Creating charts and diagrams from Azure Monitor log queries

Note

You should complete Advanced aggregations in Azure Monitor log queries before completing this lesson.

Note

You can work through this exercise in your own Log Analytics environment, or you can use our Demo environment, which includes plenty of sample data.

This article describes various visualizations in Azure Monitor that display your log data in different ways.

Charting the results

Start by reviewing how many computers there are per operating system during the past hour:

Heartbeat
| where TimeGenerated > ago(1h)
| summarize count(Computer) by OSType  

By default, results display as a table:

Table

To get a better view, select Chart, and choose the Pie option to visualize the results:

Pie chart

Timecharts

Show the average, 50th and 95th percentiles of processor time in bins of 1 hour. The query generates multiple series, and you can then select which series to show in the time chart:

Perf
| where TimeGenerated > ago(1d) 
| where CounterName == "% Processor Time" 
| summarize avg(CounterValue), percentiles(CounterValue, 50, 95)  by bin(TimeGenerated, 1h)

Select the Line chart display option:

Line chart

Reference line

A reference line can help you easily identify whether the metric exceeded a specific threshold. To add a line to a chart, extend the dataset with a constant column:

Perf
| where TimeGenerated > ago(1d) 
| where CounterName == "% Processor Time" 
| summarize avg(CounterValue), percentiles(CounterValue, 50, 95)  by bin(TimeGenerated, 1h)
| extend Threshold = 20

Reference line
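
The same reference-line technique applied to security data, as an added example that is not part of the original article: it charts hourly failed (EventID 4625) and successful (EventID 4624) Windows logons from SecurityEvent against a constant threshold. The threshold value of 50 and the column names FailedLogons, SuccessfulLogons and Threshold are assumptions chosen for illustration.

```kusto
// Added example: hourly logon failures and successes with a reference line.
// Assumption: 50 failed logons per hour is an illustrative threshold;
// set it from your own environment's baseline.
let FailureThreshold = 50;
SecurityEvent
| where TimeGenerated > ago(1d)
// Keep only logon events: 4624 = successful logon, 4625 = failed logon.
| where EventID in (4624, 4625)
// countif() yields one numeric column per series. An hour that has
// successful logons but no failures still gets a row, with FailedLogons = 0.
| summarize
    FailedLogons = countif(EventID == 4625),
    SuccessfulLogons = countif(EventID == 4624)
    by bin(TimeGenerated, 1h)
// Constant column: drawn as a flat line across the chart.
| extend Threshold = FailureThreshold
| render timechart
```

Hours in which FailedLogons rises above the Threshold line are the ones to review first.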

Multiple dimensions

Multiple expressions in the by clause of summarize create multiple rows in the results, one for each combination of values.

SecurityEvent
| where TimeGenerated > ago(1d)
| summarize count() by tostring(EventID), AccountType, bin(TimeGenerated, 1h)

When you view the results as a chart, it uses the first column from the by clause. The following example shows a stacked column chart using the EventID. Dimensions must be of string type, so in this example the EventID is cast to string.

Bar chart EventID

You can switch between columns by selecting the dropdown with the column name.

Bar chart AccountType

Next steps

See other lessons for using the Kusto query language with Azure Monitor log data: