This blog post demonstrates how to use a workspace transformation to transform data that is uploaded by legacy methods.
You cannot use a workspace transformation if the data is sent by Azure Monitor Agent or the Log Ingestion API. It works only for the legacy agent/solutions (MMA) and the legacy HTTP Data Collector API.
This blog-post is part of a series of blog posts to master Azure logging in depth (overview).
To get you started, you can find ARM-templates & scripts in my AzureLogLibrary (github). Details will be covered in the articles.
Quick Links
Data transformation
How to set up in GUI?
Real-life example of workspace transformation
More information (Microsoft)
Data Transformation
If you want to read about the data transformation capabilities, please read more here
Currently, Microsoft supports doing transformation using 4 methods:
Collection source | How | Purpose / limitations |
---|---|---|
XPath | XML syntax in DCR | The XPath implementation uses v1, which is very limited in functionality. |
MMA-agent / Solutions (legacy): Performance, Eventlog, Syslog. API (legacy): HTTP Data Collector API | Workspace transformation DCR | Only one transformation per table |
All sources sending in using AMA | AMA transformation DCR | All DCRs do unions, so be aware of double data. Governance is important |
REST API using Log ingestion API | Log Ingestion transformation DCR | |
You cannot use a workspace transformation if the data is sent by Azure Monitor Agent or the Log Ingestion API. It works only for the legacy agent/solutions (MMA) and the legacy HTTP Data Collector API.
How to set up in GUI?
You can set up a workspace transformation in the GUI on the table.
You can find the transformation inside the Data Collection Rule. It is important to choose the newest API version (2022-06-01) in the right corner.
Real-life example of workspace transformation
Here is an example where I did a workspace transformation that removes Syslog events matching specific patterns. As you can see, the result was a significant decrease.
Of course, there is a trade-off that must be considered. There are always two sides of the coin: will I miss the data at some point?
source
| where (DeviceVendor !contains "sonicwall") or ((DeviceVendor contains "sonicwall") and (Activity contains "connection opened" or Activity contains "connection closed") and (Protocol != "udp/dns"))
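The trade-off can be measured before the transformation is enabled by running the same predicate as an ordinary log query and looking at what it would discard. This is an added example, not part of the original post; it assumes the events land in the CommonSecurityLog table (which carries the DeviceVendor, Activity and Protocol columns) and uses a one-day window chosen for illustration.

```kusto
// Added example: dry-run of the transformation filter as a normal workspace query.
// Assumption: the data is in CommonSecurityLog; change the table name if yours differs.
// In the transformation itself the input is called "source"; here the real table is queried.
CommonSecurityLog
| where TimeGenerated > ago(1d)
// Same predicate as the transformation: true = the row would still be ingested,
// false = the row would be dropped by the workspace transformation.
| extend Kept = (DeviceVendor !contains "sonicwall")
    or ((DeviceVendor contains "sonicwall")
        and (Activity contains "connection opened" or Activity contains "connection closed")
        and (Protocol != "udp/dns"))
// Event count and billed size per outcome, broken down by Activity so the
// dropped event types can be reviewed by name before they disappear.
| summarize Events = count(),
            BilledMB = round(sum(_BilledSize) / 1024.0 / 1024.0, 2)
    by Kept, DeviceVendor, Activity
| order by Kept asc, Events desc
```

Rows with Kept == false list every SonicWall activity the filter would discard, including any that detection rules or investigations rely on. Run the query before the transformation is active, because dropped rows never reach the workspace afterwards.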
More information (Microsoft)
https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-workspace-transformations-portal