Log query scope and time range in Azure Monitor Log Analytics

When you run a log query in Log Analytics in the Azure portal, the set of data evaluated by the query depends on the scope and the time range that you select. This article describes the scope and time range and how you can set each depending on your requirements. It also describes the behavior of different types of scopes.

Query scope

The query scope defines the records that are evaluated by the query. This will usually include all records in a single Log Analytics workspace or Application Insights application. Log Analytics also allows you to set a scope for a particular monitored Azure resource. This allows a resource owner to focus only on their data, even if that resource writes to multiple workspaces.

The scope is always displayed at the top left of the Log Analytics window. An icon indicates whether the scope is a Log Analytics workspace or an Application Insights application. No icon indicates another Azure resource.

[Image: Scope displayed in portal]

The scope is determined by the method you use to start Log Analytics, and in some cases you can change the scope by clicking on it. The following table lists the different types of scope used and different details for each.

| Query scope | Records in scope | How to select | Changing Scope |
|---|---|---|---|
| Log Analytics workspace | All records in the Log Analytics workspace. | Select Logs from the Azure Monitor menu or the Log Analytics workspaces menu. | Can change scope to any other resource type. |
| Application Insights application | All records in the Application Insights application. | Select Logs from the Application Insights menu for the application. | Can only change scope to another Application Insights application. |
| Resource group | Records created by all resources in the resource group. May include data from multiple Log Analytics workspaces. | Select Logs from the resource group menu. | Cannot change scope. |
| Subscription | Records created by all resources in the subscription. May include data from multiple Log Analytics workspaces. | Select Logs from the subscription menu. | Cannot change scope. |
| Other Azure resources | Records created by the resource. May include data from multiple Log Analytics workspaces. | Select Logs from the resource menu, OR select Logs from the Azure Monitor menu and then select a new scope. | Can only change scope to same resource type. |

Limitations when scoped to a resource

When the query scope is a Log Analytics workspace or an Application Insights application, all options in the portal and all query commands are available. When scoped to a resource though, the following options in the portal are not available because they're associated with a single workspace or application:

  • Save
  • Query explorer
  • New alert rule

You can't use the following commands in a query when scoped to a resource since the query scope will already include any workspaces with data for that resource or set of resources:

Query limits

You may have business requirements for an Azure resource to write data to multiple Log Analytics workspaces. The workspace doesn't need to be in the same region as the resource, and a single workspace might gather data from resources in a variety of regions.

Setting the scope to a resource or set of resources is a particularly powerful feature of Log Analytics since it allows you to automatically consolidate distributed data in a single query. It can significantly affect performance though if data needs to be retrieved from workspaces across multiple Azure regions.

Log Analytics helps protect against excessive overhead from queries that span workspaces in multiple regions by issuing a warning or error when a certain number of regions are being used. Your query will receive a warning if the scope includes workspaces in 5 or more regions. It will still run, but it may take excessive time to complete.

[Image: Query warning]

Your query will be blocked from running if the scope includes workspaces in 20 or more regions. In this case you will be prompted to reduce the number of workspace regions and attempt to run the query again. The dropdown will display all of the regions in the scope of the query, and you should reduce the number of regions before attempting to run the query again.

[Image: Query failed]

Time range

The time range specifies the set of records that are evaluated for the query based on when the record was created. This is defined by a standard column on every record in the workspace or application as specified in the following table.

| Location | Column |
|---|---|
| Log Analytics workspace | TimeGenerated |
| Application Insights application | timestamp |

Set the time range by selecting it from the time picker at the top of the Log Analytics window. You can select a predefined period or select Custom to specify a specific time range.

[Image: Time picker]

If you set a filter in the query that uses the standard time column as shown in the table above, the time picker changes to Set in query, and the time picker is disabled. In this case, it's most efficient to put the filter at the top of the query so that any subsequent processing only needs to work with the filtered records.

[Image: Filtered query]

If you use the workspace or app command to retrieve data from another workspace or application, the time picker may behave differently. If the scope is a Log Analytics workspace and you use app, or if the scope is an Application Insights application and you use workspace, then Log Analytics may not understand that the column used in the filter should determine the time filter.

In the following example, the scope is set to a Log Analytics workspace. The query uses workspace to retrieve data from another Log Analytics workspace. The time picker changes to Set in query because it sees a filter that uses the expected TimeGenerated column.

[Image: Query with workspace]

If the query uses app to retrieve data from an Application Insights application though, Log Analytics doesn't recognize the timestamp column in the filter, and the time picker remains unchanged. In this case, both filters are applied. In the example, only records created in the last 24 hours are included in the query even though it specifies 7 days in the where clause.

[Image: Query with app]
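
The three time-filter cases described in this section, written out as queries. This is an added example, not taken from the original article: the workspace name `contoso-workspace-2` and the application name `contoso-appinsights` are placeholders, the scope is assumed to be a Log Analytics workspace, and the time picker is assumed to be set to Last 24 hours.

```kusto
// Run each query separately. Scope: a Log Analytics workspace.
// Time picker before running: Last 24 hours (assumption).

// Case 1: filter on the scope's standard time column, placed first.
// The time picker changes to "Set in query" and is disabled, and every
// later operator only processes records from the last 7 days.
Heartbeat
| where TimeGenerated > ago(7d)
| summarize Heartbeats = count() by Computer

// Case 2: workspace() pulls data from another Log Analytics workspace.
// The filter still uses TimeGenerated, so the picker again changes to
// "Set in query" and the 7-day window is the one that applies.
// "contoso-workspace-2" is a placeholder name.
workspace("contoso-workspace-2").Heartbeat
| where TimeGenerated > ago(7d)
| summarize Heartbeats = count() by Computer

// Case 3: app() pulls data from an Application Insights application.
// The filter uses timestamp, which is not the standard column for a
// workspace scope, so the picker stays at Last 24 hours and BOTH
// filters are applied.
// "contoso-appinsights" is a placeholder name.
app("contoso-appinsights").requests
| where timestamp > ago(7d)
| summarize Oldest = min(timestamp), Newest = max(timestamp), Requests = count()
// Oldest is no earlier than 24 hours ago, despite ago(7d) in the where
// clause. To cover the full 7 days, set the time picker to at least
// Last 7 days before running.
```

Summarizing the minimum and maximum of the time column, as in Case 3, is a quick way to confirm which window a query actually covered before relying on its results.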

Next steps