Search

Warning

Both Search and Restore have a cost associated with them. As of February 12th, 2025 in the West US 2 region pricing looks like this:

  • Search: $0.005 per GB of data scanned
  • Restore: $0.10 per GB per day with a 2 TB, 12 hour minimum.
    • With that 2 TB minimum, a restore starts at $102.40 for half a day. Querying the restored data is free, however.

Please be aware of the cost of the actions you are taking in Search and Restore. You can view the official Microsoft pricing page here; it contains numerous links to documentation. The information provided below is purely informational.

If you are retaining data for long periods of time, you may need to bring data back in order to work on an investigation. How the data was ingested determines when you might need to run a search job to retrieve it.

The table below contains the maximum possible retention periods; your environment may have a lower retention than the maximum. Generally a search job is for when data has left the interactive retention period.

Table type    Max Interactive Retention    Max Retention
Analytics     2 years                      12 years
Basic         30 days                      12 years
Auxiliary     30 days                      365 days

The maximum lookback for a search job appears to be 7 years.

Running a search job

You can see detailed instructions from Microsoft here, but in short you will want to follow these steps.

  1. Come to the Search page.
  2. Below the search box select the Table you wish to search. You can only search one Table at a time.
  3. Now put in a search string. You can customize this later, but generally you want to put in a full string, not a partial string. For example, put johnsmith@contoso.com, not johnsmith@conto.
  4. Once you hit Run, a query window appears; this gives you an opportunity to preview the kind of data you are looking for. You should end up with a query like this:
    SigninLogs
    | where * has 'johnsmith@contoso.com'
    
    1. Refine the query until it returns the kind of data you are looking for. Again, this is for historical searches; the data you are looking for will not necessarily be visible yet.
  5. After you have your query ready, click the three dots in the top right-hand corner and toggle Search job mode. Note that the time range changes; set it to the time range you want the search job to run against.
  6. Now click Search job in the top-left and specify the name of the table to create. The table name gets the suffix _SRCH, so MySearchJob_SRCH as an example.

Tips

You do not need to wait for the job to complete; you can close the window and return to the Search page to see the status of your search job.

Once complete, the raw table will have a TimeGenerated column that contains the time the search found the data, while the _OriginalTimeGenerated column contains the TimeGenerated stamp from the original record. From the search results you can click View results in Log analytics at the bottom left; you will be given a query that renames the TimeGenerated column so the data appears as it was originally stored.
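As an added example (not from the original page or from Microsoft's generated query), the KQL below works over a finished search-job table, puts the original event time back into TimeGenerated and summarises the sign-ins for the investigated account. The table name MySearchJob_SRCH, the date range and the SigninLogs column names it relies on are assumptions.

```kusto
// Added example: assumes a completed search job named MySearchJob_SRCH that was
// created from SigninLogs with the query shown above on the page.
MySearchJob_SRCH
// TimeGenerated on a _SRCH table is when the job found the record, not when the
// sign-in happened, so drop it and rename _OriginalTimeGenerated in its place.
| project-away TimeGenerated
| project-rename TimeGenerated = _OriginalTimeGenerated
// Time filters now apply to the original event time (assumed investigation window)
| where TimeGenerated between (datetime(2023-01-01) .. datetime(2023-03-31))
| where UserPrincipalName =~ 'johnsmith@contoso.com'
// SigninLogs stores ResultType as a string; "0" is a successful sign-in
| extend Outcome = iff(ResultType == "0", 'Success', 'Failure')
| summarize Attempts = count(),
            Failures = countif(Outcome == 'Failure'),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            SourceIPs = make_set(IPAddress, 50)
          by UserPrincipalName, AppDisplayName
| order by Failures desc
```

Querying the restored _SRCH table itself incurs no extra charge, so iterating on this query is cheaper than re-running the search job.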

Restores

At this time I am not covering the restore process; please review the documentation here and consider the cost implications. I have seen it said this is only for P1 incidents where the cost is not a factor.