用于 Azure Monitor 日志查询的资源管理器模板示例
本文包含用于在 Azure Monitor 中创建和配置日志查询的 Azure 资源管理器模板示例。 每个示例都包含模板文件和参数文件,其中包含要提供给模板的示例值。
注意
有关可用示例的列表以及在 Azure 订阅中部署这些示例的指南,请参阅 Azure Monitor 的 Azure 资源管理器示例。
模板参考
简单日志查询
以下示例会将日志查询添加到 Log Analytics 工作区。
模板文件
@description('The name of the workspace.')
param workspaceName string
@description('The location of the resources.')
param location string = resourceGroup().location
resource workspace 'Microsoft.OperationalInsights/workspaces@2021-12-01-preview' = {
name: workspaceName
location: location
}
resource savedSearch 'Microsoft.OperationalInsights/workspaces/savedSearches@2020-08-01' = {
parent: workspace
name: 'VMSS query'
properties: {
etag: '*'
displayName: 'VMSS Instance Count'
category: 'VMSS'
query: 'Event | where Source == "ServiceFabricNodeBootstrapAgent" | summarize AggregatedValue = count() by Computer'
version: 1
}
}
参数文件
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspaceName": {
"value": "MyWorkspace"
},
"location": {
"value": "chinaeast2"
}
}
}
函数形式的日志查询
以下示例会将日志查询作为函数添加到 Log Analytics 工作区。
模板文件
@description('The name of the workspace.')
param workspaceName string
@description('The location of the resources.')
param location string = resourceGroup().location
resource workspace 'Microsoft.OperationalInsights/workspaces@2021-12-01-preview' = {
name: workspaceName
location: location
}
resource savedSearch 'Microsoft.OperationalInsights/workspaces/savedSearches@2020-08-01' = {
parent: workspace
name: 'VMSS query'
properties: {
etag: '*'
displayName: 'VMSS Instance Count'
category: 'VMSS'
query: 'Event | where Source == "ServiceFabricNodeBootstrapAgent" | summarize AggregatedValue = count() by Computer'
version: 1
}
}
参数文件
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspaceName": {
"value": "MyWorkspace"
},
"location": {
"value": "chinaeast2"
}
}
}
参数化函数
以下示例会将日志查询作为使用参数的函数添加到 Log Analytics 工作区。 它还会添加第二个使用参数化函数的日志查询。
注意
资源模板是目前唯一可用于参数化函数的方法。 一旦将函数安装到工作区中,任何日志查询都可以使用该函数。
模板文件
param workspaceName string
param location string
resource workspace 'Microsoft.OperationalInsights/workspaces@2021-12-01-preview' = {
name: workspaceName
location: location
}
resource parameterizedFunctionSavedSearch 'Microsoft.OperationalInsights/workspaces/savedSearches@2020-08-01' = {
parent: workspace
name: 'Parameterized function'
properties: {
etag: '*'
displayName: 'Unavailable computers function'
category: 'Samples'
functionAlias: 'UnavailableComputers'
functionParameters: 'argSpan: timespan'
query: ' Heartbeat | summarize LastHeartbeat=max(TimeGenerated) by Computer| where LastHeartbeat < ago(argSpan)'
}
}
resource queryUsingFunctionSavedSearch 'Microsoft.OperationalInsights/workspaces/savedSearches@2020-08-01' = {
parent: workspace
name: 'Query using function'
properties: {
etag: '*'
displayName: 'Unavailable computers'
category: 'Samples'
query: 'UnavailableComputers(7days)'
}
}
参数文件
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspaceName": {
"value": "MyWorkspace"
},
"location": {
"value": "chinaeast2"
}
}
}