Hello Erwan,
Your file format is valid for Custom Text Logs via AMA, but Azure Monitor won’t automatically split Time=... Data1=... Data2=... into separate fields. For custom text logs, each log entry is typically ingested as a single string in the RawData column unless you parse it in a query or with a DCR transformation. Also, the file must be ASCII or UTF-8 (not UTF-16), and each new record should be appended on a new line.
Start by querying it like this:
CustomTable_CL
// Split the single RawData string into named fields; the tokens must appear in this order
| parse RawData with "Time=" EventTime " Data1=" Data1 " Data2=" Data2
// EventTime arrives as a string, so convert it before using it in time filters
| extend EventTime = todatetime(EventTime)
| project TimeGenerated, EventTime, Data1, Data2, RawData
Make sure the file is really saved as UTF-8 or ASCII. Azure Monitor text collection does not support UTF-16.
Make sure each event is on one line. For custom text logs, if Azure Monitor doesn’t detect a supported timestamp format for record splitting, it falls back to end-of-line as the delimiter.
Make sure new data is appended to the file, not overwritten.
If you want the fields to be stored as separate columns permanently, use a DCR transformation. Transformation output must match the destination table schema and must include TimeGenerated.
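A transformation of the kind the answer describes, as an added example that is not part of the original answer or of any Microsoft documentation; the column names EventTimeRaw, EventTime, Data1 and Data2 and the destination table schema are assumptions:

```kusto
// Added example: transformKql for the Custom-Text stream of a DCR (assumed column names).
// The input stream exposes TimeGenerated (collection time) and RawData (one line of the file).
source
// Split the line into named fields; the tokens must appear in this exact order
| parse RawData with "Time=" EventTimeRaw " Data1=" Data1 " Data2=" Data2
| extend EventTime = todatetime(EventTimeRaw)
// Fall back to the collector's TimeGenerated when the line carries no usable timestamp,
// so a record whose Time= value fails to parse is still ingested instead of being dropped
| extend TimeGenerated = iff(isnull(EventTime), TimeGenerated, EventTime)
// The output must match the destination table's columns exactly and must include TimeGenerated
| project TimeGenerated, EventTime, Data1, Data2, RawData
```

The destination custom table must already have EventTime, Data1, Data2 and RawData columns for this to ingest; DCR transformations accept only a subset of KQL, so keep the query to operators such as parse, extend and project.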