Using functions in Azure Monitor log queries

To use a log query within another query, you can save it as a function. This lets you simplify complex queries by breaking them into parts, and lets you reuse common code across multiple queries.

Create a function

Create a function with Log Analytics in the Azure portal by clicking Save and then providing the information in the following table.

| Setting | Description |
|---|---|
| Name | Display name for the query in Query explorer. |
| Save as | Function |
| Function Alias | Short name to use the function in other queries. May not contain spaces and must be unique. |
| Category | A category to organize saved queries and functions in Query explorer. |

Use a function

Use a function by including its alias in another query. It can be used like any other table.

Function parameters

You can add parameters to a function so that you can provide values for certain variables when calling it. Currently, the only way to create a function with parameters is with a Resource Manager template. See Resource Manager template samples for log queries in Azure Monitor for an example.

Example

The following sample query returns all missing security updates reported in the last day. Save this query as a function with the alias security_updates_last_day.

Update
| where TimeGenerated > ago(1d) 
| where Classification == "Security Updates" 
| where UpdateState == "Needed"

Create another query and reference the security_updates_last_day function to search for SQL-related needed security updates.

security_updates_last_day | where Title contains "SQL"

Next steps

See other lessons for writing Azure Monitor log queries: