title | description | ms.topic | author | ms.author | ms.date | ms.reviewer |
---|---|---|---|---|---|---|
Create Log Analytics workspaces | Learn how to create a Log Analytics workspace to enable management solutions and data collection from your cloud and on-premises environments. | conceptual | guywi-ms | guywild | 07/02/2023 | yossiy |
This article shows you how to create a Log Analytics workspace. When you collect logs and data, the information is stored in a workspace. A workspace has a unique workspace ID and resource ID. The workspace name must be unique for a given resource group. After you've created a workspace, configure data sources and solutions to store their data there.
You need a Log Analytics workspace if you collect data from:
- Azure resources in your subscription.
- On-premises computers monitored by System Center Operations Manager.
- Device collections from Configuration Manager.
- Diagnostics or log data from Azure Storage.
To create a Log Analytics workspace, you need an Azure account with an active subscription. You can create an account for free.
You need `Microsoft.OperationalInsights/workspaces/write` permissions to the resource group where you want to create the Log Analytics workspace, as provided by the Log Analytics Contributor built-in role, for example.
Use the Log Analytics workspaces menu to create a workspace.
1. In the Azure portal, enter Log Analytics in the search box. As you begin typing, the list filters based on your input. Select Log Analytics workspaces.

   :::image type="content" source="media/quick-create-workspace/azure-portal-01.png" alt-text="Screenshot that shows the search bar at the top of the Azure home screen. As you begin typing, the list of search results filters based on your input.":::

1. Select Add.
1. Select a Subscription from the dropdown.
1. Use an existing Resource Group or create a new one.
1. Provide a name for the new Log Analytics workspace, such as DefaultLAWorkspace. This name must be unique per resource group.
1. Select an available Region. For more information, see which regions Log Analytics is available in. Search for Azure Monitor in the Search for a product box.

   :::image type="content" source="media/quick-create-workspace/create-workspace.png" alt-text="Screenshot that shows the boxes that need to be populated on the Basics tab of the Create Log Analytics workspace screen.":::

1. Select Review + Create to review the settings. Then select Create to create the workspace. A default pricing tier of pay-as-you-go is applied. No charges will be incurred until you start collecting enough data. For more information about other pricing tiers, see Log Analytics pricing details.
The following sample script creates a workspace with no data source configuration.
```powershell
# Replace these sample values with your own.
$ResourceGroup = "my-resource-group"
$WorkspaceName = "log-analytics-workspace-name"
$Location = "westeurope"

# Create the resource group if needed
try {
    Get-AzResourceGroup -Name $ResourceGroup -ErrorAction Stop
} catch {
    New-AzResourceGroup -Name $ResourceGroup -Location $Location
}

# Create the workspace
New-AzOperationalInsightsWorkspace -Location $Location -Name $WorkspaceName -ResourceGroupName $ResourceGroup
```
Note
Log Analytics was previously called Operational Insights. The PowerShell cmdlets use Operational Insights in Log Analytics commands.
After you've created a workspace, configure a Log Analytics workspace in Azure Monitor by using PowerShell.
Run the az group create command to create a resource group or use an existing resource group. To create a workspace, use the az monitor log-analytics workspace create command.
```azurecli
az group create --name <myGroup> --location <myLocation>
az monitor log-analytics workspace create --resource-group <myGroup> \
    --workspace-name <myWorkspace>
```
For more information about Azure Monitor Logs in Azure CLI, see Managing Azure Monitor Logs in Azure CLI.
The following sample uses Microsoft.OperationalInsights workspaces to create a Log Analytics workspace in Azure Monitor. For more information about Bicep, see Bicep overview.
```bicep
@description('Name of the workspace.')
param workspaceName string

@description('Pricing tier: PerGB2018 or legacy tiers (Free, Standalone, PerNode, Standard or Premium) which are not available to all customers.')
@allowed([
  'pergb2018'
  'Free'
  'Standalone'
  'PerNode'
  'Standard'
  'Premium'
])
param sku string = 'pergb2018'

@description('Specifies the location for the workspace.')
param location string

@description('Number of days to retain data.')
param retentionInDays int = 120

@description('true to use resource or workspace permissions. false to require workspace permissions.')
param resourcePermissions bool

@description('Number of days to retain data in Heartbeat table.')
param heartbeatTableRetention int

resource workspace 'Microsoft.OperationalInsights/workspaces@2023-09-01' = {
  name: workspaceName
  location: location
  properties: {
    sku: {
      name: sku
    }
    retentionInDays: retentionInDays
    features: {
      enableLogAccessUsingOnlyResourcePermissions: resourcePermissions
    }
  }
}

resource workspaceName_Heartbeat 'Microsoft.OperationalInsights/workspaces/tables@2022-10-01' = {
  parent: workspace
  name: 'Heartbeat'
  properties: {
    retentionInDays: heartbeatTableRetention
  }
}
```
Note
If you specify a pricing tier of Free, then remove the retentionInDays element.
```bicep
using './main.bicep'

param workspaceName = 'MyWorkspace'
param sku = 'pergb2018'
param location = 'eastus'
param retentionInDays = 120
param resourcePermissions = true
param heartbeatTableRetention = 30
```
The following sample uses the Microsoft.OperationalInsights workspaces template to create a Log Analytics workspace in Azure Monitor. For more information about Azure Resource Manager templates, see Azure Resource Manager templates.
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "type": "string",
      "metadata": {
        "description": "Name of the workspace."
      }
    },
    "sku": {
      "type": "string",
      "defaultValue": "pergb2018",
      "allowedValues": [
        "pergb2018",
        "Free",
        "Standalone",
        "PerNode",
        "Standard",
        "Premium"
      ],
      "metadata": {
        "description": "Pricing tier: PerGB2018 or legacy tiers (Free, Standalone, PerNode, Standard or Premium) which are not available to all customers."
      }
    },
    "location": {
      "type": "string",
      "metadata": {
        "description": "Specifies the location for the workspace."
      }
    },
    "retentionInDays": {
      "type": "int",
      "defaultValue": 120,
      "metadata": {
        "description": "Number of days to retain data."
      }
    },
    "resourcePermissions": {
      "type": "bool",
      "metadata": {
        "description": "true to use resource or workspace permissions. false to require workspace permissions."
      }
    },
    "heartbeatTableRetention": {
      "type": "int",
      "metadata": {
        "description": "Number of days to retain data in Heartbeat table."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.OperationalInsights/workspaces",
      "apiVersion": "2023-09-01",
      "name": "[parameters('workspaceName')]",
      "location": "[parameters('location')]",
      "properties": {
        "sku": {
          "name": "[parameters('sku')]"
        },
        "retentionInDays": "[parameters('retentionInDays')]",
        "features": {
          "enableLogAccessUsingOnlyResourcePermissions": "[parameters('resourcePermissions')]"
        }
      }
    },
    {
      "type": "Microsoft.OperationalInsights/workspaces/tables",
      "apiVersion": "2022-10-01",
      "name": "[format('{0}/{1}', parameters('workspaceName'), 'Heartbeat')]",
      "properties": {
        "retentionInDays": "[parameters('heartbeatTableRetention')]"
      },
      "dependsOn": [
        "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName'))]"
      ]
    }
  ]
}
```
Note
If you specify a pricing tier of Free, then remove the retentionInDays element.
```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-08-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "value": "MyWorkspace"
    },
    "sku": {
      "value": "pergb2018"
    },
    "location": {
      "value": "eastus"
    },
    "resourcePermissions": {
      "value": true
    },
    "heartbeatTableRetention": {
      "value": 30
    }
  }
}
```
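
A pre-deployment check for the template and parameter file above, as an added example that is not part of the original article: it resolves each parameter (parameter-file value, else the template's `defaultValue`) and reports the workspace's effective retention and access control mode, plus the Free-tier rule from the note. The function names and the 90-day `min_retention` baseline are assumptions, and the input is a trimmed, constructed copy of the template.

```python
import re
WORKSPACE = "Microsoft.OperationalInsights/workspaces"
PARAM_REF = re.compile(r"^\[parameters\('([^']+)'\)\]$")

# Constructed input: a trimmed copy of the template and parameter file shown above.
TEMPLATE = {
    "parameters": {"sku": {"defaultValue": "pergb2018"}, "retentionInDays": {"defaultValue": 120},
                   "resourcePermissions": {}},
    "resources": [{
        "type": WORKSPACE,
        "properties": {
            "sku": {"name": "[parameters('sku')]"},
            "retentionInDays": "[parameters('retentionInDays')]",
            "features": {"enableLogAccessUsingOnlyResourcePermissions": "[parameters('resourcePermissions')]"},
        },
    }],
}
PARAMS = {"parameters": {"sku": {"value": "pergb2018"}, "resourcePermissions": {"value": True}}}

def effective_parameters(template, param_file):
    """Parameter-file values win; otherwise fall back to the template's defaultValue."""
    values = {k: s["defaultValue"] for k, s in template["parameters"].items() if "defaultValue" in s}
    values.update({k: v["value"] for k, v in param_file["parameters"].items()})
    missing = sorted(set(template["parameters"]) - set(values))
    if missing:
        raise ValueError(f"no value or default for: {missing}")
    return values

def resolve(node, values):
    """Recursively replace "[parameters('x')]" strings in nested dicts with their value."""
    if isinstance(node, dict):
        return {k: resolve(v, values) for k, v in node.items()}
    m = PARAM_REF.match(node) if isinstance(node, str) else None
    return values[m.group(1)] if m else node

def review_workspace(template, param_file, min_retention=90):
    """List findings per workspace; min_retention is an assumed local baseline, not an Azure rule."""
    values = effective_parameters(template, param_file)
    findings = []
    for res in (r for r in template["resources"] if r["type"] == WORKSPACE):
        props = resolve(res["properties"], values)
        if props["sku"]["name"].lower() == "free" and "retentionInDays" in props:
            findings.append("Free tier: remove the retentionInDays element")
        elif props.get("retentionInDays", min_retention) < min_retention:
            findings.append(f"retentionInDays {props['retentionInDays']} is below {min_retention}")
        shared = props.get("features", {}).get("enableLogAccessUsingOnlyResourcePermissions")
        mode = "resource or workspace" if shared else "workspace"
        findings.append(f"access control: {mode} permissions")
    return findings
```

With the sample parameter file, `retentionInDays` is not supplied, so the check evaluates the template default of 120 days.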
When you create a workspace that was deleted in the last 14 days and is in a soft-delete state, the outcome depends on your workspace configuration:

- If you provide the same workspace name, resource group, subscription, and region as in the deleted workspace, your workspace will be recovered, including its data, configuration, and connected agents.
- Workspace names must be unique for a resource group. If you use a workspace name that already exists, or is soft deleted, an error is returned. To permanently delete your soft-deleted name and create a new workspace with the same name, follow these steps:
  1. Recover your workspace.
  1. Permanently delete your workspace.
  1. Create a new workspace by using the same workspace name.

Now that you have a workspace available, you can configure collection of monitoring telemetry, run log searches to analyze that data, and add a management solution to provide more data and analytic insights. To learn more:
- See Monitor health of Log Analytics workspace in Azure Monitor to create alert rules to monitor the health of your workspace.
- See Collect Azure service logs and metrics for use in Log Analytics to enable data collection from Azure resources with Azure Diagnostics or Azure Storage.