Tutorial: Get started with Log Analytics queries

This tutorial shows you how to use Log Analytics to write, execute, and manage Azure Monitor log queries in the Azure portal. You can use Log Analytics queries to search for terms, identify trends, analyze patterns, and provide many other insights from your data.

In this tutorial, you learn how to use Log Analytics to:

  • Understand the log data schema
  • Write and run simple queries, and modify the time range for queries
  • Filter, sort, and group query results
  • View, modify, and share visuals of query results
  • Save, load, export, and copy queries and results

For more information about log queries, see Overview of log queries in Azure Monitor.
For a detailed tutorial on writing log queries, see Get started with log queries in Azure Monitor.

Open Log Analytics

To use Log Analytics, you need to be signed in to an Azure account. If you don't have an Azure account, create a trial account.

To complete most of the steps in this tutorial, you can use this demo environment, which includes plenty of sample data. With the demo environment, you won't be able to save queries or pin results to a dashboard.

You can also use your own environment if you're using Azure Monitor to collect log data on at least one Azure resource. To open a Log Analytics workspace, in the Azure Monitor left navigation, select Logs.

Understand the schema

A schema is a collection of tables grouped under logical categories. The Demo schema has several categories from monitoring solutions. For example, the LogManagement category contains Windows and Syslog events, performance data, and agent heartbeats.

The schema tables appear on the Tables tab of the Log Analytics workspace. The tables contain columns, each with a data type shown by the icon next to the column name. For example, the Event table contains text columns like Computer and numerical columns like EventCategory.

(Screenshot: the Azure portal Logs page with a new query, highlighting the Tables pane and the Computer and EventCategory columns in it.)

Write and run basic queries

Log Analytics opens with a new blank query in the Query editor.

(Screenshot: Log Analytics)

Write a query

Azure Monitor log queries use a version of the Kusto query language. Queries can begin with either a table name or a search command.

The following query retrieves all records from the Event table:

Event

The pipe (|) character separates commands, so the output of the first command is the input of the next command. You can add any number of commands to a single query. The following query retrieves the records from the Event table, and then searches them for the term error in any property:

Event
| search "error"

A single line break makes queries easier to read. More than one line break splits the query into separate queries.

Another way to write the same query is:

search in (Event) "error"

In the second example, the search command searches only records in the Event table for the term error.

By default, Log Analytics limits queries to a time range of the past 24 hours. To set a different time range, you can add an explicit TimeGenerated filter to the query, or use the Time range control.

Use the Time range control

To use the Time range control, select it in the top bar, and then select a value from the dropdown list, or select Custom to create a custom time range.

(Screenshot: Time picker)

  • Time range values are in UTC, which could be different from your local time zone.
  • If the query explicitly sets a filter for TimeGenerated, the time picker control shows Set in query, and is disabled to prevent a conflict.

Run a query

To run a query, place your cursor somewhere inside the query, and select Run in the top bar or press Shift+Enter. The query runs until it finds a blank line.

Filter results

Log Analytics limits results to a maximum of 10,000 records. A general query like Event returns too many results to be useful. You can filter query results either by restricting the table elements in the query, or by explicitly adding a filter to the results. Filtering through the table elements returns a new result set, while an explicit filter applies to the existing result set.

Filter by restricting table elements

To filter Event query results to Error events by restricting table elements in the query:

  1. In the query results, select the dropdown arrow next to any record that has Error in the EventLevelName column.

  2. In the expanded details, hover over and select the ... next to EventLevelName, and then select Include "Error".

    (Screenshot: Add a filter to the query)

  3. Notice that the query in the Query editor has now changed to:

    Event
    | where EventLevelName == "Error"
    
  4. Select Run to run the new query.

Filter by explicitly filtering results

To filter the Event query results to Error events by filtering the query results:

  1. In the query results, select the Filter icon next to the column heading EventLevelName.

  2. In the first field of the pop-up window, select Is equal to, and in the next field, enter error.

  3. Select Filter.

    (Screenshot: the results table with the context menu for filtering results by EventLevelName.)

Sort, group, and select columns

To sort query results by a specific column, such as TimeGenerated [UTC], select the column heading. Select the heading again to toggle between ascending and descending order.

(Screenshot: Sort column)

Another way to organize results is by groups. To group results by a specific column, drag the column header to the bar above the results table labeled Drag a column header and drop it here to group by that column. To create subgroups, drag other columns to the upper bar. You can rearrange the hierarchy and sorting of the groups and subgroups in the bar.

(Screenshot: query results with subgroups by EventLevelName and Computer.)

To hide or show columns in the results, select Columns above the table, and then select or deselect the columns you want from the dropdown list.

(Screenshot: Select columns)

View and modify charts

You can also see query results in visual formats. Enter the following query as an example:

Event
| where EventLevelName == "Error"
| where TimeGenerated > ago(1d)
| summarize count() by Source

By default, results appear in a table. Select Chart above the table to see the results in a graphic view.

(Screenshot: Bar chart)

The results appear in a stacked bar chart. Select other options like Stacked Column or Pie to show other views of the results.

(Screenshot: Pie chart)

You can change properties of the view, such as x and y axes, or grouping and splitting preferences, manually from the control bar.

You can also set the preferred view in the query itself, using the render operator.
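The following query is an added example, not part of the original tutorial, that combines the pieces shown above (an explicit TimeGenerated filter, the EventLevelName filter, summarize, and render) into a trend view of Error events per host, the kind of view used to spot one machine suddenly logging far more errors than its peers. It assumes the Event table columns the tutorial names (TimeGenerated, Computer, EventLevelName); the let statement, the in() operator, bin(), and the timechart view go beyond what the tutorial itself introduces, and the 7-day window, top-5 cutoff, and 1-hour bin are arbitrary choices.

```kusto
// Added example, not from the tutorial. Assumes the Event table columns
// TimeGenerated, Computer and EventLevelName named in the tutorial.
// No blank lines inside the query: a blank line would split it into
// separate queries, as the tutorial notes.
let window = 7d;   // constructed choice of look-back period
// First pass: the five computers with the most Error events in the window.
let noisyHosts = Event
    // Explicit time filter: with this present, the portal's Time range
    // control shows "Set in query" and is disabled.
    | where TimeGenerated > ago(window)
    // Same filter the Include "Error" action adds to a query.
    | where EventLevelName == "Error"
    | summarize ErrorCount = count() by Computer
    | top 5 by ErrorCount desc
    | project Computer;
// Second pass: hourly Error counts for just those hosts, drawn as one
// line per computer so a spike on a single host stands out.
Event
| where TimeGenerated > ago(window)
| where EventLevelName == "Error"
| where Computer in (noisyHosts)
| summarize ErrorCount = count() by bin(TimeGenerated, 1h), Computer
// Pick the chart view from the query instead of the Chart control.
| render timechart
```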

Pin results to a dashboard

To pin a results table or chart from Log Analytics to a shared Azure dashboard, select Pin to dashboard on the top bar.

(Screenshot: Pin to dashboard)

In the Pin to another dashboard pane, select or create a shared dashboard to pin to, and select Apply. The table or chart appears on the selected Azure dashboard.

(Screenshot: Chart pinned to a dashboard)

A table or chart that you pin to a shared dashboard has the following simplifications:

  • Data is limited to the past 14 days.
  • A table shows only up to four columns and the top seven rows.
  • Charts with many discrete categories automatically group less populated categories into a single others bin.

Save, load, or export queries

Once you create a query, you can save or share the query or results with others.

Save queries

To save a query:

  1. Select Save on the top bar.

  2. In the Save dialog, give the query a Name, using the characters a-z, A-Z, 0-9, space, hyphen, underscore, period, parenthesis, or pipe.

  3. Select whether to save the query as a Query or a Function. Functions are queries that other queries can reference.

    To save a query as a function, provide a Function Alias, which is a short name for other queries to use to call this query.

  4. If you are in a Log Analytics workspace, provide a Category for Query explorer to use for the query. (Categories aren't available for Application Insights queries.)

  5. Select Save.

    (Screenshot: Save function)

Load queries

To load a saved query, select Query explorer at upper right. The Query explorer pane opens, listing all queries by category. Expand the categories or enter a query name in the search bar, then select a query to load it into the Query editor. You can mark a query as a Favorite by selecting the star next to the query name.

(Screenshot: Query explorer)

Export and share queries

To export a query, select Export on the top bar, and then select Export to CSV - all columns, Export to CSV - displayed columns, or Export to Power BI (M query) from the dropdown list.

To share a link to a query, select Copy link on the top bar, and then select Copy link to query, Copy query text, or Copy query results to copy to the clipboard. You can send the query link to others who have access to the same workspace.

Next steps

Advance to the next tutorial to learn more about writing Azure Monitor log queries.