Event Table transformation in log analytics

Question

Hi All,
I have an Event table in my Log Analytics workspace that is being populated with data from a virtual machine using a Data Collection Rule (DCR). In the DCR, I am collecting both audit success and failure logs. However, this data is causing the Log Analytics storage usage to increase significantly.

I am looking for a way to transform the Event table without creating a new DCR. I have tried several approaches, but every time I attempt to transform the Event table, it ends up creating a new DCR.

I also tried using the logic of manually adding an XPath query, and while that works, it does not allow me to select both audit success and failure settings in the Data Collection pane.

My goal is to collect all audit success and failure logs but only store the required data in the Event table.

Answer 1

Hi,

If you want to do data transformation the only way is to create new data collection rule. The data collection rule for data transformation basically is the last data collection rule that will be processed after all others like the one you are using to collect events. That is just how this functionality for Log Analytics works. If you just want to filter the events more just edit the existing data collection rule. Nothing stops if you cannot do the correct data collection with one rule to have two or more rules. The idea of DCRs is not to be limited to have one data collection rule that collects everything that you want, it is quite the opposite as it's main idea is to divide different logs and filters into separate data collection rules and apply them only to the machines that you want.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.