Data Collection Rules Operations¶
Data collection rules (DCRs) control what Azure Monitor Agent collects, how streams are transformed, and where the data lands. This runbook focuses on operational changes that keep DCR-based collection predictable and auditable.
flowchart TD
Source[VM or Arc server] --> AMA[Azure Monitor Agent]
AMA --> DCR[Data collection rule]
DCR --> Transform[Optional transformation]
Transform --> Destination[Log Analytics workspace]
DCR --> Association[Association object]Prerequisites¶
- Azure CLI authenticated with
az login. - Azure Monitor Agent installed on the target machine or scale set.
- A destination Log Analytics workspace already created.
- A DCR JSON file prepared for the intended streams.
- Permissions:
Monitoring Contributorfor DCR and association changes.Virtual Machine Contributoror equivalent when validating the target resource.
- Variables used below:
RG="rg-monitoring-prod" DCR_NAME="dcr-vm-perf" LOCATION="eastus" VM_ID="/subscriptions/<subscription-id>/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-prod-01" WORKSPACE_RESOURCE_ID="/subscriptions/<subscription-id>/resourceGroups/rg-monitoring-prod/providers/Microsoft.OperationalInsights/workspaces/law-ops-central" DCR_FILE="./docs/examples/dcr-vm-perf.json"
When to Use¶
- You need to onboard Azure Monitor Agent data collection to new servers.
- Performance counters, syslog, or event logs must change without redeploying the VM.
- A transformation is required to reduce ingestion volume or normalize records.
- Associations drifted after a rebuild or scale operation.
- Data stopped arriving and you need to validate the full DCR chain.
- You are splitting collection between production and non-production landing zones.
- You need to verify that only approved streams reach the shared workspace.
Procedure¶
Step 1: Inspect current DCR inventory and associations¶
List rules first so you know whether you are creating a new baseline or modifying an existing one.
az monitor data-collection rule list \
--resource-group $RG \
--query "[].{name:name,location:location,kind:kind,dataFlows:length(properties.dataFlows)}" \
--output table
az monitor data-collection rule association list-by-resource \
--resource $VM_ID \
--query "[].{name:name,ruleId:properties.dataCollectionRuleId}" \
--output table
Name RuleId
---------------------- -----------------------------------------------------------------------------------------------
dcr-assoc-vm-prod-01 /subscriptions/<subscription-id>/resourceGroups/rg-monitoring-prod/providers/Microsoft.Insights/dataCollectionRules/dcr-vm-perf
Step 2: Create or update the data collection rule from JSON¶
Create the rule from a checked-in JSON file so that the configuration stays reviewable and repeatable.
az monitor data-collection rule create \
--name $DCR_NAME \
--resource-group $RG \
--location $LOCATION \
--rule-file $DCR_FILE \
--output json
{
"id": "/subscriptions/<subscription-id>/resourceGroups/rg-monitoring-prod/providers/Microsoft.Insights/dataCollectionRules/dcr-vm-perf",
"location": "eastus",
"name": "dcr-vm-perf",
"provisioningState": "Succeeded"
}
az monitor data-collection rule update \
--name $DCR_NAME \
--resource-group $RG \
--rule-file $DCR_FILE \
--output json
Step 3: Review streams, destinations, and transformations¶
Read back the rule after creation so you confirm the intended streams rather than trusting the local file alone.
az monitor data-collection rule show \
--name $DCR_NAME \
--resource-group $RG \
--query "{streams:properties.dataFlows[].streams,destinations:properties.destinations.logAnalytics[].workspaceResourceId,dataSources:keys(properties.dataSources)}" \
--output json
{
"dataSources": [
"performanceCounters"
],
"destinations": [
"/subscriptions/<subscription-id>/resourceGroups/rg-monitoring-prod/providers/Microsoft.OperationalInsights/workspaces/law-ops-central"
],
"streams": [
[
"Microsoft-Perf"
]
]
}
Step 4: Associate the DCR with the target resource¶
Association is a separate object. A valid DCR without an association will not collect anything from the VM.
az monitor data-collection rule association create \
--name "dcr-assoc-vm-prod-01" \
--resource $VM_ID \
--rule-id "/subscriptions/<subscription-id>/resourceGroups/rg-monitoring-prod/providers/Microsoft.Insights/dataCollectionRules/dcr-vm-perf" \
--output json
{
"id": "/subscriptions/<subscription-id>/resourceGroups/rg-prod/providers/Microsoft.Compute/virtualMachines/vm-prod-01/providers/Microsoft.Insights/dataCollectionRuleAssociations/dcr-assoc-vm-prod-01",
"name": "dcr-assoc-vm-prod-01",
"properties": {
"dataCollectionRuleId": "/subscriptions/<subscription-id>/resourceGroups/rg-monitoring-prod/providers/Microsoft.Insights/dataCollectionRules/dcr-vm-perf"
}
}
az monitor data-collection rule association show \
--name "dcr-assoc-vm-prod-01" \
--resource $VM_ID \
--query "{name:name,ruleId:properties.dataCollectionRuleId}" \
--output json
{
"name": "dcr-assoc-vm-prod-01",
"ruleId": "/subscriptions/<subscription-id>/resourceGroups/rg-monitoring-prod/providers/Microsoft.Insights/dataCollectionRules/dcr-vm-perf"
}
Step 5: Validate data arrival in the workspace¶
After the association is in place, confirm that the destination workspace receives the expected stream.
az monitor log-analytics query \
--workspace $WORKSPACE_RESOURCE_ID \
--analytics-query "Perf | where Computer == 'vm-prod-01' and TimeGenerated > ago(30m) | summarize Samples=count() by ObjectName, CounterName | top 10 by Samples desc" \
--output table
ObjectName CounterName Samples
------------ ----------------------------- -------
Processor % Processor Time 36
Memory Available MBytes 36
LogicalDisk % Free Space 36
Verification¶
List all DCR associations on the target resource:
az monitor data-collection rule association list-by-resource \
--resource $VM_ID \
--query "[].{name:name,ruleId:properties.dataCollectionRuleId}" \
--output table
Name RuleId
---------------------- -----------------------------------------------------------------------------------------------
dcr-assoc-vm-prod-01 /subscriptions/<subscription-id>/resourceGroups/rg-monitoring-prod/providers/Microsoft.Insights/dataCollectionRules/dcr-vm-perf
az monitor data-collection rule show \
--name $DCR_NAME \
--resource-group $RG \
--query "{name:name,location:location,provisioningState:provisioningState}" \
--output json
az vm extension list \
--ids $VM_ID \
--query "[].{name:name,publisher:publisher,type:type,provisioningState:provisioningState}" \
--output table
Name Publisher Type ProvisioningState
----------------------------- --------------------------- ------------------------ -----------------
AzureMonitorLinuxAgent Microsoft.Azure.Monitor AzureMonitorLinuxAgent Succeeded
Rollback / Troubleshooting¶
Remove an incorrect association:
az monitor data-collection rule association delete \
--name "dcr-assoc-vm-prod-01" \
--resource $VM_ID
Perf - Verify Azure Monitor Agent is installed and healthy on the VM. - Association exists but still no data - Confirm the DCR region and the machine region are supported for the chosen stream. - Rule update fails - Validate the JSON schema and stream names against Microsoft Learn DCR structure guidance. - Unexpected ingestion growth - Reduce sampled counters or add transformations to narrow the stream. - Transform output is not what you expected - Re-read properties.dataFlows and check the destination table mapping in the JSON file. - Multiple DCRs appear to overlap - Audit all associations on the resource and confirm which rule owns each stream. Automation¶
DCR operations should live in source control because JSON drift is difficult to review in the portal.
az monitor data-collection rule list \
--query "[].{name:name,resourceGroup:resourceGroup,location:location}" \
--output json
See Also¶
- Operations index
- Workspace Management
- Diagnostic Settings
- Export and Integration
- Cost Control
- Service guide: VM observability
- Reference CLI cheatsheet
- Troubleshooting KQL query packs