Previously ingesting data into an Azure Log Analytics Log Table could be done without the need for a DCR (Data Collection Rule) or indeed a DCE (Data Collection Endpoint). In fact, this stack overflow post covers this powershell-script-for-azure-function-to-post-to-a-log-analytics.

Microsoft have changed how this works and so if one creates a modern Log Table and point the code detail in the linked article, the data is simply dropped. (The console output looks successful. However, there is no data ingested…simple KQL query against the log table confirms this)

The first problem being faced is to create a DCR that ingest data via the REST API and direct it to the requisite log table. In this instance there is no need for a DCE.

This is the code being used to create the DCR, which fails:

$DCRContent = @"
{
  "location": "westeurope",
  "properties": {
    "dataSources": {
      "logsIngestion": [
        {
          "name": "RestApiSource",
          "streams": ["<Custom Table Name>"],
          "settings": {
            "endpoint": "https://<workspace ID>.ods.opinsights.azure.com/api/logs?api-version=2023-01-01",
            "method": "POST",
            "headers": {
              "Content-Type": "application/json"
            }
          }
        }
      ]
    },
    "destinations": {
      "logAnalytics": [
        {
          "workspaceResourceId": "/subscriptions/<Subscription ID>/resourceGroups/<ResourceGroupName>/providers/Microsoft.OperationalInsights/workspaces/<Workspace Name>"
        }
      ]
    },
    "transformations": [
      {
        "name": "Transformation1",
        "inputs": ["RestApiSource"],
        "outputs": ["<Custom Table Name>"],
        "query": "SELECT * FROM RestApiSource"
      }
    ]
  }
}
"@
$ResourceGroupName = $Workspace.Rg
$DCRName = "<DCR Name>"
$Location = "westeurope"

New-AzResource -ResourceGroupName $ResourceGroupName -ResourceType "Microsoft.Insights/dataCollectionRules" -ResourceName $DCRName -Location $Location -Properties $DCRContent

This is the error message:

New-AzResource : InvalidPayload : Data collection rule is invalid
CorrelationId: 1fcde55d-6770-48c7-b649-822eca399203
At line:47 char:1
+ New-AzResource -ResourceGroupName $ResourceGroupName -ResourceType "M ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (:) [New-AzResource], ErrorResponseMessageException
    + FullyQualifiedErrorId : Microsoft.Azure.Commands.ResourceManager.Cmdlets.Implementation.NewAzureResourceCmdlet