How to do data transformation using Workspace transformation for legacy upload methods

This post demonstrates how to use a workspace transformation to transform data that is uploaded by legacy methods.

You cannot use a workspace transformation if the data comes from Azure Monitor Agent or the Log Ingestion API. It applies only to the legacy agent/solutions (MMA) and the legacy HTTP Data Collector API.

This blog-post is part of a series of blog posts to master Azure logging in depth (overview).

To get you started, you can find ARM-templates & scripts in my AzureLogLibrary (github). Details will be covered in the articles.



Data Transformation

If you want to read about the data transformation capabilities, please read more here

Currently, Microsoft supports doing transformation using 4 methods:

| Collection source | How | Purpose / limitations |
| --- | --- | --- |
| XPath | XML syntax in DCR | XPath implementation uses v1, which is very limited in functionality. |
| MMA-agent / Solutions (legacy): Performance, Eventlog, Syslog. API (legacy): HTTP Data Collector API | Workspace transformation DCR | Only one transformation per table |
| All sources sending in using AMA | AMA transformation DCR | All DCRs do unions, so be aware of double data. Governance is important |
| REST API using Log ingestion API | Log Ingestion transformation DCR | |


How to set up in the GUI?

You can set up a workspace transformation in the GUI on the table.

You can find the transformation inside the Data Collection Rule. It is important to choose the newest API version (2022-06-01) in the right corner.


Real-life example of workspace transformation

Here is an example where I did a workspace transformation that removes Syslog events with specific patterns. As you can see, the result was a significant decrease.

Of course, there is a trade-off that must be considered. There are always two sides to the coin: will I miss the data at some point?

source
| where (DeviceVendor !contains "sonicwall") or ((DeviceVendor contains "sonicwall") and (Activity contains "connection opened" or Activity contains "connection closed") and (Protocol != "udp/dns"))
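
To judge that trade-off before enabling the rule, the filter can be replayed over a sample of exported events to list exactly which rows would be discarded. The following is an added example, not code from the original post or from AzureLogLibrary; the function names and the sample events are constructed, and the predicate is a Python rendering of the `where` clause above (KQL `contains` is case-insensitive, `!=` is case-sensitive).

```python
from collections import Counter

def contains(value, needle):
    """KQL `contains`: case-insensitive substring match; a missing string is empty."""
    return needle.lower() in (value or "").lower()

def keep(event):
    """Python rendering of the transformation's `where` clause (True = row is ingested)."""
    vendor = event.get("DeviceVendor", "")
    activity = event.get("Activity", "")
    protocol = event.get("Protocol", "")
    if not contains(vendor, "sonicwall"):
        return True  # other vendors pass through untouched
    wanted = (contains(activity, "connection opened")
              or contains(activity, "connection closed"))
    # KQL `!=` is case-sensitive, so "UDP/DNS" is NOT filtered by this clause.
    return wanted and protocol != "udp/dns"

def dry_run(events):
    """Return (kept_count, Counter of (vendor, activity, protocol) that would be dropped)."""
    kept, dropped = 0, Counter()
    for e in events:
        if keep(e):
            kept += 1
        else:
            key = (e.get("DeviceVendor", ""), e.get("Activity", ""), e.get("Protocol", ""))
            dropped[key] += 1
    return kept, dropped

# Constructed sample events (not real log data).
SAMPLE = [
    {"DeviceVendor": "SonicWall", "Activity": "Connection Opened", "Protocol": "tcp/https"},
    {"DeviceVendor": "SonicWall", "Activity": "Connection Closed", "Protocol": "udp/dns"},
    {"DeviceVendor": "SonicWall", "Activity": "Connection Opened", "Protocol": "UDP/DNS"},
    # Any SonicWall event that is not a connection open/close is dropped as well.
    {"DeviceVendor": "SonicWall", "Activity": "Administrator login denied", "Protocol": ""},
    {"DeviceVendor": "Constructed Vendor", "Activity": "Administrator login denied", "Protocol": ""},
]

if __name__ == "__main__":
    kept, dropped = dry_run(SAMPLE)
    print(f"kept {kept} of {len(SAMPLE)}")
    for key, n in dropped.most_common():
        print(f"dropped x{n}: {key}")
```

The dropped list is the part to review against existing analytics rules: anything a detection depends on must not appear in it, because rows removed by the transformation never reach the table.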



More information (Microsoft)

https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-workspace-transformations-portal
