Log queries in Azure Monitor

Azure Monitor Logs is based on Azure Data Explorer, and log queries are written using the same Kusto query language (KQL). This is a rich language designed to be easy to read and author, so you should be able to start writing queries with some basic guidance.

Areas in Azure Monitor where you will use queries include the following:

  • Log Analytics. Primary tool in the Azure portal for editing log queries and interactively analyzing their results. Even if you intend to use a log query elsewhere in Azure Monitor, you'll typically write and test it in Log Analytics before copying it to its final location.
  • Log alert rules. Proactively identify issues from data in your workspace. Each alert rule is based on a log query that is automatically run at regular intervals. The results are inspected to determine if an alert should be created.
  • Workbooks. Include the results of log queries using different visualizations in interactive visual reports in the Azure portal.
  • Azure Dashboards. Pin the results of any query into an Azure dashboard, which allows you to visualize log and metric data together and optionally share with other Azure users.
  • Logic Apps. Use the results of a log query in an automated workflow using Logic Apps.
  • PowerShell. Use the results of a log query in a PowerShell script from a command line or an Azure Automation runbook that uses Get-AzOperationalInsightsSearchResults.
  • Azure Monitor Logs API. Retrieve log data from the workspace from any REST API client. The API request includes a query that is run against Azure Monitor to determine the data to retrieve.
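The following query is an added example, not part of the original documentation, of the kind of query you would author and test in Log Analytics and then reuse as a log alert rule: it surfaces hosts and source addresses with a burst of failed Windows logons. It assumes the workspace collects Windows security events into the SecurityEvent table (Event ID 4625 is "an account failed to log on"); verify the table and column names against your own workspace schema.

```kql
// Added example (not from the Azure docs): a defender-oriented log query that can be
// authored and tested in Log Analytics, then reused as a log alert rule.
// Assumption: Windows security events are collected into the SecurityEvent table;
// Computer, IpAddress and TargetUserName are standard columns of that table.
let lookback = 1h;          // window the alert rule evaluates on each scheduled run
let threshold = 10;         // failed logons from one source before a row is returned
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4625                      // An account failed to log on
| summarize
    FailedLogons = count(),
    Accounts     = dcount(TargetUserName),   // how many distinct accounts were tried
    FirstSeen    = min(TimeGenerated),
    LastSeen     = max(TimeGenerated)
  by Computer, IpAddress
| where FailedLogons >= threshold
| order by FailedLogons desc
| project Computer, IpAddress, FailedLogons, Accounts, FirstSeen, LastSeen
```

When this query backs a log alert rule, configure the rule to fire when the number of results is greater than 0, so every returned row represents a source that crossed the threshold during the evaluation window.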

Getting started

The best way to get started learning to write log queries using KQL is leveraging available tutorials and samples.

  • Log Analytics tutorial - Tutorial on using the features of Log Analytics, which is the tool that you'll use in the Azure portal to edit and run queries. It also allows you to write simple queries without directly working with the query language. If you haven't used Log Analytics before, start here so you understand the tool that you'll use with the other tutorials and samples.
  • KQL tutorial - Guided walk through basic KQL concepts and common operators. This is the best place to start to come up to speed with the language itself and the structure of log queries.
  • Example queries - Description of the example queries available in Log Analytics. You can use the queries without modification or use them as samples to learn KQL.
  • Query samples - Sample queries illustrating a variety of different concepts.

Reference documentation

Documentation for KQL, including the reference for all commands and operators, is available in the Azure Data Explorer documentation. Even as you get proficient using KQL, you'll still regularly use the reference to investigate new commands and scenarios that you haven't used before.

Language differences

While Azure Monitor uses the same KQL as Azure Data Explorer, there are some differences. The KQL documentation will specify those operators that aren't supported by Azure Monitor or that have different functionality. Operators specific to Azure Monitor are documented in the Azure Monitor content. The following sections provide a list of the differences between versions of the language for quick reference.

Statements not supported in Azure Monitor

Functions not supported in Azure Monitor

Operators not supported in Azure Monitor

Plugins not supported in Azure Monitor

Additional operators in Azure Monitor

The following operators support specific Azure Monitor features and are not available outside of Azure Monitor.

Next steps