Azure Monitor 中的 Log Analytics 概述Overview of Log Analytics in Azure Monitor

Log Analytics 是 Azure 门户中的一种工具,用于通过 Azure Monitor 日志中的数据编辑和运行日志查询。Log Analytics is a tool in the Azure portal used to edit and run log queries with data in Azure Monitor Logs. 可以编写简单查询,以返回记录集,然后使用 Log Analytics 的功能对它们进行排序、筛选和分析。You may write a simple query that returns a set of records and then use features of Log Analytics to sort, filter, and analyze them. 也可以编写更高级的查询来执行统计分析并在图表中显示结果,以确定特定趋势。Or you may write a more advanced query to perform statistical analysis and visualize the results in a chart to identify a particular trend. 无论是以交互方式处理查询的结果,还是将它们与其他 Azure Monitor 功能(如日志查询警报或工作簿)一起使用,Log Analytics 都是要用于编写和测试它们的工具。Whether you work with the results of your queries interactively or use them with other Azure Monitor features such as log query alerts or workbooks, Log Analytics is the tool that you're going to use write and test them.

提示

本文提供了 Log Analytics 及其每个功能的说明。This article provides a description of Log Analytics and each of its features. 如果要直接跳转到教程,请参阅 Log Analytics 教程If you want to jump right into a tutorial, see Log Analytics tutorial.

启动 Log AnalyticsStarting Log Analytics

在 Azure 门户中,从“Azure Monitor”菜单中的“日志”启动 Log Analytics 。Start Log Analytics from Logs in the Azure Monitor menu in the Azure portal. 对于大多数 Azure 资源,你也会在菜单中看到此选项。You'll also see this option in the menu for most Azure resources. 无论从何处启动,它都是相同的 Log Analytics 工具。Regardless of where you start it from, it will be the same Log Analytics tool. 不过,用于启动 Log Analytics 的菜单会确定可用的数据。The menu you use to start Log Analytics determines the data that will be available though. 如果从“Azure Monitor”菜单或“ Log Analytics 工作区”菜单中启动,则可以访问工作区中的所有记录 。If you start it from the Azure Monitor menu or the Log Analytics workspaces menu, you'll have access to all of the records in a workspace. 如果从其他类型的资源选择“日志”,则数据会限制为该资源的日志数据。If you select Logs from another type of resource, then your data will be limited to log data for that resource. 有关详细信息,请参阅 Azure Monitor Log Analytics 中的日志查询范围和时间范围See Log query scope and time range in Azure Monitor Log Analytics for details.

启动 Log AnalyticsStart Log Analytics

启动 Log Analytics 时,你会看到的第一个内容是包含示例查询的对话框。When you start Log Analytics, the first thing you'll see is a dialog box with example queries. 这些查询按解决方案进行分类,你可以浏览或搜索符合特定要求的查询。These are categorized by solution, and you can browse or search for queries that match your particular requirements. 能够查找精确执行所需操作的查询,或者将一个查询加载到编辑器中,并根据需要进行修改。You may be able to find a that does exactly what you need, or load one to the editor and modify it as required. 浏览示例查询实际上是一种了解如何编写自己的查询的极好方法。Browsing through example queries is actually a great way to learn how to write your own queries. 当然,如果要从空脚本开始并自己编写,则可以关闭示例查询。Of course if you want to start with an empty script and write it yourself, you can close the example queries. 如果要重新打开它们,只需单击屏幕顶部的“查询”。Just click the Queries at the top of the screen if you want to get them back.

Log Analytics 界面Log Analytics interface

下图标识了 Log Analytics 的不同组件。The following image identifies the different components of Log Analytics.

Log AnalyticsLog Analytics

1.顶部操作栏1. Top action bar

用于在查询窗口中处理查询的控件。Controls for working with the query in the query window.

选项Option 说明Description
作用域Scope 指定用于查询的数据范围。Specifies the scope of data used for the query. 这可以是 Log Analytics 工作区中的所有数据,或是跨多个工作区的特定资源的数据。This could be all data in a Log Analytics workspace or data for a particular resource across multiple workspaces. 请参阅查询范围See Query scope.
“运行”按钮Run button 单击可在查询窗口中运行所选查询。Click to run the selected query in the query window. 还可以按 Shift+Enter 来运行查询。You can also press shift+enter to run a query.
时间选取器Time picker 选择可用于查询的数据时间范围。Select the time range for the data available to the query. 如果在查询中包含时间筛选器,则会替代此项。This is overridden if you include a time filter in the query. 请参阅 Azure Monitor Log Analytics 中的日志查询范围和时间范围See Log query scope and time range in Azure Monitor Log Analytics.
“保存”按钮Save button 将查询保存到工作区的查询资源管理器。Save the query to the Query Explorer for the workspace.
“复制”按钮Copy button 将查询链接、查询文本或查询结果复制到剪贴板。Copy a link to the query, the query text, or the query results to the clipboard.
“新建警报规则”按钮New alert rule button 创建包含空查询的新选项卡。Create a new tab with an empty query.
“导出”按钮Export button 将查询结果导出到 CSV 文件或将查询导出为 Power Query 公式语言格式以便用于 Power Bi。Export the results of the query to a CSV file or the query to Power Query Formula Language format for use with Power Bi.
“固定到仪表板”按钮Pin to dashboard button 将查询结果添加到 Azure 仪表板。Add the results of the query to an Azure dashboard.
“设置查询格式”按钮Format query button 排列所选文本以便于阅读。Arrange the selected text for readability.
“示例查询”按钮Example queries button 打开在第一次打开 Log Analytics 时显示的示例查询对话框。Open the example queries dialog box that is displayed when you first open Log Analytics.
“查询资源管理器”按钮Query Explorer button 打开“查询资源管理器”以便访问工作区中已保存的查询。Open Query Explorer which provides access to saved queries in the workspace.

2.边栏2. Sidebar

工作区中的表、示例查询以及适用于当前查询的筛选选项的列表。Lists of tables in the workspace, sample queries, and filter options for the current query.

选项卡Tab 说明Description
Tables 列出属于所选范围的表。Lists the tables that are part of the selected scope. 选择“分组依据”可更改表的分组。Select Group by to change the grouping of the tables. 将鼠标悬停在表名称上方可显示一个对话框,其中包含表的说明以及用于查看其文档和预览其数据的选项。Hover over a table name to display a dialog box with a description of the table and options to view its documentation and to preview its data. 展开表可查看其列。Expand a table to view its columns. 双击表或列名可将其添加到查询中。Double-click on a table or column name to add it to the query.
查询Queries 可在查询窗口中打开的示例查询的列表。List of example queries that you can open in the query window. 这是打开 Log Analytics 时显示的同一个列表。This is the same list that's displayed when you open Log Analytics. 选择“分组依据”可更改查询的分组。Select Group by to change the grouping of the queries. 双击查询可将其添加到查询窗口,或将鼠标悬停在其上方可查看其他选项。Double-click on a query to add it to the query window or hover over it for other options.
筛选器Filter 基于查询结果创建筛选器选项。Creates filter options based on the results of a query. 运行查询之后,将显示在结果中具有不同值的列。After you a run a query, columns will be displayed with different values from the results. 选择一个或多个值,然后单击“应用并运行”可将 where 命令添加到查询中,然后再次运行 。Select one or more values and then click Apply & Run to add a where command to the query and run it again.

3.查询窗口3. Query window

查询窗口是编辑查询的位置。The query window is where you edit your query. 这包括用于 KQL 命令的 IntelliSense 和用于提高可读性的颜色编码。This includes intellisense for KQL commands and color coding to enhance readability. 单击窗口顶部的“+”可打开另一个选项卡。Click the + at the top of the window to open another tab.

单个窗口中可以包含多个查询。As single window can include multiple queries. 查询不能包含任何空白行,因此可以在一个窗口中使用一个或多个空白行分隔多个查询。A query cannot include any blank lines, so you can separate multiple queries in a window with one or more blank lines. 光标所在位置是当前的查询。The current query is the one with the cursor positioned anywhere in it.

若要运行当前查询,请单击“运行”按钮或按 Shift+Enter。To run the current query, click the Run button or press Shift+Enter.

4.结果窗口4. Results window

查询结果显示在结果窗口中。The results of the query are displayed in the results window. 默认情况下,结果显示为表。By default, the results are displayed as a table. 若要显示为图表,请在结果窗口中选择“图表”,或者向查询添加 render 命令 。To display as a chart, either select Chart in the results window, or add a render command to your query.

结果视图 (Results view)Results view

在按列和行组织的表中显示查询结果。Displays query results in a table organized by columns and rows. 单击行的左侧可展开其值。Click to the left of a row to expand its values. 单击“列”下拉列表可更改列的列表。Click on the Columns dropdown to change the list of columns. 可通过单击列名对结果进行排序。Sort the results by clicking on a column name. 可通过单击列名旁的漏斗来筛选结果。Filter the results by clicking the funnel next to a column name. 可通过再次运行查询来清除筛选器并重置排序。Clear the filters and reset the sorting by running the query again.

选择“组合列”可在查询结果上方显示分组栏。Select Group columns to display the grouping bar above the query results. 可通过将任何列拖动到该栏上来按该列对结果进行分组。Group the results by any column by dragging it to the bar. 可通过添加其他列在结果中创建嵌套组。Create nested groups in the results by adding additional columns.

图表视图Chart view

将结果显示为多个可用图表类型之一。Displays the results as one of multiple available chart types. 可以在查询的 render 命令中指定图表类型,也可以从“可视化效果类型”下拉列表中进行选择 。You can specify the chart type in a render command in your query or select it from the Visualization Type dropdown.

选项Option 说明Description
可视化效果类型Visualization Type 要显示的图表类型。Type of chart to display.
X 轴X-Axis 结果中要用于 X 轴的列Column in the results to use for the X-Axis
Y 轴Y-Axis 结果中要用于 Y 轴的列。Column in the results to use for the Y-Axis. 这通常是数值列。This will typically be a numeric column.
拆分依据Split by 结果中用于定义图表中的序列的列。Column in the results that defines the series in the chart. 为列中的每个值创建一个序列。A series is created for each value in the column.
聚合Aggregation 要对 Y 轴中的数值执行的聚合类型。Type of aggregation to perform on the numeric values in the Y-Axis.

与 Azure 数据资源管理器的关系Relationship to Azure Data Explorer

如果你已熟悉 Azure 数据资源管理器 Web UI,Log Analytics 应看上去很熟悉。If you're already familiar with the Azure Data Explorer Web UI, then Log Analytics should look familiar. 这是因为它构建在 Azure 数据资源管理器的基础之上,使用相同的 Kusto 查询语言 (KQL)。That's because it's built on top of Azure Data Explorer and uses the same Kusto Query Language (KQL). Log Analytics 添加了特定于 Azure Monitor 的功能,如按时间范围筛选以及通过查询创建警报规则的功能。Log Analytics adds features specific to Azure Monitor such as filtering by time range and the ability to create an alert rule from a query. 这两种工具都包含一个资源管理器,使你可以扫描可用表的结构,但 Azure 数据资源管理器 Web UI 主要处理 Azure 数据资源管理器数据库中的表,而 Log Analytics 处理 Log Analytics 工作区中的表。Both tools included an explorer that lets you scan through the structure of available tables, but the Azure Data Explorer Web UI primarily works with tables in Azure Data Explorer databases while Log Analytics works with tables in a Log Analytics workspace.

后续步骤Next steps