Purge Old Azure Log Analytics Ingested Data

This article is based on Microsoft document:

Assuming you have a Log Analytics workspace in a resource group, you can call the API URL:

POST https://management.azure.com/subscriptions/your-subscription-id/resourceGroups/your-resource-group-rg/providers/Microsoft.OperationalInsights/workspaces/your-log-analytics-name/purge?api-version=2020-08-01

You need to pass an Authorization header containing a Bearer token.

The body of the POST request will contain a filter and a table like this:

{
  "table": "Heartbeat",
  "filters": [
    {
      "column": "TimeGenerated",
      "operator": "<",
      "value": "2021-10-09T00:00:00"
    }
  ]
}

The response will have a header like this:

x-ms-status-location: https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/microsoft.operationalinsights/workspaces/{workspaceName}/operations/purge-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx?api-version=2017-01-01-preview

Send a GET request to this URL to see the status of the operation. This URL is also given in the body of the response to the first POST request.

The status will be something like:

{
    "status": "pending"
}
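
The POST-then-GET flow described above, as an added Python example (not from the original article or from Microsoft's documentation). The function names, the 30-day minimum-age guard on the cutoff and the host check on the status URL are assumptions of this example; the transport is injectable so the flow can be exercised without calling Azure.

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

ARM_HOST = "management.azure.com"

def build_purge_request(sub, rg, workspace, table, cutoff, min_age_days=30, now=None):
    """Return (url, body). cutoff is a timezone-aware UTC datetime.
    Assumed guard: refuse to purge rows newer than min_age_days."""
    now = now or datetime.now(timezone.utc)
    if cutoff > now - timedelta(days=min_age_days):
        raise ValueError("cutoff is too recent; refusing to build purge request")
    url = (f"https://{ARM_HOST}/subscriptions/{sub}/resourceGroups/{rg}"
           f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
           "/purge?api-version=2020-08-01")
    body = {"table": table,
            "filters": [{"column": "TimeGenerated", "operator": "<",
                         "value": cutoff.strftime("%Y-%m-%dT%H:%M:%S")}]}
    return url, body

def http_send(method, url, token, body=None):
    """Default transport: returns (response headers as dict, parsed JSON body)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return dict(resp.headers.items()), (json.loads(raw) if raw else {})

def purge_and_check(token, url, body, send=http_send):
    """POST the purge, then GET the x-ms-status-location URL once.
    Returns (status_url, status string)."""
    headers, _ = send("POST", url, token, body)
    status_url = next((v for k, v in headers.items()
                       if k.lower() == "x-ms-status-location"), None)
    if status_url is None:
        raise RuntimeError("response has no x-ms-status-location header")
    parts = urlsplit(status_url)
    # Assumed hardening: only send the bearer token back to the ARM endpoint.
    if parts.scheme != "https" or parts.hostname != ARM_HOST:
        raise RuntimeError("status URL is not on the ARM host; token not sent")
    _, status = send("GET", status_url, token)
    return status_url, status.get("status")
```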

Tip: You can find the records to delete using a simple query like this:

W3CIISLog 
| where TimeGenerated > ago(32d)
| summarize count() by bin(TimeGenerated, 1d)


Heartbeat 
| where TimeGenerated > ago(32d)
| summarize count() by bin(TimeGenerated, 1d)

Author: Pouya Panahy

Microsoft certified DevOps engineer with a passion for analysing, designing and implementing solutions for Azure Cloud, with hands-on experience in security and quality assurance.
