Create custom fields in a Log Analytics workspace in Azure Monitor (Preview)


This article describes how to parse text data in a Log Analytics workspace as it's collected. We recommend parsing text data in a query filter after it's collected, following the guidance described in Parse text data in Azure Monitor. That approach provides several advantages over using custom fields.


Custom fields increase the amount of data collected in the Log Analytics workspace, which can increase your cost. See Manage usage and costs with Azure Monitor Logs for details.

The Custom Fields feature of Azure Monitor allows you to extend existing records in your Log Analytics workspace by adding your own searchable fields. Custom fields are automatically populated from data extracted from other properties in the same record.


For example, the sample record below has useful data buried in the event description. Extracting this data into a separate property makes it available for such actions as sorting and filtering.



In the Preview, you are limited to 100 custom fields in your workspace. This limit will be expanded when this feature reaches general availability.

Creating a custom field

When you create a custom field, Log Analytics must understand which data to use to populate its value. It uses a technology from Microsoft Research called FlashExtract to quickly identify this data. Rather than requiring you to provide explicit instructions, Azure Monitor learns about the data you want to extract from examples that you provide.

The following sections provide the procedure for creating a custom field. At the bottom of this article is a walkthrough of a sample extraction.


The custom field is populated as records matching the specified criteria are added to the Log Analytics workspace, so it will only appear on records collected after the custom field is created. The custom field will not be added to records that are already in the data store when it's created.

Step 1 - Identify records that will have the custom field

The first step is to identify the records that will get the custom field. You start with a standard log query and then select a record to act as the model that Azure Monitor will learn from. When you specify that you are going to extract data into a custom field, the Field Extraction Wizard opens, where you validate and refine the criteria.

  1. Go to Logs and use a query to retrieve the records that will have the custom field.
  2. Select a record that Log Analytics will use to act as a model for extracting data to populate the custom field. You will identify the data that you want to extract from this record, and Log Analytics will use this information to determine the logic to populate the custom field for all similar records.
  3. Expand the record properties, click the ellipsis to the left of the top property of the record, and select Extract fields from.
  4. The Field Extraction Wizard is opened, and the record you selected is displayed in the Main Example column. The custom field will be defined for those records with the same values in the properties that are selected.
  5. If the selection is not exactly what you want, select additional fields to narrow the criteria. In order to change the field values for the criteria, you must cancel and select a different record matching the criteria you want.

Step 2 - Perform initial extract

Once you've identified the records that will have the custom field, you identify the data that you want to extract. Log Analytics will use this information to identify similar patterns in similar records. In the step after this, you will be able to validate the results and provide further details for Log Analytics to use in its analysis.

  1. Highlight the text in the sample record that you want to populate the custom field. You will then be presented with a dialog box to provide a name and data type for the field and to perform the initial extract. The characters _CF will automatically be appended.
  2. Click Extract to perform an analysis of collected records.
  3. The Summary and Search Results sections display the results of the extract so you can inspect its accuracy. Summary displays the criteria used to identify records and a count for each of the data values identified. Search Results provides a detailed list of records matching the criteria.

Step 3 - Verify accuracy of the extract and create custom field

Once you have performed the initial extract, Log Analytics will display its results based on data that has already been collected. If the results look accurate, you can create the custom field with no further work. If not, you can refine the results so that Log Analytics can improve its logic.

  1. If any values in the initial extract aren't correct, click the Edit icon next to an inaccurate record and select Modify this highlight in order to modify the selection.
  2. The entry is copied to the Additional examples section underneath the Main Example. You can adjust the highlight here to help Log Analytics understand the selection it should have made.
  3. Click Extract to use this new information to evaluate all the existing records. Based on this new intelligence, the results may also change for records other than the one you just modified.
  4. Continue to add corrections until all records in the extract correctly identify the data to populate the new custom field.
  5. Click Save Extract when you are satisfied with the results. The custom field is now defined, but it won't be added to any records yet.
  6. Wait for new records matching the specified criteria to be collected and then run the log search again. New records should have the custom field.
  7. Use the custom field like any other record property. You can use it to aggregate and group data and even use it to produce new insights.

Viewing custom fields

You can view a list of all custom fields in your management group from the Advanced Settings menu of your Log Analytics workspace in the Azure portal. Select Data and then Custom fields for a list of all custom fields in your workspace.


Removing a custom field

There are two ways to remove a custom field. The first is the Remove option for each field when viewing the complete list as described above. The other method is to retrieve a record and click the button to the left of the field. The menu will have an option to remove the custom field.

Sample walkthrough

The following section walks through a complete example of creating a custom field. This example extracts the service name in Windows events that indicate a service changing state. This relies on events created by Service Control Manager during system startup on Windows computers. If you want to follow this example, you must be collecting Information events for the System log.

We enter the following query to return all events from Service Control Manager that have an Event ID of 7036, which is the event that indicates a service starting or stopping.


We then select and expand any record with event ID 7036.


We define custom fields by clicking the ellipsis next to the top property.


The Field Extraction Wizard is opened, and the EventLog and EventID fields are selected in the Main Example column. This indicates that the custom field will be defined for events from the System log with an event ID of 7036. This is sufficient, so we don't need to select any other fields.


We highlight the name of the service in the RenderedDescription property and use Service to identify the service name. The custom field will be called Service_CF. The field type in this case is a string, so we can leave that unchanged.


We see that the service name is identified properly for some records but not for others. The Search Results show that part of the name for the WMI Performance Adapter wasn't selected. The Summary shows that one record identified Modules Installer instead of Windows Modules Installer.


We start with the WMI Performance Adapter record. We click its edit icon and then Modify this highlight.


We increase the highlight to include the word WMI and then rerun the extract.


We can see that the entries for WMI Performance Adapter have been corrected, and Log Analytics also used that information to correct the records for Windows Modules Installer.


We can now run a query that verifies Service_CF is created but is not yet added to any records. That's because the custom field doesn't work against existing records, so we need to wait for new records to be collected.


After some time has passed so new events are collected, we can see that the Service_CF field is now being added to records that match our criteria.


We can now use the custom field like any other record property. To illustrate this, we create a query that groups by the new Service_CF field to inspect which services are the most active.
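
The query-time parsing recommended at the top of this article, applied to the same event ID 7036 records, as an added example that is not part of the original article. It assumes the description text has the form "The <name> service entered the <state> state."; SampleEvents and its rows are constructed so the query runs without collected data, and replacing SampleEvents with Event runs it against the workspace, including records collected before any custom field existed.

```kusto
// Constructed sample rows shaped like the Event table (the last row is an unrelated event ID).
let SampleEvents = datatable(TimeGenerated:datetime, Computer:string, EventLog:string,
                             Source:string, EventID:int, RenderedDescription:string)
[
    datetime(2024-03-01 08:00:05), "srv01", "System", "Service Control Manager", 7036,
        "The WMI Performance Adapter service entered the running state.",
    datetime(2024-03-01 08:00:09), "srv01", "System", "Service Control Manager", 7036,
        "The Windows Modules Installer service entered the running state.",
    datetime(2024-03-01 08:10:41), "srv01", "System", "Service Control Manager", 7036,
        "The WMI Performance Adapter service entered the stopped state.",
    datetime(2024-03-01 08:12:00), "srv02", "System", "Service Control Manager", 7036,
        "The WMI Performance Adapter service entered the running state.",
    datetime(2024-03-01 08:12:30), "srv02", "System", "Service Control Manager", 7040,
        "Constructed description for an unrelated event."
];
SampleEvents
// Same criteria the wizard selected: System log, event ID 7036.
| where EventLog == "System" and Source == "Service Control Manager" and EventID == 7036
// Capture everything between the fixed phrases, so multi-word service names stay whole.
| parse RenderedDescription with "The " Service " service entered the " State " state."
// Rows whose description did not match the pattern leave Service empty; drop them.
| where isnotempty(Service)
// Group by the parsed name to see which services change state most often.
| summarize Changes = count(), LastChange = max(TimeGenerated) by Service, State
| order by Changes desc
```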

