Working with JSON and data structures in Azure Monitor log queries

Note

You should complete Get started with Azure Monitor Log Analytics and Getting started with Azure Monitor log queries before completing this lesson.

Note

You can work through this exercise in your own Log Analytics environment, or you can use our Demo environment, which includes plenty of sample data.

Nested objects are objects that contain other objects in an array or a map of key-value pairs. These objects are represented as JSON strings. This article describes how JSON is used to retrieve data and analyze nested objects.

Working with JSON strings

Use extractjson to access a specific JSON element in a known path. This function requires a path expression that uses the following conventions.

  • Use $ to refer to the root folder.
  • Use the bracket or dot notation to refer to indexes and elements as illustrated in the following examples.

Use brackets for indexes and dots to separate elements:

let hosts_report='{"hosts": [{"location":"North_DC", "status":"running", "rate":5},{"location":"South_DC", "status":"stopped", "rate":3}]}';
print hosts_report
| extend status = extractjson("$.hosts[0].status", hosts_report)

This is the same result using only the brackets notation:

let hosts_report='{"hosts": [{"location":"North_DC", "status":"running", "rate":5},{"location":"South_DC", "status":"stopped", "rate":3}]}';
print hosts_report 
| extend status = extractjson("$['hosts'][0]['status']", hosts_report)

If there is only one element, you can use only the dot notation:

let hosts_report=dynamic({"location":"North_DC", "status":"running", "rate":5});
print hosts_report 
| extend status = hosts_report.status

Working with objects

parsejson

To access multiple elements in your JSON structure, it's easier to access it as a dynamic object. Use parsejson to cast text data to a dynamic object. Once converted to a dynamic type, additional functions can be used to analyze the data.

let hosts_object = parsejson('{"hosts": [{"location":"North_DC", "status":"running", "rate":5},{"location":"South_DC", "status":"stopped", "rate":3}]}');
print hosts_object 
| extend status0=hosts_object.hosts[0].status, rate1=hosts_object.hosts[1].rate

arraylength

Use arraylength to count the number of elements in an array:

let hosts_object = parsejson('{"hosts": [{"location":"North_DC", "status":"running", "rate":5},{"location":"South_DC", "status":"stopped", "rate":3}]}');
print hosts_object 
| extend hosts_num=arraylength(hosts_object.hosts)

mvexpand

Use mvexpand to break the properties of an object into separate rows.

let hosts_object = parsejson('{"hosts": [{"location":"North_DC", "status":"running", "rate":5},{"location":"South_DC", "status":"stopped", "rate":3}]}');
print hosts_object 
| mvexpand hosts_object.hosts[0]

buildschema

Use buildschema to get the schema that admits all values of an object:

let hosts_object = parsejson('{"hosts": [{"location":"North_DC", "status":"running", "rate":5},{"location":"South_DC", "status":"stopped", "rate":3}]}');
print hosts_object 
| summarize buildschema(hosts_object)

The output is a schema in JSON format:

{
    "hosts":
    {
        "indexer":
        {
            "location": "string",
            "rate": "int",
            "status": "string"
        }
    }
}

This output describes the names of the object fields and their matching data types.

Nested objects may have different schemas such as in the following example:

let hosts_object = parsejson('{"hosts": [{"location":"North_DC", "status":"running", "rate":5},{"status":"stopped", "rate":"3", "range":100}]}');
print hosts_object 
| summarize buildschema(hosts_object)
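
An added example, not part of the original lesson, that normalizes the mixed-schema object above before it is filtered or aggregated. It produces one row per host and casts every field explicitly, so a missing location and a rate stored as a string stay visible instead of silently falling out of a comparison. The column names hosts, host, and missing_location are chosen here for illustration.

```kusto
// Same constructed sample as above: the second host has no "location",
// stores "rate" as a string, and carries an extra "range" field.
let hosts_object = parsejson('{"hosts": [{"location":"North_DC", "status":"running", "rate":5},{"status":"stopped", "rate":"3", "range":100}]}');
print hosts = hosts_object.hosts
// One output row per element of the hosts array.
| mv-expand host = hosts
// Cast each dynamic value to a concrete type. Going through tostring()
// first lets the int 5 and the string "3" both end up as int.
| extend location = tostring(host.location),      // "" when the key is absent
         status   = tostring(host.status),
         rate     = toint(tostring(host.rate)),
         range    = toint(tostring(host.range))   // null when the key is absent
// Flag records that lack a field later queries depend on.
| extend missing_location = isempty(location)
| project location, status, rate, range, missing_location
```

With the fields typed this way, a filter such as where rate >= 3 compares integers for both hosts, and rows with missing_location set to true can be reviewed separately.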

Next steps

See other lessons for using log queries in Azure Monitor: