ATCExpressRouteCircuitIpfix 表查询

有关在 Azure 门户中使用这些查询的信息,请参阅 Log Analytics 教程。 有关 REST API,请参阅查询

获取最活跃的通信者

在定义的时间段内列出前 10 个主要通信者。

let windowStart = ago(2h);
let windowEnd = ago(1h);
let topN = 10; // Number of top-talker tuples to chart; change to show more or fewer series
let tupleKind = "5"; // "5" keys on SrcIP/SrcPort/DestIP/DestPort/Protocol, "3" on SrcIP/DestIP/Protocol
let flows = ATCExpressRouteCircuitIpfix
| where FlowRecordTime between (windowStart .. windowEnd) // inclusive on both ends
| extend
    3tuple = strcat("SrcIP:", SourceIp, " DestIP:", DestinationIp, " Protocol:", Protocol),
    5tuple = strcat("SrcIP:", SourceIp, " SourcePort:", SourcePort, " DestIP:", DestinationIp, " DestPort:", DestinationPort, " Protocol:", Protocol),
    TotalBytes = (NumberOfBytes + (14 * NumberOfPackets)) * 4096 // Circuit bandwidth estimate: payload bytes plus 14 header bytes per packet, scaled by 4096, the ERTC sampling rate
| summarize hint.strategy=shuffle arg_max(FlowRecordTime, *) by 5tuple, TotalBytes, 3tuple, Flowsequence // keep the latest record per (tuple, bytes, flow sequence)
| extend tuple = iff(tupleKind == "3", 3tuple, 5tuple); // the grouping key used by everything below
let topTuples = flows
| summarize sum(TotalBytes) by tuple
| top topN by sum_TotalBytes desc; // the topN heaviest tuples over the whole window
topTuples
| join kind=inner (
    flows
    | summarize sum(TotalBytes) by bin(FlowRecordTime, 5m), tuple // 5-minute series for the same tuples
) on $left.tuple == $right.tuple
| extend TotalBytes = sum_TotalBytes1 // per-bucket total; the whole-window total (sum_TotalBytes) is dropped below
| project-away sum_TotalBytes, sum_TotalBytes1, tuple1
| render columnchart with(kind=unstacked)

按源端口和目标端口获取主要通信者

列出在定义时间段内基于源端口和目标端口的前 10 个主要通信者。

let windowStart = ago(2h);
let windowEnd = ago(1h);
let topN = 10; // Number of ports to chart
let portSide = "Source"; // "Source" ranks by SourcePort; set to "Dest" to rank by DestinationPort
let flows = ATCExpressRouteCircuitIpfix
| where FlowRecordTime between (windowStart .. windowEnd) // inclusive on both ends
| extend
    5tuple = strcat("SrcIP:", SourceIp, " SourcePort:", SourcePort, " DestIP:", DestinationIp, " DestPort:", DestinationPort, " Protocol:", Protocol),
    TotalBytes = (NumberOfBytes + (14 * NumberOfPackets)) * 4096 // Circuit bandwidth estimate: payload bytes plus 14 header bytes per packet, scaled by 4096, the ERTC sampling rate
| summarize hint.strategy=shuffle arg_max(FlowRecordTime, *) by 5tuple, TotalBytes, SourcePort, DestinationPort, Flowsequence // keep the latest record per (tuple, bytes, ports, flow sequence)
| extend port = iff(portSide == "Source", SourcePort, DestinationPort); // the port column the ranking is keyed on
let topPorts = flows
| summarize sum(TotalBytes) by port
| top topN by sum_TotalBytes desc; // the topN heaviest ports over the whole window
topPorts
| join kind=inner (
    flows
    | summarize sum(TotalBytes) by bin(FlowRecordTime, 5m), port // 5-minute series for those ports
) on $left.port == $right.port
| extend TotalBytes = sum_TotalBytes1, Port = strcat("Port:", port1) // per-bucket total, labelled port for the legend
| project-away sum_TotalBytes, sum_TotalBytes1, port, port1
| render columnchart with(kind=unstacked)

获取总带宽使用量

获取指定时间范围内使用的总带宽的报告。

let windowStart = ago(2h);
let windowEnd = ago(1h);
ATCExpressRouteCircuitIpfix
| where FlowRecordTime between (windowStart .. windowEnd) // inclusive on both ends
| extend
    5tuple = strcat("SrcIP:", SourceIp, " SourcePort:", SourcePort, " DestIP:", DestinationIp, " DestPort:", DestinationPort, " Protocol:", Protocol),
    TotalBytes = (NumberOfBytes + (14 * NumberOfPackets)) * 4096 // Circuit bandwidth estimate: payload bytes plus 14 header bytes per packet, scaled by 4096, the ERTC sampling rate
| summarize hint.strategy=shuffle arg_max(FlowRecordTime, *) by 5tuple, TotalBytes, Flowsequence // keep the latest record per (tuple, bytes, flow sequence)
| summarize sum(TotalBytes) by bin(FlowRecordTime, 1m) // per-minute circuit total
| extend TotalGB = toint(sum_TotalBytes / 1024 / 1024 / 1024) // bytes to whole gigabytes; fractional gigabytes are dropped, so a minute under 1 GB charts as 0
| project-away sum_TotalBytes
| render columnchart