linked-service create --resource-group ContosoRG \
   --workspace-name ContosoWorkspace --name linkedautomation \
   --resource-id /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ContosoRG/providers/Microsoft.Web/sites/ContosoWebApp09

az monitor log-analytics workspace linked-service list --resource-group ContosoRG \
   --workspace-name ContosoWorkspace

To remove a linked service relation, run the az monitor log-analytics workspace linked-service delete command:

az monitor log-analytics workspace linked-service delete --resource-group ContosoRG \
   --workspace-name ContosoWorkspace --name linkedautomation

For more information, see az monitor log-analytics workspace linked-service.

Manage linked storage

If you provide and manage your own storage account for log analytics, you can manage it with these Azure CLI commands.

To link your workspace to a storage account, run the az monitor log-analytics workspace linked-storage create command:

az monitor log-analytics workspace linked-storage create --resource-group ContosoRG \
   --workspace-name ContosoWorkspace \
   --storage-accounts /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/ContosoRG/providers/Microsoft.Storage/storageAccounts/contosostorage \
   --type Alerts

az monitor log-analytics workspace linked-storage list --resource-group ContosoRG \
   --workspace-name ContosoWorkspace --output table

To remove the link to a storage account, run the az monitor log-analytics workspace linked-storage delete command:

az monitor log-analytics workspace linked-storage delete --resource-group ContosoRG \
   --workspace-name ContosoWorkspace --type Alerts

For more information, see Using customer-managed storage accounts in Azure Monitor Log Analytics.

Manage intelligence packs

To see the available intelligence packs, run the az monitor log-analytics workspace pack list command. The command also tells you whether the pack is enabled.

az monitor log-analytics workspace pack list --resource-group ContosoRG \
   --workspace-name ContosoWorkspace

To turn a pack on or off, use the az monitor log-analytics workspace pack enable or az monitor log-analytics workspace pack disable command:

az monitor log-analytics workspace pack enable --resource-group ContosoRG \
   --workspace-name ContosoWorkspace --name NetFlow

az monitor log-analytics workspace pack disable --resource-group ContosoRG \
   --workspace-name ContosoWorkspace --name NetFlow

Manage saved searches

To create a saved search, run the az monitor log-analytics workspace saved-search create command:

az monitor log-analytics workspace saved-search create --resource-group ContosoRG \
   --workspace-name ContosoWorkspace --name SavedSearch01 \
   --category "Log Management" --display-name SavedSearch01 \
   --saved-query "AzureActivity | summarize count() by bin(TimeGenerated, 1h)" --fa Function01 --fp "a:string = value"

View your saved search by using the az monitor log-analytics workspace saved-search show command. See all saved searches by using az monitor log-analytics workspace saved-search list.

az monitor log-analytics workspace saved-search show --resource-group ContosoRG \
   --workspace-name ContosoWorkspace --name SavedSearch01
az monitor log-analytics workspace saved-search list --resource-group ContosoRG \
   --workspace-name ContosoWorkspace

To delete a saved search, run the az monitor log-analytics workspace saved-search delete command:

az monitor log-analytics workspace saved-search delete --resource-group ContosoRG \
   --workspace-name ContosoWorkspace --name SavedSearch01 --yes

Clean up deployment

If you created a resource group to test these commands, you can remove the resource group and all its contents by using the az group delete command:

az group delete --name ContosoRG

If you want to remove a new workspace from an existing resource group, run the az monitor log-analytics workspace delete command:

az monitor log-analytics workspace delete --resource-group ContosoRG \
   --workspace-name ContosoWorkspace --yes

Log analytics workspaces have a soft delete option. You can recover a deleted workspace for two weeks after deletion. Run the az monitor log-analytics workspace recover command:

az monitor log-analytics workspace recover --resource-group ContosoRG \
   --workspace-name ContosoWorkspace

In the delete command, add the --force parameter to delete the workspace immediately.

Azure CLI commands used in this article

Next steps

Overview of Log Analytics in Azure Monitor