Azure Monitor 中的 Log Analytics 入门Get started with Log Analytics in Azure Monitor


可以在自己的 Log Analytics 环境中完成此练习,也可以使用我们的演示环境,其中包含大量样本数据。You can work through this exercise in your own Log Analytics environment, or you can use our Demo environment, which includes plenty of sample data.

本教程介绍如何在 Azure 门户中使用 Log Analytics 来编写 Azure Monitor 日志查询。In this tutorial you will learn how to use Log Analytics in the Azure portal to write Azure Monitor log queries. 具体内容包括:It will teach you how to:

  • 使用 Log Analytics 编写一个简单查询Use Log Analytics to write a simple query
  • 了解数据的架构Understand the schema of your data
  • 筛选、排序和分组结果Filter, sort, and group results
  • 应用时间范围Apply a time range
  • 创建图表Create charts
  • 保存和加载查询Save and load queries
  • 导出和共享查询Export and share queries

有关编写日志查询的教程,请参阅 Azure Monitor 中的日志查询入门For a tutorial on writing log queries, see Get started with log queries in Azure Monitor.
有关日志查询的详细信息,请参阅 Azure Monitor 中的日志查询概述For more details on log queries, see Overview of log queries in Azure Monitor.

了解 Log AnalyticsMeet Log Analytics

Log Analytics 是用来编写和执行 Azure Monitor 日志查询的 Web 工具。Log Analytics is a web tool used to write and execute Azure Monitor log queries. 可以通过在 Azure Monitor 菜单中选择“日志”来将其打开。 Open it by selecting Logs in the Azure Monitor menu. 它将启动并显示一个新的空白查询。It starts with a new blank query.


防火墙要求Firewall requirements

若要使用 Log Analytics,浏览器需要访问以下地址。To use Log Analytics, your browser requires access to the following addresses. 如果浏览器通过防火墙访问 Azure 门户,则必须允许访问这些地址。If your browser is accessing the Azure portal through a firewall, you must enable access to these addresses.

UriUri IPIP 端口Ports 动态Dynamic 80,44380,443 动态Dynamic 80,44380,443 动态Dynamic 80,44380,443

基本查询Basic queries

查询可用于搜索字词、识别趋势、分析模式,以及基于数据提供其他许多见解。Queries can be used to search terms, identify trends, analyze patterns, and provide many other insights based on your data. 从基本查询着手:Start with a basic query:

Event | search "error"

此查询在 Event 表中搜索任何属性中包含词语“error”的记录。This query searches the Event table for records that contain the term "error" in any property.

查询可以从表名或 search 命令开始。Queries can start with either a table name or a search command. 上面的示例从定义查询范围的表名 Event 开始。The above example starts with the table name Event, which defines the scope of the query. 竖线 (|) 字符分隔命令,第一个命令的输出是后一个命令的输入。The pipe (|) character separates commands, so the output of the first one in the input of the following command. 可在单个查询中添加任意数目的命令。You can add any number of commands to a single query.

编写同一查询的另一种方法是:Another way to write that same query would be:

search in (Event) "error"

在此示例中,search 的范围限定为 Event 表,将在该表中搜索包含词语“error”的所有记录。In this example, search is scoped to the Event table, and all records in that table are searched for the term "error".

运行查询Running a query

通过单击“运行”按钮或按 Shift+Enter 来运行查询。Run a query by clicking the Run button or pressing Shift+Enter. 请注意以下详细信息,其中确定了要运行的代码以及返回的数据:Consider the following details which determine the code that will be run and the data that's returned:

  • 换行符:使用单个换行符可让查询更易于阅读。Line breaks: A single break makes your query easier to read. 使用多个换行符会将查询拆分为多个独立的查询。Multiple line breaks split it into separate queries.
  • 游标:将游标置于查询中的某个位置以执行它。Cursor: Place your cursor somewhere inside the query to execute it. 当前查询被视为空行之前的代码。The current query is considered to be the code up until a blank line is found.
  • 时间范围 - 默认设置的时间范围为过去 24 小时。 Time range - A time range of last 24 hours is set by default. 若要使用不同的范围,请使用时间选取器,或者在查询中添加明确的时间范围筛选器。To use a different range, use the time-picker or add an explicit time range filter to your query.

了解架构Understand the schema

架构是直观分组到某个逻辑类别下的表集合。The schema is a collection of tables visually grouped under a logical category. 有多个类别来自监视解决方案。Several of the categories are from monitoring solutions. LogManagement 类别包含公用数据,例如 Windows 和 Syslog 事件、性能数据和客户端检测信号。The LogManagement category contains common data such as Windows and Syslog events, performance data, and client heartbeats.


在每个表中,数据组织成具有不同数据类型的列。数据类型由列名旁边的图标指示。In each table, data is organized in columns with different data types as indicated by icons next to the column name. 例如,屏幕截图中显示的 Event 表包含文本类型的 Computer、数字类型的 EventCategory 和日期/时间类型的 TimeGenerated 等列。For example, the Event table shown in the screenshot contains columns such as Computer which is text, EventCategory which is a number, and TimeGenerated which is date/time.

筛选结果Filter the results

首先获取 Event 表中的所有内容。Start by getting everything in the Event table.


Log Analytics 会按以下依据自动限定结果的范围:Log analytics automatically scopes results by:

  • 时间范围:默认情况下,查询限制为过去 24 小时。Time range: By default, queries are limited to the last 24 hours.
  • 结果数:结果数限制为最多 10,000 条记录。Number of results: Results are limited to maximum of 10,000 records.

此查询的范围太泛,它返回了过多的结果,因此不太实用。This query is very general, and it returns too many results to be useful. 可以通过表元素或者在查询中显式添加筛选器来筛选结果。You can filter the results either through the table elements, or by explicitly adding a filter to the query. 通过表元素筛选结果的方法适用于现有结果集,而在查询本身中添加的筛选器会返回新的筛选结果集,因此可以生成更准确的结果。Filtering results through the table elements applies to the existing result set, while a filter to the query itself will return a new filtered result set and could therefore produce more accurate results.

将筛选器添加到查询Add a filter to the query

每条记录的左侧有一个箭头。There is an arrow to the left of each record. 单击此箭头可以打开特定记录的详细信息。Click this arrow to open the details for a specific record.

将鼠标悬停在列名上会显示“+”和“-”图标。Hover above a column name for the "+" and "-" icons to display. 若要添加筛选器以便仅返回具有相同值的记录,请单击“+”号。To add a filter that will return only records with the same value, click the "+" sign. 单击“-”排除具有此值的记录,然后单击“运行”以再次运行查询。Click "-" to exclude records with this value and then click Run to run the query again.


通过表元素筛选Filter through the table elements

现在,让我们关注严重性为 Error 的事件。Now let's focus on events with a severity of Error. 名为 EventLevelName 的列中指定了严重性。This is specified in a column named EventLevelName. 需要向右滚动才能看到此列。You'll need to scroll to the right to see this column.

单击列标题旁边的“筛选”图标,然后在弹出窗口中选择以文本 error 开头的值:Click the Filter icon next to the column title, and in the pop-up window select values that Starts with the text error:


排序和分组结果Sort and group results

现在,结果的范围已缩小,只包括过去 24 小时在 SQL Server 中创建的“错误”事件。The results are now narrowed down to include only error events from SQL Server, created in the last 24 hours. 但是,结果未进行任何形式的排序。However, the results are not sorted in any way. 若要按特定的列(例如 timestamp)将结果排序,请单击列标题。To sort the results by a specific column, such as timestamp for example, click the column title. 单击一下会按升序排序,再单击一下会按降序排序。One click sorts in ascending order while a second click will sort in descending.


还可以按组来组织结果。Another way to organize results is by groups. 若要按特定的列来分组结果,只需将该列标题拖放到其他列的上方即可。To group results by a specific column, simply drag the column header above the other columns. 若要创建子组,请同时将其他列拖放到上部栏中。To create subgroups, drag other columns the upper bar as well.


选择要显示的列Select columns to display

结果表通常包含大量的列。The results table often includes a lot of columns. 你可能发现,某些返回的列默认未显示,或者,你可能想要删除显示的某些列。You might find that some of the returned columns are not displayed by default, or you may want to remove some the columns that are displayed. 若要选择要显示的列,请单击“列”按钮:To select the columns to show, click the Columns button:


选择时间范围Select a time range

默认情况下,Log Analytics 应用“过去 24 小时”时间范围。By default, log analytics applies the last 24 hours time range. 若要使用不同的范围,请通过时间选取器选择另一个值,然后单击“运行”。To use a different range, select another value through the time picker and click Run. 除预设值以外,还可以使用“自定义时间范围”选项来选择查询的绝对范围。In addition to the preset values, you can use the Custom time range option to select an absolute range for your query.


选择自定义时间范围时,所选值采用 UTC 格式,这可能不同于你的本地时区。When selecting a custom time range, the selected values are in UTC, which could be different than your local time zone.

如果查询显式包含 TimeGenerated 的筛选器,则时间选取器标题中会显示“在查询中设置”。If the query explicitly contains a filter for TimeGenerated, the time picker title will show Set in query. 将禁用手动选择,以防止冲突。Manual selection will be disabled to prevent a conflict.


除了在表中返回结果以外,还会以可视格式显示查询结果。In addition to returning results in a table, query results can be presented in visual formats. 使用以下查询作为示例:Use the following query as an example:

| where EventLevelName == "Error" 
| where TimeGenerated > ago(1d) 
| summarize count() by Source 

默认会在表中显示结果。By default, results are displayed in a table. 单击“图表”可在图形视图中查看结果:Click Chart to see the results in a graphic view:


在堆积条形图中显示结果。The results are shown in a stacked bar chart. 单击“堆积柱形图”并选择“饼图”可以显示另一个结果视图:Click Stacked Column and select Pie to show another view of the results:


可以通过控件条手动更改视图的不同属性(例如 X 和 Y 轴)或者分组和拆分首选项。Different properties of the view, such as x and y axes, or grouping and splitting preferences, can be changed manually from the control bar.

还可以使用 render 运算符在查询本身中设置首选视图。You can also set the preferred view in the query itself, using the render operator.

智能诊断Smart diagnostics

时间图表中,如果数据出现突增或上了一个台阶,则可在图线中看到突出显示的点。On a timechart, if there is a sudden spike or step in your data, you may see a highlighted point on the line. 这表示智能诊断已识别到筛选出发生突然变化的属性组合。This indicates that Smart Diagnostics has identified a combination of properties that filter out the sudden change. 单击相应的点可获取有关筛选器的详细信息以及查看筛选器版本。Click the point to get more detail on the filter, and to see the filtered version. 这有助于识别导致发生变化的原因:This may help you identify what caused the change:


固定到仪表板Pin to dashboard

若要将图表或表固定到某个共享的 Azure 仪表板,请单击图钉图标。To pin a diagram or table to one of your shared Azure dashboards, click the pin icon.


在某些情况下,将图表固定到仪表板时,图表会应用特定的简化功能:Certain simplifications are applied to a chart when you pin it to a dashboard:

  • 表列和行:若要将某个表固定到仪表板,该表包含的列数不能超过四个。Table columns and rows: In order to pin a table to the dashboard, it must have four or fewer columns. 只显示前七行。Only the top seven rows are displayed.
  • 时间限制:查询自动限制为过去 14 天。Time restriction: Queries are automatically limited to the past 14 days.
  • Bin 计数限制:如果显示的图表包含许多离散的 Bin,所占比例较少的 Bin 将自动分组到单个“其他”Bin。Bin count restriction: If you display a chart that has a lot of discrete bins, less populated bins are automatically grouped into a single others bin.

保存查询Save queries

创建有用的查询后,可以将其保存,或者与他人共享。Once you've created a useful query, you might want to save it or share with others. “保存”图标位于顶部栏上。The Save icon is on the top bar.

可以保存整个查询页,或者将单个查询保存为一个函数。You can save either the entire query page, or a single query as a function. 函数是也可以由其他查询引用的查询。Functions are queries that can also be referenced by other queries. 若要将查询保存为函数,必须提供函数别名,这是当此查询由其他查询引用时,用来调用此查询的名称。In order to save a query as a function, you must provide a function alias, which is the name used to call this query when referenced by other queries.



保存查询或编辑已保存的查询时,在“名称” 字段中支持以下字符 - a-z, A-Z, 0-9, -, _, ., <space>, (, ), |The following characters are supported - a-z, A-Z, 0-9, -, _, ., <space>, (, ), | in the Name field when saving or editing the saved query.

Log Analytics 查询始终保存到选定的工作区中,并与该工作区的其他用户共享。Log Analytics queries are always saved to a selected workspace, and shared with other users of that workspace.

加载查询Load queries

“查询资源管理器”图标位于右上区域。The Query Explorer icon is at the top-right area. 其中按类别列出了所有已保存的查询。This lists all saved queries by category. 在其中还可将特定的查询加入收藏夹,以便将来快速找到它们。It also enables you to mark specific queries as Favorites to quickly find them in the future. 双击某个已保存的查询可将其添加到当前窗口中。Double-click a saved query to add it to the current window.


Log Analytics 支持多种导出方法:Log analytics supports several exporting methods:

  • Excel:将结果保存为 CSV 文件。Excel: Save the results as a CSV file.

后续步骤Next steps