A little trick to help with Aux Logs and DCRs
If you’ve tried following the default instructions for creating a DCR, you might have run into a few issues. Some people might have missed this one bullet point in the documentation regarding DCRs with aux logs:
“If you use this method, your custom table must only have two columns - TimeGenerated and RawData (of type string). The data collection rule sends the entirety of each log entry you collect to the RawData column, and Azure Monitor Logs automatically populates the TimeGenerated column with the time the log is ingested.”
That’s right. You can only have two columns when you use a DCR with an aux log: the date (TimeGenerated), and RawData, which gets everything else.
The instructions on how to create an aux log table can be found here. You can create them with a nice GUI here.
It can be confusing because the JSON sample on the page needs to be edited for things to work properly. The sample JSON includes several columns that aren’t needed (meaning anything besides TimeGenerated and RawData).
Paste this JSON into the GUI in the graph and you should be good.
{
  "properties": {
    "schema": {
      "name": "YOURTABLENAME_CL",
      "columns": [
        {
          "name": "TimeGenerated",
          "type": "datetime"
        },
        {
          "name": "RawData",
          "type": "string"
        }
      ]
    },
    "totalRetentionInDays": 365,
    "plan": "Auxiliary"
  }
}
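A pre-flight check for the two-column rule, as an added example (not from the original post or from Microsoft's documentation): it flags any column other than TimeGenerated and RawData in a table body and rebuilds the columns list with just those two. The function names and the extra columns in the sample (Message, Severity) are constructed for illustration.

```python
import copy
import json

# The only columns the post says a DCR-fed Auxiliary table may have.
REQUIRED = {"TimeGenerated": "datetime", "RawData": "string"}


def check_aux_table(body: dict) -> list:
    """Return a list of problems; an empty list means the body follows the rule."""
    problems = []
    props = body.get("properties", {})
    schema = props.get("schema", {})
    if props.get("plan") != "Auxiliary":
        problems.append(f"plan is {props.get('plan')!r}, expected 'Auxiliary'")
    seen = {}
    for col in schema.get("columns", []):
        name = col.get("name")
        if name in seen:
            problems.append(f"duplicate column: {name}")
        seen[name] = col.get("type")
    for name, typ in REQUIRED.items():
        if name not in seen:
            problems.append(f"missing column: {name}")
        elif seen[name] != typ:
            problems.append(f"{name} is {seen[name]!r}, expected {typ!r}")
    for name in seen:
        if name not in REQUIRED:
            problems.append(f"extra column: {name}")
    return problems


def to_aux_schema(body: dict) -> dict:
    """Copy the body, replacing its columns with exactly the two allowed ones."""
    fixed = copy.deepcopy(body)
    fixed.setdefault("properties", {}).setdefault("schema", {})["columns"] = [
        {"name": n, "type": t} for n, t in REQUIRED.items()
    ]
    return fixed


# Constructed sample: a table body that still carries extra columns.
SAMPLE = json.loads("""
{"properties": {"schema": {"name": "YOURTABLENAME_CL", "columns": [
  {"name": "TimeGenerated", "type": "datetime"},
  {"name": "Message", "type": "string"},
  {"name": "Severity", "type": "int"}]},
 "totalRetentionInDays": 365, "plan": "Auxiliary"}}
""")

if __name__ == "__main__":
    print(check_aux_table(SAMPLE))
    print(json.dumps(to_aux_schema(SAMPLE), indent=2))
```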