Azure Monitor 日志中的搜索查询Search queries in Azure Monitor logs

Azure Monitor 日志查询可以从表名或 search 命令开始。Azure Monitor log queries can start with either a table name or a search command. 本教程介绍基于搜索的查询。This tutorial covers search-based queries. 每种方法各有优势。There are advantages to each method.

基于表的查询首先限定查询范围,因此往往比搜索查询更加高效。Table-based queries start by scoping the query and therefore tend to be more efficient than search queries. 搜索查询的结构化程度不高,因此,在跨列或表搜索特定的值时,它是更好的选择。Search queries are less structured which makes them the better choice when searching for a specific value across columns or tables. 搜索可以在给定表或所有表的所有列中扫描指定的值。search can scan all columns in a given table, or in all tables, for the specified value. 处理的数据量可能十分巨大,正因如此,这些查询可能需要更长的时间才能完成,并且可能返回极大的结果集。The amount of data being processed could be enormous, which is why these queries could take longer to complete and might return very large result sets.

搜索词语Search a term

search 命令通常用于搜索特定的词语。The search command is typically used to search a specific term. 以下示例在所有表的所有列中扫描词语“error”:In the following example, all columns in all tables are scanned for the term "error":

search "error"
| take 100

如上所示的无范围查询尽管用法简单,但并不高效,且可能返回大量不相关的结果。While they're easy to use, unscoped queries like the one showed above are not efficient and are likely to return many irrelevant results. 更好的做法是在相关表甚至特定的列中执行搜索。A better practice would be to search in the relevant table, or even a specific column.

表范围限定Table scoping

若要在特定的表中搜索某个词语,请紧靠在 search 运算符的后面添加 in (table-name)To search a term in a specific table, add in (table-name) just after the search operator:

search in (Event) "error"
| take 100

或者在多个表中:or in multiple tables:

search in (Event, SecurityEvent) "error"
| take 100

表和列范围限定Table and column scoping

默认情况下,search 将评估数据集中的所有列。By default, search will evaluate all columns in the data set. 如果只想搜索特定的列,请使用以下语法:To search only a specific column, use this syntax:

search in (Event) Source:"error"
| take 100

Tip

如果使用 == 而不是 :,则结果将包含如下所述的记录:其中的 Source 列包含确切值“error”(大小写完全与此相同)。If you use == instead of :, the results would include records in which the Source column has the exact value "error", and in this exact case. 使用“:”将包括其 Source 具有“错误代码 404”或“错误”等值的记录。Using ':' will include records where Source has values such as "error code 404" or "Error".

区分大小写Case-sensitivity

默认情况下,词语搜索不区分大小写,因此,搜索“dns”可能会产生“DNS”、“dns”或“Dns”等结果。By default, term search is case-insensitive, so searching "dns" could yield results such as "DNS", "dns", or "Dns". 若要执行区分大小写的搜索,请使用 kind 选项:To make the search case-sensitive, use the kind option:

search kind=case_sensitive in (Event) "DNS"
| take 100

使用通配符Use wild cards

search 命令支持在词语的开头、末尾或中间使用通配符。The search command supports wild cards, at the beginning, end or middle of a term.

若要搜索以“win”开头的词语:To search terms that start with "win":

search in (Event) "win*"
| take 100

若要搜索以“.com”结尾的词语:To search terms that end with ".com":

search in (Event) "*.com"
| take 100

若要搜索包含“www”的词语:To search terms that contain "www":

search in (Event) "*www*"
| take 100

若要搜索词以“corp”开头、以“.com”结尾的词语(例如“corp.mydomain.com”)To search terms that starts with "corp" and ends in ".com", such as "corp.mydomain.com""

search in (Event) "corp*.com"
| take 100

此外,可以只使用通配符来获取表中的所有内容:search in (Event) *,但结果与只是编写 Event 相同。You can also get everything in a table by using just a wild card: search in (Event) *, but that would be the same as writing just Event.

Tip

尽管可以使用 search * 来获取每个表中的每个列,但我们建议始终将查询范围限定为特定的表。While you can use search * to get every column from every table, it's recommended that you always scope your queries to specific tables. 无范围查询可能需要花费一段时间才能完成,并且可能返回过多的结果。Unscoped queries may take a while to complete and might return too many results.

and / or 添加到搜索查询Add and / or to search queries

使用 and 可以搜索包含多个词语的记录:Use and to search for records that contain multiple terms:

search in (Event) "error" and "register"
| take 100

使用 or 可以获取至少包含一个词语的记录:Use or to get records that contain at least one of the terms:

search in (Event) "error" or "register"
| take 100

如果有多个搜索条件,可以使用括号将其合并到同一个查询:If you have multiple search conditions, you can combine them into the same query using parentheses:

search in (Event) "error" and ("register" or "marshal*")
| take 100

此示例的结果是既包含词语“error”,也包含“register”或者以“marshal”开头的内容的记录。The results of this example would be records that contain the term "error" and also contain either "register" or something that starts with "marshal".

使用竖线分隔搜索查询Pipe search queries

与其他任何命令一样,可以使用竖线分隔 search,以便可以筛选、排序和聚合搜索结果。Just like any other command, search can be piped so search results can be filtered, sorted, and aggregated. 例如,若要获取包含“win”的 Event 记录数:For example, to get the number of Event records that contain "win":

search in (Event) "win"
| count

后续步骤Next steps