Transition from Log Analytics log search to Azure Monitor logs

The log search in Log Analytics was recently replaced with a new experience for analyzing Azure Monitor logs. The Log search page is currently still accessible through the Logs (classic) menu item in the Log Analytics workspaces page in the Azure portal but will be removed on February 15th, 2019. This article describes differences between the two experiences to help you transition from log search.

Filter results of a query

In Log Search, a list of filters is displayed as search results are delivered. Select a filter and click Apply to run the query with the selected filter.

Filters in Log Search

In Azure Monitor logs, select Filter (preview) to display filters. Click the filter icon to display additional filters. Select a filter and click Apply & Run to run the query with the selected filter.

Filters in Azure Monitor logs

Extract custom fields

In Log Search, you extract custom fields from the List view, where a field's menu includes the action Extract fields from Table.

Extract fields in Log Search

In Azure Monitor logs, you extract custom fields from the table view. Expand a record by clicking the arrow to its left, then click the ellipsis to access the Extract fields action.

Extract fields in Azure Monitor logs

Functions and computer groups

To save a search in Log Search, select Saved searches and Add to provide a name, category, and query text. Create a computer group by adding a function alias.

Save a log search

To save the current query in Azure Monitor logs, select Save. Change Save as to Function and provide a Function Alias to create a function. Select Save this query as a computer group to use the function alias for a computer group.

Save a log query

Saved queries

In Log Search, your saved queries are available through the action bar item Saved searches. In Azure Monitor logs, access saved queries from Query Explorer.

Query Explorer

Drill down on summarized rows

In Log Search, you can click a row in a summarized query to launch another query that lists the detailed records in that row.

Log Search drill-down

In Azure Monitor logs, you must modify the query to return these records. Expand one of the rows in the results and click the + next to the value to add it to the query. Then comment out the summarize command and run the query again.

Azure Monitor logs drill-down
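The drill-down steps above, written out as an added example that is not part of the original article: a summarized query followed by its modified form. The SecurityEvent table, the failed-logon filter, and the account and computer values are constructed for illustration, and the two `where` lines are an assumed form of the filters that the + button adds.

```kusto
// Summarized query: failed logons per account and computer over the last day.
SecurityEvent
| where TimeGenerated > ago(1d)
| where EventID == 4625
| summarize FailedLogons = count() by Account, Computer

// Drill-down on one summarized row: the values from that row are added as
// filters and the summarize command is commented out, so the query returns
// the detailed records behind the count instead of the count itself.
SecurityEvent
| where TimeGenerated > ago(1d)
| where EventID == 4625
| where Account == @"CONTOSO\svc-backup"    // constructed sample value
| where Computer == "dc01.contoso.example"  // constructed sample value
// | summarize FailedLogons = count() by Account, Computer
| sort by TimeGenerated desc
```

Run each query separately; removing the comment markers from the summarize line restores the summarized view with the same filters applied.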

Take action

In Log Search, you can start a runbook from a search result by selecting Take action.

Take action

In Azure Monitor logs, create an alert from the log query. Configure an action group with one or more actions that will run in response to the alert.

Action group

Next steps