In this tutorial, you'll set a retention policy for a table in your Log Analytics workspace that you use for Microsoft Sentinel or Azure Monitor. These steps allow you to keep older, less used data in your workspace at a reduced cost.

Retention policies in a Log Analytics workspace define when to transition old records in data tables in the workspace to the low-cost, minimal-access long-term retention (formerly known as archive) state. By default, all tables in your workspace inherit the workspace's interactive retention setting and have no long-term retention (archive) policy. You can modify the interactive and long-term retention policies of individual tables, except for workspaces in the legacy Free Trial pricing tier.

In this tutorial, you learn how to:

[!div class="checklist"]

• Set the retention policy for a table
• Review interactive and long-term retention policies

To complete the steps in this tutorial, you must have the following resources and roles.

• Azure account with an active subscription. Create an account for free.

• Azure account with the following roles:

  Built-in Role	Scope	Reason
  Log Analytics Contributor	Any of Subscription Resource group Table	To set retention policy on tables in Log Analytics

• Log Analytics workspace.

In your Log Analytics workspace, change the interactive retention policy of the SecurityEvent table from the workspace default of 90 days to 180 days, and the total retention policy to 3 years. The total retention period is the sum of the interactive and long-term (archive) retention periods.

1. Sign in to the Azure portal.

2. In the Azure portal, search for and open Log Analytics workspaces.

3. Select the appropriate workspace.

4. Under Settings, select Tables.

5. Find the SecurityEvent table in the list, and open the context menu (...).

6. Select Manage table.

   :::image type="content" source="media/configure-data-retention/data-retention-tables.png" alt-text="Screenshot of the manage table option on the context menu for a table in the tables view.":::

7. Under Data retention settings, enter the following values.

   Field	Value
   Interactive retention	180 days
   Total retention period	3 years

   :::image type="content" source="media/configure-data-retention/data-retention-settings.png" alt-text="Screenshot of the data retention settings that shows the changes to the fields under the data retention section.":::

   See that the time graph shows that the long-term retention period equals the total retention period in days minus the interactive retention period in days. In this case, 915 days, or 2.5 years.

8. Select Save.

On the Tables page for the table you updated, review the field values for Interactive retention and Total retention.

:::image type="content" source="media/configure-data-retention/data-retention-archive-period.png" alt-text="Screenshot of the table view that shows the interactive retention and archive period columns.":::

No resources were created but you might want to restore the data retention settings you changed.

[!div class="nextstepaction"] Configure interactive and long-term data retention policies in Azure Monitor Logs