用于 Azure Monitor 日志查询的资源管理器模板示例

  • 项目

本文包含用于在 Azure Monitor 中创建和配置日志查询的 Azure 资源管理器模板示例。 每个示例都包含模板文件和参数文件,其中包含要提供给模板的示例值。

注意

有关可用示例的列表以及在 Azure 订阅中部署这些示例的指南,请参阅 Azure Monitor 的 Azure 资源管理器示例

模板参考

简单日志查询

以下示例会将日志查询添加到 Log Analytics 工作区。

模板文件

@description('The name of the workspace.')
param workspaceName string

@description('The location of the resources.')
param location string = resourceGroup().location

resource workspace 'Microsoft.OperationalInsights/workspaces@2021-12-01-preview' = {
  name: workspaceName
  location: location
}

resource savedSearch 'Microsoft.OperationalInsights/workspaces/savedSearches@2020-08-01' = {
  parent: workspace
  name: 'VMSS query'
  properties: {
    etag: '*'
    displayName: 'VMSS Instance Count'
    category: 'VMSS'
    query: 'Event | where Source == "ServiceFabricNodeBootstrapAgent" | summarize AggregatedValue = count() by Computer'
    version: 1
  }
}

参数文件

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "value": "MyWorkspace"
    },
    "location": {
      "value": "chinaeast2"
    }
  }
}

函数形式的日志查询

以下示例会将日志查询作为函数添加到 Log Analytics 工作区。

模板文件

@description('The name of the workspace.')
param workspaceName string

@description('The location of the resources.')
param location string = resourceGroup().location

resource workspace 'Microsoft.OperationalInsights/workspaces@2021-12-01-preview' = {
  name: workspaceName
  location: location
}

resource savedSearch 'Microsoft.OperationalInsights/workspaces/savedSearches@2020-08-01' = {
  parent: workspace
  name: 'VMSS query'
  properties: {
    etag: '*'
    displayName: 'VMSS Instance Count'
    category: 'VMSS'
    query: 'Event | where Source == "ServiceFabricNodeBootstrapAgent" | summarize AggregatedValue = count() by Computer'
    version: 1
  }
}

参数文件

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "value": "MyWorkspace"
    },
    "location": {
      "value": "chinaeast2"
    }
  }
}

参数化函数

以下示例会将日志查询作为使用参数的函数添加到 Log Analytics 工作区。 它还会添加第二个使用参数化函数的日志查询。

注意

资源模板是目前唯一可用于参数化函数的方法。 一旦将函数安装到工作区中,任何日志查询都可以使用该函数。

模板文件

param workspaceName string
param location string

resource workspace 'Microsoft.OperationalInsights/workspaces@2021-12-01-preview' = {
  name: workspaceName
  location: location
}

resource parameterizedFunctionSavedSearch 'Microsoft.OperationalInsights/workspaces/savedSearches@2020-08-01' = {
  parent: workspace
  name: 'Parameterized function'
  properties: {
    etag: '*'
    displayName: 'Unavailable computers function'
    category: 'Samples'
    functionAlias: 'UnavailableComputers'
    functionParameters: 'argSpan: timespan'
    query: ' Heartbeat | summarize LastHeartbeat=max(TimeGenerated) by Computer| where LastHeartbeat < ago(argSpan)'
  }
}

resource queryUsingFunctionSavedSearch 'Microsoft.OperationalInsights/workspaces/savedSearches@2020-08-01' = {
  parent: workspace
  name: 'Query using function'
  properties: {
    etag: '*'
    displayName: 'Unavailable computers'
    category: 'Samples'
    query: 'UnavailableComputers(7days)'
  }
}

参数文件

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "value": "MyWorkspace"
    },
    "location": {
      "value": "chinaeast2"
    }
  }
}

后续步骤