I am retrieving sign in and activity audit logging from 3 source systems with 3 different scripts, one for each system, and preparing to send them to a custom log in Azure Monitor.

I know that once in Azure Monitor I will be writing queries and having to join or union the 3 datasets, so my questions are;

• Should I try normalise the fields, and add all three logs into a single Azure Monitor log table?
• Should I keep them in 3 separate tables and use "join" commands to bring them together?

I remember in Filebeat, it would hold many different log sources in the one index (table), and so wondering if i should do the same here in Azure?