Kueri untuk tabel AzureDiagnostics
Kueri untuk microsoft.automation
Kesalahan dalam pekerjaan otomatisasi
Temukan kesalahan pelaporan log dalam pekerjaan otomatisasi dari hari terakhir.
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.AUTOMATION"
| where StreamType_s == "Error"
| project TimeGenerated, Category, JobId_g, OperationName, RunbookName_s, ResultDescription
Menemukan kesalahan pelaporan log dalam pekerjaan otomatisasi dari hari terakhir
Cantumkan semua kesalahan dalam pekerjaan otomatisasi.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.AUTOMATION"
| where StreamType_s == "Error"
| project TimeGenerated, Category, JobId_g, OperationName, RunbookName_s, ResultDescription, _ResourceId
Azure Automation pekerjaan yang gagal, ditangguhkan, atau dihentikan
Cantumkan semua pekerjaan otomatisasi yang gagal, ditangguhkan atau dihentikan.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.AUTOMATION" and Category == "JobLogs" and (ResultType == "Failed" or ResultType == "Stopped" or ResultType == "Suspended")
| project TimeGenerated , RunbookName_s , ResultType , _ResourceId , JobId_g
Runbook berhasil diselesaikan dengan kesalahan
Mencantumkan semua pekerjaan yang selesai dengan kesalahan.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.AUTOMATION" and Category == "JobStreams" and StreamType_s == "Error"
| project TimeGenerated , RunbookName_s , StreamType_s , _ResourceId , ResultDescription , JobId_g
Lihat status riwayat pekerjaan
Mencantumkan semua pekerjaan otomatisasi.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.AUTOMATION" and Category == "JobLogs" and ResultType != "started"
| summarize AggregatedValue = count() by ResultType, bin(TimeGenerated, 1h) , RunbookName_s , JobId_g, _ResourceId
Azure Automation pekerjaan yang Selesai
Cantumkan semua pekerjaan otomatisasi yang telah selesai.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.AUTOMATION" and Category == "JobLogs" and ResultType == "Completed"
| project TimeGenerated , RunbookName_s , ResultType , _ResourceId , JobId_g
Kueri untuk microsoft.batch
Tugas yang berhasil per pekerjaan
Menyediakan jumlah tugas yang berhasil per pekerjaan.
AzureDiagnostics
| where OperationName=="TaskCompleteEvent"
| where executionInfo_exitCode_d==0 // Your application may use an exit code other than 0 to denote a successful operation
| summarize successfulTasks=count(id_s) by jobId=jobId_s
Tugas yang gagal per pekerjaan
Lists tugas yang gagal oleh pekerjaan induk.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where OperationName=="TaskFailEvent"
| summarize failedTaskList=make_list(id_s) by jobId=jobId_s, ResourceId
Durasi tugas
Memberikan waktu tugas yang berlalu dalam hitungan detik, dari tugas mulai hingga tugas selesai.
AzureDiagnostics
| where OperationName=="TaskCompleteEvent"
| extend taskId=id_s, ElapsedTime=datetime_diff('second', executionInfo_endTime_t, executionInfo_startTime_t) // For longer running tasks, consider changing 'second' to 'minute' or 'hour'
| summarize taskList=make_list(taskId) by ElapsedTime
Mengubah ukuran kumpulan
Mencantumkan waktu perubahan ukuran menurut kumpulan dan kode hasil (berhasil atau gagal).
AzureDiagnostics
| where OperationName=="PoolResizeCompleteEvent"
| summarize operationTimes=make_list(startTime_s) by poolName=id_s, resultCode=resultCode_s
Kegagalan pengurangan ukuran kumpulan
Mencantumkan perubahan ukuran kumpulan kegagalan berdasarkan kode kesalahan dan waktu.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where OperationName=="PoolResizeCompleteEvent"
| where resultCode_s=="Failure" // Filter only on failed pool resizes
| summarize by poolName=id_s, resultCode=resultCode_s, resultMessage=resultMessage_s, operationTime=startTime_s, ResourceId
Kueri untuk microsoft.cdn
[Microsoft CDN (klasik)] Permintaan per jam
Bagan garis render memperlihatkan total permintaan per jam.
// Summarize number of requests per hour
// Change bins resolution from 1hr to 5m to get real time results)
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where OperationName == "Microsoft.Cdn/Profiles/AccessLog/Write" and Category == "AzureCdnAccessLog"
| where isReceivedFromClient_b == "true"
| summarize RequestCount = count() by bin(TimeGenerated, 1h), Resource, _ResourceId
| render timechart
[Microsoft CDN (klasik)] Lalu lintas menurut URL
Perlihatkan jalan keluar dari tepi CDN menurut URL.
// Change bins resolution from 1 hour to 5 minutes to get real time results)
// CDN edge response traffic by URL
AzureDiagnostics
| where OperationName == "Microsoft.Cdn/Profiles/AccessLog/Write" and Category == "AzureCdnAccessLog"
| where isReceivedFromClient_b == true
| summarize ResponseBytes = sum(toint(responseBytes_s)) by requestUri_s
[Microsoft CDN (klasik)] Tingkat kesalahan 4XX berdasarkan URL
Tampilkan tingkat kesalahan 4XX berdasarkan URL.
// Request errors rate by URL
// Count number of requests with error responses by URL.
// Summarize number of requests by URL, and status codes are 4XX
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where OperationName == "Microsoft.Cdn/Profiles/AccessLog/Write" and Category == "AzureCdnAccessLog" and isReceivedFromClient_b == true
| extend Is4XX = (toint(httpStatusCode_s ) >= 400 and toint(httpStatusCode_s ) < 500)
| summarize 4xxrate = (1.0 * countif(Is4XX) / count()) * 100 by requestUri_s, bin(TimeGenerated, 1h), _ResourceId
[Microsoft CDN (klasik)] Meminta kesalahan oleh agen pengguna
Hitung jumlah permintaan dengan respons kesalahan oleh agen pengguna.
// Summarize number of requests per user agent and status codes >= 400
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where OperationName == "Microsoft.Cdn/Profiles/AccessLog/Write" and Category == "AzureCdnAccessLog"
| where isReceivedFromClient_b == true
| where toint(httpStatusCode_s) >= 400
| summarize RequestCount = count() by UserAgent = userAgent_s, StatusCode = httpStatusCode_s , Resource, _ResourceId
| order by RequestCount desc
[Microsoft CDN (klasik)] Jumlah permintaan 10 URL teratas
Tampilkan 10 URL teratas menurut jumlah permintaan.
// top URLs by request count
// Render line chart showing total requests per hour .
// Summarize number of requests per hour
AzureDiagnostics
| where OperationName == "Microsoft.Cdn/Profiles/AccessLog/Write" and Category == "AzureCdnAccessLog"
| where isReceivedFromClient_b == true
| summarize UserRequestCount = count() by requestUri_s
| order by UserRequestCount
| limit 10
[Microsoft CDN (klasik)] Jumlah permintaan IP unik
Tampilkan Jumlah permintaan IP unik.
AzureDiagnostics
| where OperationName == "Microsoft.Cdn/Profiles/AccessLog/Write"and Category == "AzureCdnAccessLog"
| where isReceivedFromClient_b == true
| summarize dcount(clientIp_s) by bin(TimeGenerated, 1h)
| render timechart
[Microsoft CDN (klasik)] 10 IP klien dan versi HTTP teratas
Tampilkan 10 IP klien dan versi http teratas.
// Top 10 client IPs and http versions
// Show top 10 client IPs and http versions.
// Summarize top 10 client ips and http versions
AzureDiagnostics
| where OperationName == "Microsoft.Cdn/Profiles/AccessLog/Write" and Category == "AzureCdnAccessLog"
| where isReceivedFromClient_b == true
| summarize RequestCount = count() by ClientIP = clientIp_s, HttpVersion = httpVersion_s, Resource
| top 10 by RequestCount
| order by RequestCount desc
[Azure Front Door Standard/Premium] 20 klien terblokir teratas berdasarkan IP dan aturan
Tampilkan 20 klien teratas yang diblokir berdasarkan IP dan nama aturan.
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.CDN" and Category == "FrontDoorWebApplicationFirewallLog"
| where action_s == "Block"
| summarize RequestCount = count() by ClientIP = clientIP_s, UserAgent = userAgent_s, RuleName = ruleName_s,Resource
| top 20 by RequestCount
| order by RequestCount desc
[Azure Front Door Standard/Premium] Permintaan untuk asal berdasarkan rute
Hitung jumlah permintaan untuk setiap rute dan asal per menit. Ringkas jumlah permintaan per menit untuk setiap rute dan asal.
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.CDN" and Category == "FrontDoorAccessLog"
| summarize RequestCount = count() by bin(TimeGenerated, 1m), Resource, RouteName = routingRuleName_s, originName = originName_s, ResourceId
[Azure Front Door Standard/Premium] Meminta kesalahan oleh agen pengguna
Hitung jumlah permintaan dengan respons kesalahan oleh agen pengguna. Ringkas jumlah permintaan per agen pengguna dan kode >status = 400.
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.CDN" and Category == "FrontDoorAccessLog"
| where toint(httpStatusCode_s) >= 400
| summarize RequestCount = count() by UserAgent = userAgent_s, StatusCode = httpStatusCode_s , Resource, ResourceId
| order by RequestCount desc
[Azure Front Door Standard/Premium] 10 IP klien dan versi http teratas
Tampilkan 10 IP klien teratas dan versi http menurut jumlah permintaan.
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.CDN" and Category == "FrontDoorAccessLog"
| summarize RequestCount = count() by ClientIP = clientIp_s, HttpVersion = httpVersion_s, Resource
|top 10 by RequestCount
| order by RequestCount desc
[Azure Front Door Standard/Premium] Meminta kesalahan menurut host dan jalur
Hitung jumlah permintaan dengan respons kesalahan menurut host dan jalur. Ringkas jumlah permintaan menurut kode >host, jalur, dan status = 400.
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.CDN" and Category == "FrontDoorAccessLog"
| where toint(httpStatusCode_s) >= 400
| extend ParsedUrl = parseurl(requestUri_s)
| summarize RequestCount = count() by Host = tostring(ParsedUrl.Host), Path = tostring(ParsedUrl.Path), StatusCode = httpStatusCode_s, ResourceId
| order by RequestCount desc
[Azure Front Door Standard/Premium] Jumlah permintaan yang diblokir firewall per jam
Hitung jumlah permintaan yang diblokir firewall per jam. Ringkas jumlah permintaan firewall yang diblokir per jam berdasarkan kebijakan.
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.CDN" and Category == "FrontDoorWebApplicationFirewallLog"
| where action_s == "Block"
| summarize RequestCount = count() by bin(TimeGenerated, 1h), Policy = policy_s, PolicyMode = policyMode_s, Resource, ResourceId
| order by RequestCount desc
[Azure Front Door Standard/Premium] Jumlah permintaan firewall menurut host, jalur, aturan, dan tindakan
Hitung permintaan yang diproses firewall berdasarkan host, jalur, aturan, dan tindakan yang diambil. Meringkas jumlah permintaan menurut host, jalur, aturan, dan tindakan.
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.CDN" and Category == "FrontDoorWebApplicationFirewallLog"
| extend ParsedUrl = parseurl(requestUri_s)
| summarize RequestCount = count() by Host = tostring(ParsedUrl.Host), Path = tostring(ParsedUrl.Path), RuleName = ruleName_s, Action = action_s, ResourceId
| order by RequestCount desc
[Azure Front Door Standard/Premium] Permintaan per jam
Bagan garis render memperlihatkan total permintaan per jam untuk setiap sumber daya FrontDoor.
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.CDN" and Category == "FrontDoorWebApplicationFirewallLog"
| summarize RequestCount = count() by bin(TimeGenerated, 1h), Resource, ResourceId
| render timechart
[Azure Front Door Standard/Premium] Jumlah permintaan 10 URL teratas
Tampilkan 10 URL teratas menurut jumlah permintaan.
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.CDN" and Category == "FrontDoorAccessLog"
| summarize UserRequestCount = count() by requestUri_s
| order by UserRequestCount
| limit 10
[Azure Front Door Standard/Premium] Jumlah permintaan 10 URL teratas
Tampilkan jalan keluar dari tepi AFD menurut URL. Ubah resolusi bin dari 1 jam ke 5m untuk mendapatkan hasil real time.
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.CDN" and Category == "FrontDoorAccessLog"
| summarize ResponseBytes = sum(toint(responseBytes_s)) by requestUri_s
[Azure Front Door Standard/Premium] Jumlah permintaan IP unik
Tampilkan jumlah permintaan IP unik.
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.CDN" and Category == "FrontDoorAccessLog"
| summarize dcount(clientIp_s) by bin(TimeGenerated, 1h)
| render timechart
Kueri untuk microsoft.containerservice
Temukan Di AzureDiagnostics
Temukan di AzureDiagnostics untuk mencari nilai tertentu dalam tabel AzureDiagnostics./nNote bahwa kueri ini memerlukan pembaruan <parameter SeachValue> untuk menghasilkan hasil
// This query requires a parameter to run. Enter value in SearchValue to find in table.
let SearchValue = "<SearchValue>";//Please update term you would like to find in the table.
AzureDiagnostics
| where ResourceProvider == "Microsoft.ContainerService"
| where * contains tostring(SearchValue)
| take 1000
Kueri untuk microsoft.dbformariadb
Waktu eksekusi melebihi ambang batas
Identifikasi kueri bahwa durasinya melebihi 10 detik.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider =="MICROSOFT.DBFORMARIADB"
| where Category == 'MySqlSlowLogs'
| project TimeGenerated, LogicalServerName_s, event_class_s, start_time_t , query_time_d, sql_text_s, ResourceId
| where query_time_d > 10 // You may change the time threshold
Perlihatkan kueri Paling Lambat
Identifikasi 5 kueri paling lambat teratas.
AzureDiagnostics
| where ResourceProvider =="MICROSOFT.DBFORMARIADB"
| where Category == 'MySqlSlowLogs'
| project TimeGenerated, LogicalServerName_s, event_class_s, start_time_t , query_time_d, sql_text_s
| top 5 by query_time_d desc
Perlihatkan statistik Kueri
Buat tabel statistik ringkasan menurut kueri.
AzureDiagnostics
| where ResourceProvider =="MICROSOFT.DBFORMARIADB"
| where Category == 'MySqlSlowLogs'
| project TimeGenerated, LogicalServerName_s, event_class_s, start_time_t , query_time_d, sql_text_s
| summarize count(), min(query_time_d), max(query_time_d), avg(query_time_d), stdev(query_time_d), percentile(query_time_d, 95) by LogicalServerName_s ,sql_text_s
| top 50 by percentile_query_time_d_95 desc
Meninjau peristiwa log audit di kelas GENERAL
Identifikasi peristiwa kelas umum untuk server Anda.
AzureDiagnostics
| where ResourceProvider =="MICROSOFT.DBFORMARIADB"
| where Category == 'MySqlAuditLogs' and event_class_s == "general_log"
| project TimeGenerated, LogicalServerName_s, event_class_s, event_subclass_s, event_time_t, user_s , ip_s , sql_text_s
| order by TimeGenerated asc
Meninjau peristiwa log audit di kelas CONNECTION
Identifikasi peristiwa terkait koneksi untuk server Anda.
AzureDiagnostics
| where ResourceProvider =="MICROSOFT.DBFORMARIADB"
| where Category == 'MySqlAuditLogs' and event_class_s == "connection_log"
| project TimeGenerated, LogicalServerName_s, event_class_s, event_subclass_s, event_time_t, user_s , ip_s , sql_text_s
| order by TimeGenerated asc
Kueri untuk microsoft.dbformysql
Waktu eksekusi melebihi ambang batas
Identifikasi kueri bahwa durasinya melebihi 10 detik.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.DBFORMYSQL"
| where Category == 'MySqlSlowLogs'
| project TimeGenerated, LogicalServerName_s, event_class_s, start_time_t , query_time_d, sql_text_s, ResourceId
| where query_time_d > 10 //You may change the time threshold
Perlihatkan kueri Paling Lambat
Identifikasi 5 kueri paling lambat teratas.
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.DBFORMYSQL"
| where Category == 'MySqlSlowLogs'
| project TimeGenerated, LogicalServerName_s, event_class_s, start_time_t , query_time_d, sql_text_s
| top 5 by query_time_d desc
Perlihatkan statistik Kueri
Buat tabel statistik ringkasan menurut kueri.
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.DBFORMYSQL"
| where Category == 'MySqlSlowLogs'
| project TimeGenerated, LogicalServerName_s, event_class_s, start_time_t , query_time_d, sql_text_s
| summarize count(), min(query_time_d), max(query_time_d), avg(query_time_d), stdev(query_time_d), percentile(query_time_d, 95) by LogicalServerName_s ,sql_text_s
| top 50 by percentile_query_time_d_95 desc
Meninjau peristiwa log audit di kelas GENERAL
Identifikasi peristiwa kelas umum untuk server Anda.
AzureDiagnostics
| where ResourceProvider =="MICROSOFT.DBFORMYSQL"
| where Category == 'MySqlAuditLogs' and event_class_s == "general_log"
| project TimeGenerated, LogicalServerName_s, event_class_s, event_subclass_s, event_time_t, user_s , ip_s , sql_text_s
| order by TimeGenerated asc
Meninjau peristiwa log audit di kelas CONNECTION
Identifikasi peristiwa terkait koneksi untuk server Anda.
AzureDiagnostics
| where ResourceProvider =="MICROSOFT.DBFORMYSQL"
| where Category == 'MySqlAuditLogs' and event_class_s == "connection_log"
| project TimeGenerated, LogicalServerName_s, event_class_s, event_subclass_s, event_time_t, user_s , ip_s , sql_text_s
| order by TimeGenerated asc
Kueri untuk microsoft.dbforpostgresql
Peristiwa autovacuum
Cari peristiwa autovacuum selama 24 jam terakhir. Ini memerlukan parameter 'log_autovacuum_min_duration' diaktifkan.
AzureDiagnostics
| where TimeGenerated > ago(1d)
| where ResourceProvider =="MICROSOFT.DBFORPOSTGRESQL"
| where Category == "PostgreSQLLogs"
| where Message contains "automatic vacuum"
Menghidupkan ulang server
Cari peristiwa server matikan dan server siap.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where TimeGenerated > ago(7d)
| where ResourceProvider =="MICROSOFT.DBFORPOSTGRESQL"
| where Category == "PostgreSQLLogs"
| where Message contains "database system was shut down at" or Message contains "database system is ready to accept"
Temukan Kesalahan
Cari kesalahan dalam 6 jam terakhir.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where TimeGenerated > ago(6h)
| where Category == "PostgreSQLLogs"
| where errorLevel_s contains "error"
Koneksi tidak sah
Cari upaya koneksi yang tidak sah (ditolak).
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider =="MICROSOFT.DBFORPOSTGRESQL"
| where Category == "PostgreSQLLogs"
| where Message contains "password authentication failed" or Message contains "no pg_hba.conf entry for host"
Kebuntuan
Cari peristiwa kebuntuan.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider =="MICROSOFT.DBFORPOSTGRESQL"
| where Category == "PostgreSQLLogs"
| where Message contains "deadlock detected"
Mengunci ketidaksesuaian
Cari ketidakcocokan kunci. Ini membutuhkan log_lock_waits=ON dan tergantung pada pengaturan deadlock_timeout.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider =="MICROSOFT.DBFORPOSTGRESQL"
| where Message contains "still waiting for ShareLock on transaction"
Log audit
Mendapatkan semua log audit. Ini mengharuskan log audit diaktifkan [https://docs.microsoft.com/azure/postgresql/concepts-audit].
AzureDiagnostics
| where ResourceProvider =="MICROSOFT.DBFORPOSTGRESQL"
| where Category == "PostgreSQLLogs"
| where Message contains "AUDIT:"
Log audit untuk tabel dan jenis peristiwa
Cari log audit untuk DDL jenis tabel dan peristiwa tertentu. Jenis peristiwa lainnya adalah READ, WRITE, FUNCTION, MISC. Ini membutuhkan log audit yang diaktifkan. [https://docs.microsoft.com/azure/postgresql/concepts-audit].
AzureDiagnostics
| where ResourceProvider =="MICROSOFT.DBFORPOSTGRESQL"
| where Category == "PostgreSQLLogs"
| where Message contains "AUDIT:"
| where Message contains "table name" and Message contains "DDL"
Kueri dengan waktu eksekusi melebihi ambang batas
Identifikasi kueri yang memakan waktu lebih dari 10 detik. Penyimpanan kueri menormalkan kueri aktual untuk mengagregasi kueri serupa. Secara default, entri dikumpulkan setiap 15 menit. Kueri menggunakan waktu eksekusi rata-rata setiap 15 menit dan statistik kueri lainnya seperti maks, min dapat digunakan sebagaimana mestinya.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.DBFORPOSTGRESQL"
| where Category == "QueryStoreRuntimeStatistics"
| where user_id_s != "10" //exclude azure system user
| project TimeGenerated, LogicalServerName_s, event_type_s , mean_time_s , db_id_s , start_time_s , query_id_s, _ResourceId
| where todouble(mean_time_s) > 0 // You may change the time threshold
Kueri paling lambat
Identifikasi 5 kueri paling lambat teratas.
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.DBFORPOSTGRESQL"
| where Category == "QueryStoreRuntimeStatistics"
| where user_id_s != "10" //exclude azure system user
| summarize avg(todouble(mean_time_s)) by event_class_s , db_id_s ,query_id_s
| top 5 by avg_mean_time_s desc
Tabel statistik kueri
Buat tabel statistik ringkasan menurut kueri.
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.DBFORPOSTGRESQL"
| where Category == "QueryStoreRuntimeStatistics"
| where user_id_s != "10" //exclude azure system user
| summarize sum(toint(calls_s)), min(todouble(min_time_s)),max(todouble(max_time_s)),avg(todouble(mean_time_s)),percentile(todouble(mean_time_s),95) by db_id_s ,query_id_s
| order by percentile_mean_time_s_95 desc nulls last
Tren jumlah eksekusi
Tren eksekusi menurut kueri diagregasi dengan interval 15 menit.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.DBFORPOSTGRESQL"
| where Category == "QueryStoreRuntimeStatistics"
| where user_id_s != "10" //exclude azure system user
| summarize sum(toint(calls_s)) by tostring(query_id_s), bin(TimeGenerated, 15m), ResourceId
| render timechart
Kejadian tunggu teratas
Identifikasi 5 peristiwa tunggu teratas berdasarkan kueri.
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.DBFORPOSTGRESQL"
| where Category == "QueryStoreWaitStatistics"
| where user_id_s != "10" //exclude azure system user
| where query_id_s != 0
| summarize sum(toint(calls_s)) by event_s, query_id_s, bin(TimeGenerated, 15m)
| top 5 by sum_calls_s desc nulls last
Tren peristiwa tunggu
Menampilkan tren peristiwa tunggu dari waktu ke waktu.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.DBFORPOSTGRESQL"
| where Category == "QueryStoreWaitStatistics"
| where user_id_s != "10" //exclude azure system user
| extend query_id_s = tostring(query_id_s)
| summarize sum(toint(calls_s)) by event_s, query_id_s, bin(TimeGenerated, 15m), ResourceId // You may change the time threshold
| render timechart
Kueri untuk microsoft.devices
Kesalahan konektivitas
Mengidentifikasi kesalahan koneksi perangkat.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.DEVICES" and ResourceType == "IOTHUBS"
| where Category == "Connections" and Level == "Error"
Perangkat dengan sebagian besar kesalahan pembatasan
Identifikasi perangkat yang membuat permintaan terbanyak yang mengakibatkan kesalahan pembatasan.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.DEVICES" and ResourceType == "IOTHUBS"
| where ResultType == "429001"
| extend DeviceId = tostring(parse_json(properties_s).deviceId)
| summarize count() by DeviceId, Category , _ResourceId
| order by count_ desc
Titik akhir buntu
Identifikasi titik akhir yang mati atau tidak sehat dengan berapa kali masalah dilaporkan, serta alasannya.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.DEVICES" and ResourceType == "IOTHUBS"
| where Category == "Routes" and OperationName in ("endpointDead", "endpointUnhealthy")
| extend parsed_json = parse_json(properties_s)
| extend Endpoint = tostring(parsed_json.endpointName), Reason =tostring(parsed_json.details)
| summarize count() by Endpoint, OperationName, Reason, _ResourceId
| order by count_ desc
Ringkasan kesalahan
Jumlah kesalahan di semua operasi menurut jenis.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.DEVICES" and ResourceType == "IOTHUBS"
| where Level == "Error"
| summarize count() by ResultType, ResultDescription, Category, _ResourceId
Perangkat yang baru-baru ini tersambung
Daftar perangkat yang IoT Hub lihat tersambung dalam periode waktu yang ditentukan.
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.DEVICES" and ResourceType == "IOTHUBS"
| where Category == "Connections" and OperationName == "deviceConnect"
| extend DeviceId = tostring(parse_json(properties_s).deviceId)
| summarize max(TimeGenerated) by DeviceId, _ResourceId
Versi SDK perangkat
Daftar perangkat dan versi SDK-nya.
// this query works on device connection or when your device uses device to cloud twin operations
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.DEVICES" and ResourceType == "IOTHUBS"
| where Category == "Connections" or Category == "D2CTwinOperations"
| extend parsed_json = parse_json(properties_s)
| extend SDKVersion = tostring(parsed_json.sdkVersion) , DeviceId = tostring(parsed_json.deviceId)
| distinct DeviceId, SDKVersion, TimeGenerated, _ResourceId
Kueri untuk microsoft.documentdb
RU/dtk yang dikonsumsi dalam 24 jam terakhir
Identifikasi RU yang digunakan pada database dan koleksi Cosmos.
// To create an alert for this query, click '+ New alert rule'
//You can compare the RU/s consumption with your provisioned RU/s to determine if you should scale up or down RU/s based on your workload.
AzureDiagnostics
| where TimeGenerated >= ago(24hr)
| where Category == "DataPlaneRequests"
//| where collectionName_s == "CollectionToAnalyze" //Replace to target the query to a collection
| summarize ConsumedRUsPerMinute = sum(todouble(requestCharge_s)) by collectionName_s, _ResourceId, bin(TimeGenerated, 1m)
| project TimeGenerated , ConsumedRUsPerMinute , collectionName_s, _ResourceId
| render timechart
Koleksi dengan pembatasan (429) dalam 24 jam terakhir
Identifikasi koleksi dan operasi yang telah menerima 429 (pembatasan), yang terjadi ketika throughput yang dikonsumsi (RU/dtk) melebihi throughput yang disediakan.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where TimeGenerated >= ago(24hr)
| where Category == "DataPlaneRequests"
| where statusCode_s == 429
| summarize numberOfThrottles = count() by databaseName_s, collectionName_s, requestResourceType_s, _ResourceId, bin(TimeGenerated, 1hr)
| order by numberOfThrottles
Operasi teratas dengan Unit Permintaan (RU) yang digunakan dalam 24 jam terakhir
Identifikasi operasi teratas pada sumber daya Cosmos berdasarkan hitungan dan ru yang dikonsumsi per operasi.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where TimeGenerated >= ago(24h)
| where Category == "DataPlaneRequests"
| summarize numberOfOperations = count(), totalConsumedRU = sum(todouble(requestCharge_s)) by databaseName_s, collectionName_s, OperationName, requestResourceType_s, requestResourceId_s, _ResourceId
| extend averageRUPerOperation = totalConsumedRU / numberOfOperations
| order by numberOfOperations
Kunci partisi logis teratas menurut penyimpanan
Identifikasi nilai kunci partisi logis terbesar. PartitionKeyStatistics akan memancarkan data untuk kunci partisi logis teratas berdasarkan penyimpanan.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where Category == "PartitionKeyStatistics"
//| where collectionName_s == "CollectionToAnalyze" //Replace to target the query to a collection
| summarize arg_max(TimeGenerated, *) by databaseName_s, collectionName_s, partitionKey_s, _ResourceId //Get the latest storage size
| extend utilizationOf20GBLogicalPartition = sizeKb_d / 20000000 //20GB
| project TimeGenerated, databaseName_s , collectionName_s , partitionKey_s, sizeKb_d, utilizationOf20GBLogicalPartition, _ResourceId
Kueri untuk microsoft.eventhub
[Klasik] Durasi kegagalan Pengambilan
Meringkas duarasi kegagalan pada Capture.
AzureDiagnostics
| where ResourceProvider == \"MICROSOFT.EVENTHUB\"
| where Category == \"ArchiveLogs\"
| summarize count() by \"failures\", \"durationInSeconds\", _ResourceId
[Klasik] Permintaan bergabung untuk klien
Meringkas status permintaan bergabung untuk klien.
AzureDiagnostics // Need to turn on the Capture for this
| where ResourceProvider == \"MICROSOFT.EVENTHUB\"
| project \"OperationName\"
[Klasik] Akses ke keyvault - kunci tidak ditemukan
Meringkas akses ke keyvault ketika kunci tidak ditemukan.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == \"MICROSOFT.EVENTHUB\"
| where Category == \"Error\" and OperationName == \"wrapkey\"
| project Message, _ResourceId
[Klasik] Operasi yang dilakukan dengan keyvault
Meringkas operasi yang dilakukan dengan keyvault untuk menonaktifkan atau memulihkan kunci.
AzureDiagnostics
| where ResourceProvider == \"MICROSOFT.EVENTHUB\"
| where Category == \"info\" and OperationName == \"disable\" or OperationName == \"restore\"
| project Message
Kesalahan dalam 7 hari terakhir
Ini mencantumkan semua kesalahan selama 7 hari terakhir.
AzureDiagnostics
| where TimeGenerated > ago(7d)
| where ResourceProvider =="MICROSOFT.EVENTHUB"
| where Category == "OperationalLogs"
| summarize count() by "EventName", _ResourceId
Durasi kegagalan Pengambilan
Meringkas duarasi kegagalan pada Capture.
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.EVENTHUB"
| where Category == "ArchiveLogs"
| summarize count() by "failures", "durationInSeconds", _ResourceId
Permintaan bergabung untuk klien
Meringkas status permintaan bergabung untuk klien.
AzureDiagnostics // Need to turn on the Capture for this
| where ResourceProvider == "MICROSOFT.EVENTHUB"
| project "OperationName"
Akses ke keyvault - kunci tidak ditemukan
Meringkas akses ke keyvault ketika kunci tidak ditemukan.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.EVENTHUB"
| where Category == "Error" and OperationName == "wrapkey"
| project Message, ResourceId
Operasi yang dilakukan dengan keyvault
Meringkas operasi yang dilakukan dengan keyvault untuk menonaktifkan atau memulihkan kunci.
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.EVENTHUB"
| where Category == "info" and OperationName == "disable" or OperationName == "restore"
| project Message
Kueri untuk microsoft.keyvault
[Klasik] Seberapa aktif KeyVault ini?
[Klasik] Bagan garis memperlihatkan tren volume permintaan KeyVault, per operasi dari waktu ke waktu.
// KeyVault diagnostic currently stores logs in AzureDiagnostics table which stores logs for multiple services.
// Filter on ResourceProvider for logs specific to a service.
AzureDiagnostics
| where ResourceProvider =="MICROSOFT.KEYVAULT"
| summarize count() by bin(TimeGenerated, 1h), OperationName // Aggregate by hour
| render timechart
[Klasik] Siapa yang memanggil KeyVault ini?
[Klasik] Daftar penelepon yang diidentifikasi oleh alamat IP mereka dengan jumlah permintaan mereka.
// KeyVault diagnostic currently stores logs in AzureDiagnostics table which stores logs for multiple services.
// Filter on ResourceProvider for logs specific to a service.
AzureDiagnostics
| where ResourceProvider =="MICROSOFT.KEYVAULT"
| summarize count() by CallerIPAddress
[Klasik] Apakah ada permintaan lambat?
[Klasik] Daftar permintaan KeyVault yang memakan waktu lebih dari 1 detik.
// To create an alert for this query, click '+ New alert rule'
let threshold=1000; // let operator defines a constant that can be further used in the query
AzureDiagnostics
| where ResourceProvider =="MICROSOFT.KEYVAULT"
| where DurationMs > threshold
| summarize count() by OperationName, _ResourceId
[Klasik] Seberapa cepat KeyVault ini melayani permintaan?
[Klasik] Bagan garis memperlihatkan tren durasi permintaan dari waktu ke waktu menggunakan agregasi yang berbeda.
AzureDiagnostics
| where ResourceProvider =="MICROSOFT.KEYVAULT"
| summarize avg(DurationMs) by requestUri_s, bin(TimeGenerated, 1h) // requestUri_s contains the URI of the request
| render timechart
[Klasik] Apakah ada kegagalan?
[Klasik] Jumlah permintaan KeyVault yang gagal berdasarkan kode status.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider =="MICROSOFT.KEYVAULT"
| where httpStatusCode_d >= 300 and not(OperationName == "Authentication" and httpStatusCode_d == 401)
| summarize count() by requestUri_s, ResultSignature, _ResourceId
// ResultSignature contains HTTP status, e.g. "OK" or "Forbidden"
// httpStatusCode_d contains HTTP status code returned by the request (e.g. 200, 300 or 401)
// requestUri_s contains the URI of the request
[Klasik] Perubahan apa yang terjadi bulan lalu?
[Klasik] Lists semua permintaan pembaruan dan patch dari 30 hari terakhir.
// KeyVault diagnostic currently stores logs in AzureDiagnostics table which stores logs for multiple services.
// Filter on ResourceProvider for logs specific to a service.
AzureDiagnostics
| where TimeGenerated > ago(30d) // Time range specified in the query. Overrides time picker in portal.
| where ResourceProvider =="MICROSOFT.KEYVAULT"
| where OperationName == "VaultPut" or OperationName == "VaultPatch"
| sort by TimeGenerated desc
[Klasik] Mencantumkan semua kesalahan deserialisasi input
[Klasik] Menampilkan kesalahan yang disebabkan karena peristiwa cacat yang tidak dapat dideserialisasi oleh pekerjaan.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.KEYVAULT" and parse_json(properties_s).DataErrorType in ("InputDeserializerError.InvalidData", "InputDeserializerError.TypeConversionError", "InputDeserializerError.MissingColumns", "InputDeserializerError.InvalidHeader", "InputDeserializerError.InvalidCompressionType")
| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId
[Klasik] Temukan Di AzureDiagnostics
[Klasik] Temukan di AzureDiagnostics untuk mencari nilai tertentu dalam tabel AzureDiagnostics./nNote bahwa kueri ini memerlukan pembaruan <parameter SeachValue> untuk menghasilkan hasil
// This query requires a parameter to run. Enter value in SearchValue to find in table.
let SearchValue = "<SearchValue>";//Please update term you would like to find in the table.
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.KEYVAULT"
| where * contains tostring(SearchValue)
| take 1000
Kueri untuk microsoft.logic
Total eksekusi yang dapat ditagih
Total eksekusi yang dapat ditagih berdasarkan nama operasi.
// Total billable executions
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.LOGIC"
| where Category == "WorkflowRuntime"
| where OperationName has "workflowTriggerStarted" or OperationName has "workflowActionStarted"
| summarize dcount(resource_runId_s) by OperationName, resource_workflowName_s
Distribusi eksekusi Aplikasi Logika menurut alur kerja
Bagan waktu per jam untuk eksekusi Aplikasi Logika, distribusi berdasarkan alur kerja.
// Hourly Time chart for Logic App execution distribution by workflows
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.LOGIC"
| where Category == "WorkflowRuntime"
| where OperationName has "workflowRunStarted"
| summarize dcount(resource_runId_s) by bin(TimeGenerated, 1h), resource_workflowName_s
| render timechart
Distribusi eksekusi Aplikasi Logika berdasarkan status
Menyelesaikan eksekusi berdasarkan alur kerja, status, dan kesalahan.
//logic app execution status summary
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.LOGIC"
| where OperationName has "workflowRunCompleted"
| summarize dcount(resource_runId_s) by resource_workflowName_s, status_s, error_code_s
| project LogicAppName = resource_workflowName_s , NumberOfExecutions = dcount_resource_runId_s , RunStatus = status_s , Error = error_code_s
Jumlah kegagalan yang dipicu
Tampilkan kegagalan Tindakan/Pemicu untuk semua eksekusi Aplikasi Logika menurut Nama sumber daya.
// To create an alert for this query, click '+ New alert rule'
//Action/Trigger failures for all Logic App executions
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.LOGIC"
| where Category == "WorkflowRuntime"
| where status_s == "Failed"
| where OperationName has "workflowActionCompleted" or OperationName has "workflowTriggerCompleted"
| extend ResourceName = coalesce(resource_actionName_s, resource_triggerName_s)
| extend ResourceCategory = substring(OperationName, 34, strlen(OperationName) - 43) | summarize dcount(resource_runId_s) by code_s, ResourceName, resource_workflowName_s, ResourceCategory, _ResourceId
| project ResourceCategory, ResourceName , FailureCount = dcount_resource_runId_s , ErrorCode = code_s, LogicAppName = resource_workflowName_s, _ResourceId
| order by FailureCount desc
Kueri untuk microsoft.network
Permintaan per jam
Jumlah permintaan masuk pada Application Gateway.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceType == "APPLICATIONGATEWAYS" and OperationName == "ApplicationGatewayAccess"
| summarize AggregatedValue = count() by bin(TimeGenerated, 1h), _ResourceId
| render timechart
Permintaan non-SSL per jam
Jumlah permintaan Non-SSL pada Application Gateway.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceType == "APPLICATIONGATEWAYS" and OperationName == "ApplicationGatewayAccess" and sslEnabled_s == "off"
| summarize AggregatedValue = count() by bin(TimeGenerated, 1h), _ResourceId
| render timechart
Permintaan yang gagal per jam
Jumlah permintaan yang Application Gateway tanggapi dengan kesalahan.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceType == "APPLICATIONGATEWAYS" and OperationName == "ApplicationGatewayAccess" and httpStatus_d > 399
| summarize AggregatedValue = count() by bin(TimeGenerated, 1h), _ResourceId
| render timechart
Kesalahan oleh agen pengguna
Jumlah kesalahan menurut agen pengguna.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceType == "APPLICATIONGATEWAYS" and OperationName == "ApplicationGatewayAccess" and httpStatus_d > 399
| summarize AggregatedValue = count() by userAgent_s, _ResourceId
| sort by AggregatedValue desc
Kesalahan oleh URI
Jumlah kesalahan berdasarkan URI.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceType == "APPLICATIONGATEWAYS" and OperationName == "ApplicationGatewayAccess" and httpStatus_d > 399
| summarize AggregatedValue = count() by requestUri_s, _ResourceId
| sort by AggregatedValue desc
10 IP Klien Teratas
Jumlah permintaan per IP klien.
AzureDiagnostics
| where ResourceType == "APPLICATIONGATEWAYS" and OperationName == "ApplicationGatewayAccess"
| summarize AggregatedValue = count() by clientIP_s
| top 10 by AggregatedValue
Versi HTTP teratas
Jumlah permintaan per versi HTTP.
AzureDiagnostics
| where ResourceType == "APPLICATIONGATEWAYS" and OperationName == "ApplicationGatewayAccess"
| summarize AggregatedValue = count() by httpVersion_s
| top 10 by AggregatedValue
Peristiwa keamanan jaringan
Temukan Pelaporan peristiwa keamanan jaringan yang memblokir lalu lintas masuk.
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.NETWORK"
| where Category == "NetworkSecurityGroupEvent"
| where direction_s == "In" and type_s == "block"
Permintaan per jam
Bagan garis render memperlihatkan total permintaan per jam untuk setiap sumber daya FrontDoor.
// Summarize number of requests per hour for each FrontDoor resource
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "FrontdoorAccessLog"
| summarize RequestCount = count() by bin(TimeGenerated, 1h), Resource, ResourceId
| render timechart
Permintaan backend yang diteruskan dengan aturan perutean
Hitung jumlah permintaan untuk setiap aturan perutean dan host backend per menit.
// Summarize number of requests per minute for each routing rule and backend host
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "FrontdoorAccessLog"
| summarize RequestCount = count() by bin(TimeGenerated, 1m), Resource, RoutingRuleName = routingRuleName_s, BackendHostname = backendHostname_s, ResourceId
Meminta kesalahan menurut host dan jalur
Hitung jumlah permintaan dengan respons kesalahan menurut host dan jalur.
// Summarize number of requests by host, path, and status codes >= 400
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "FrontdoorAccessLog"
| where toint(httpStatusCode_s) >= 400
| extend ParsedUrl = parseurl(requestUri_s)
| summarize RequestCount = count() by Host = tostring(ParsedUrl.Host), Path = tostring(ParsedUrl.Path), StatusCode = httpStatusCode_s, ResourceId
| order by RequestCount desc
Meminta kesalahan oleh agen pengguna
Hitung jumlah permintaan dengan respons kesalahan oleh agen pengguna.
// Summarize number of requests per user agent and status codes >= 400
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "FrontdoorAccessLog"
| where toint(httpStatusCode_s) >= 400
| summarize RequestCount = count() by UserAgent = userAgent_s, StatusCode = httpStatusCode_s , Resource, ResourceId
| order by RequestCount desc
10 IP klien dan versi http teratas
Tampilkan 10 IP klien dan versi http teratas.
// Summarize top 10 client ips and http versions
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "FrontdoorAccessLog"
| summarize RequestCount = count() by ClientIP = clientIp_s, HttpVersion = httpVersion_s, Resource
| top 10 by RequestCount
| order by RequestCount desc
Jumlah permintaan yang diblokir firewall per jam
Hitung jumlah permintaan yang diblokir firewall per jam.
// Summarize number of firewall blocked requests per hour by policy
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "FrontdoorWebApplicationFirewallLog"
| where action_s == "Block"
| summarize RequestCount = count() by bin(TimeGenerated, 1h), Policy = policy_s, PolicyMode = policyMode_s, Resource, ResourceId
| order by RequestCount desc
20 klien terblokir teratas berdasarkan IP dan aturan
Tampilkan 20 klien teratas yang diblokir berdasarkan IP dan nama aturan.
// Summarize top 20 blocked clients by IP and rule
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "FrontdoorWebApplicationFirewallLog"
| where action_s == "Block"
| summarize RequestCount = count() by ClientIP = clientIP_s, UserAgent = userAgent_s, RuleName = ruleName_s ,Resource
| top 20 by RequestCount
| order by RequestCount desc
Jumlah permintaan firewall menurut host, jalur, aturan, dan tindakan
Hitung permintaan yang diproses firewall berdasarkan host, jalur, aturan, dan tindakan yang diambil.
// Summarize request count by host, path, rule, and action
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "FrontdoorWebApplicationFirewallLog"
| extend ParsedUrl = parseurl(requestUri_s)
| summarize RequestCount = count() by Host = tostring(ParsedUrl.Host), Path = tostring(ParsedUrl.Path), RuleName = ruleName_s, Action = action_s, ResourceId
| order by RequestCount desc
Data log aturan aplikasi
Mengurai data log aturan aplikasi.
AzureDiagnostics
| where Category == "AzureFirewallApplicationRule"
//this first parse statement is valid for all entries as they all start with this format
| parse msg_s with Protocol " request from " SourceIP ":" SourcePort:int *
//Parse action as this is the same for all log lines
| parse kind=regex flags=U msg_s with * ". Action\\: " Action "\\."
// case1: Action: A. Reason: R.
| parse kind=regex flags=U msg_s with "\\. Reason\\: " Reason "\\."
//case 2a: to FQDN:PORT Url: U. Action: A. Policy: P. Rule Collection Group: RCG. Rule Collection: RC. Rule: R.
| parse msg_s with * "to " FQDN ":" TargetPort:int * "." *
//Parse policy if present
| parse msg_s with * ". Policy: " Policy ". Rule Collection Group: " RuleCollectionGroup "." *
| parse msg_s with * " Rule Collection: " RuleCollection ". Rule: " Rule
//case 2.b: Web Category: WC.
| parse Rule with * ". Web Category: " WebCategory
//case 3: No rule matched. Proceeding with default action"
| extend DefaultRule = iff(msg_s contains "No rule matched. Proceeding with default action", true, false)
| extend
SourcePort = tostring(SourcePort),
TargetPort = tostring(TargetPort)
| extend
Action = case(Action == "","N/A", case(DefaultRule, "Deny" ,Action)),
FQDN = case(FQDN == "", "N/A", FQDN),
TargetPort = case(TargetPort == "", "N/A", tostring(TargetPort)),
Policy = case(RuleCollection contains ":", split(RuleCollection, ":")[0] ,case(Policy == "", "N/A", Policy)),
RuleCollectionGroup = case(RuleCollection contains ":", split(RuleCollection, ":")[1], case(RuleCollectionGroup == "", "N/A", RuleCollectionGroup)),
RuleCollection = case(RuleCollection contains ":", split(RuleCollection, ":")[2], case(RuleCollection == "", "N/A", RuleCollection)),
WebCategory = case(WebCategory == "", "N/A", WebCategory),
Rule = case(Rule == "" , "N/A", case(WebCategory == "N/A", Rule, split(Rule, '.')[0])),
Reason = case(Reason == "", case(DefaultRule, "No rule matched - default action", "N/A"), Reason )
| project TimeGenerated, msg_s, Protocol, SourceIP, SourcePort, FQDN, TargetPort, Action, Policy, RuleCollectionGroup, RuleCollection, Rule, Reason ,WebCategory
Data log aturan jaringan
Mengurai data log aturan jaringan.
AzureDiagnostics
| where Category == "AzureFirewallNetworkRule"
| where OperationName == "AzureFirewallNatRuleLog" or OperationName == "AzureFirewallNetworkRuleLog"
//case 1: for records that look like this:
//PROTO request from IP:PORT to IP:PORT.
| parse msg_s with Protocol " request from " SourceIP ":" SourcePortInt:int " to " TargetIP ":" TargetPortInt:int *
//case 1a: for regular network rules
| parse kind=regex flags=U msg_s with * ". Action\\: " Action1a "\\."
//case 1b: for NAT rules
//TCP request from IP:PORT to IP:PORT was DNAT'ed to IP:PORT
| parse msg_s with * " was " Action1b:string " to " TranslatedDestination:string ":" TranslatedPort:int *
//Parse rule data if present
| parse msg_s with * ". Policy: " Policy ". Rule Collection Group: " RuleCollectionGroup "." *
| parse msg_s with * " Rule Collection: " RuleCollection ". Rule: " Rule
//case 2: for ICMP records
//ICMP request from 10.0.2.4 to 10.0.3.4. Action: Allow
| parse msg_s with Protocol2 " request from " SourceIP2 " to " TargetIP2 ". Action: " Action2
| extend
SourcePort = tostring(SourcePortInt),
TargetPort = tostring(TargetPortInt)
| extend
Action = case(Action1a == "", case(Action1b == "",Action2,Action1b), split(Action1a,".")[0]),
Protocol = case(Protocol == "", Protocol2, Protocol),
SourceIP = case(SourceIP == "", SourceIP2, SourceIP),
TargetIP = case(TargetIP == "", TargetIP2, TargetIP),
//ICMP records don't have port information
SourcePort = case(SourcePort == "", "N/A", SourcePort),
TargetPort = case(TargetPort == "", "N/A", TargetPort),
//Regular network rules don't have a DNAT destination
TranslatedDestination = case(TranslatedDestination == "", "N/A", TranslatedDestination),
TranslatedPort = case(isnull(TranslatedPort), "N/A", tostring(TranslatedPort)),
//Rule information
Policy = case(Policy == "", "N/A", Policy),
RuleCollectionGroup = case(RuleCollectionGroup == "", "N/A", RuleCollectionGroup ),
RuleCollection = case(RuleCollection == "", "N/A", RuleCollection ),
Rule = case(Rule == "", "N/A", Rule)
| project TimeGenerated, msg_s, Protocol, SourceIP,SourcePort,TargetIP,TargetPort,Action, TranslatedDestination, TranslatedPort, Policy, RuleCollectionGroup, RuleCollection, Rule
Data log aturan Inteligensi Ancaman
Mengurai data log aturan Inteligensi Ancaman.
AzureDiagnostics
| where OperationName == "AzureFirewallThreatIntelLog"
| parse msg_s with Protocol " request from " SourceIP ":" SourcePortInt:int " to " TargetIP ":" TargetPortInt:int *
| parse msg_s with * ". Action: " Action "." Message
| parse msg_s with Protocol2 " request from " SourceIP2 " to " TargetIP2 ". Action: " Action2
| extend SourcePort = tostring(SourcePortInt),TargetPort = tostring(TargetPortInt)
| extend Protocol = case(Protocol == "", Protocol2, Protocol),SourceIP = case(SourceIP == "", SourceIP2, SourceIP),TargetIP = case(TargetIP == "", TargetIP2, TargetIP),SourcePort = case(SourcePort == "", "N/A", SourcePort),TargetPort = case(TargetPort == "", "N/A", TargetPort)
| sort by TimeGenerated desc
| project TimeGenerated, msg_s, Protocol, SourceIP,SourcePort,TargetIP,TargetPort,Action,Message
Azure Firewall data log
Mulai dari kueri ini jika Anda ingin mengurai log dari aturan jaringan, aturan aplikasi, aturan NAT, IDS, inteligensi ancaman, dan lainnya untuk memahami mengapa lalu lintas tertentu diizinkan atau ditolak. Kueri ini akan memperlihatkan 100 rekaman log terakhir tetapi dengan menambahkan pernyataan filter sederhana di akhir kueri, hasilnya dapat diubah.
// Parses the azure firewall rule log data.
// Includes network rules, application rules, threat intelligence, ips/ids, ...
AzureDiagnostics
| where Category == "AzureFirewallNetworkRule" or Category == "AzureFirewallApplicationRule"
//optionally apply filters to only look at a certain type of log data
//| where OperationName == "AzureFirewallNetworkRuleLog"
//| where OperationName == "AzureFirewallNatRuleLog"
//| where OperationName == "AzureFirewallApplicationRuleLog"
//| where OperationName == "AzureFirewallIDSLog"
//| where OperationName == "AzureFirewallThreatIntelLog"
| extend msg_original = msg_s
// normalize data so it's eassier to parse later
| extend msg_s = replace(@'. Action: Deny. Reason: SNI TLS extension was missing.', @' to no_data:no_data. Action: Deny. Rule Collection: default behavior. Rule: SNI TLS extension missing', msg_s)
| extend msg_s = replace(@'No rule matched. Proceeding with default action', @'Rule Collection: default behavior. Rule: no rule matched', msg_s)
// extract web category, then remove it from further parsing
| parse msg_s with * " Web Category: " WebCategory
| extend msg_s = replace(@'(. Web Category:).*','', msg_s)
// extract RuleCollection and Rule information, then remove it from further parsing
| parse msg_s with * ". Rule Collection: " RuleCollection ". Rule: " Rule
| extend msg_s = replace(@'(. Rule Collection:).*','', msg_s)
// extract Rule Collection Group information, then remove it from further parsing
| parse msg_s with * ". Rule Collection Group: " RuleCollectionGroup
| extend msg_s = replace(@'(. Rule Collection Group:).*','', msg_s)
// extract Policy information, then remove it from further parsing
| parse msg_s with * ". Policy: " Policy
| extend msg_s = replace(@'(. Policy:).*','', msg_s)
// extract IDS fields, for now it's always add the end, then remove it from further parsing
| parse msg_s with * ". Signature: " IDSSignatureIDInt ". IDS: " IDSSignatureDescription ". Priority: " IDSPriorityInt ". Classification: " IDSClassification
| extend msg_s = replace(@'(. Signature:).*','', msg_s)
// extra NAT info, then remove it from further parsing
| parse msg_s with * " was DNAT'ed to " NatDestination
| extend msg_s = replace(@"( was DNAT'ed to ).*",". Action: DNAT", msg_s)
// extract Threat Intellingence info, then remove it from further parsing
| parse msg_s with * ". ThreatIntel: " ThreatIntel
| extend msg_s = replace(@'(. ThreatIntel:).*','', msg_s)
// extract URL, then remove it from further parsing
| extend URL = extract(@"(Url: )(.*)(\. Action)",2,msg_s)
| extend msg_s=replace(@"(Url: .*)(Action)",@"\2",msg_s)
// parse remaining "simple" fields
| parse msg_s with Protocol " request from " SourceIP " to " Target ". Action: " Action
| extend
SourceIP = iif(SourceIP contains ":",strcat_array(split(SourceIP,":",0),""),SourceIP),
SourcePort = iif(SourceIP contains ":",strcat_array(split(SourceIP,":",1),""),""),
Target = iif(Target contains ":",strcat_array(split(Target,":",0),""),Target),
TargetPort = iif(SourceIP contains ":",strcat_array(split(Target,":",1),""),""),
Action = iif(Action contains ".",strcat_array(split(Action,".",0),""),Action),
Policy = case(RuleCollection contains ":", split(RuleCollection, ":")[0] ,Policy),
RuleCollectionGroup = case(RuleCollection contains ":", split(RuleCollection, ":")[1], RuleCollectionGroup),
RuleCollection = case(RuleCollection contains ":", split(RuleCollection, ":")[2], RuleCollection),
IDSSignatureID = tostring(IDSSignatureIDInt),
IDSPriority = tostring(IDSPriorityInt)
| project msg_original,TimeGenerated,Protocol,SourceIP,SourcePort,Target,TargetPort,URL,Action, NatDestination, OperationName,ThreatIntel,IDSSignatureID,IDSSignatureDescription,IDSPriority,IDSClassification,Policy,RuleCollectionGroup,RuleCollection,Rule,WebCategory
| order by TimeGenerated
| limit 100
Azure Firewall data log proksi DNS
Mulai dari kueri ini jika Anda ingin memahami data log proksi DNS Firewall. Kueri ini akan memperlihatkan 100 rekaman log terakhir tetapi dengan menambahkan pernyataan filter sederhana di akhir kueri, hasilnya dapat diubah.
// DNS proxy log data
// Parses the DNS proxy log data.
AzureDiagnostics
| where Category == "AzureFirewallDnsProxy"
| parse msg_s with "DNS Request: " SourceIP ":" SourcePortInt:int " - " QueryID:int " " RequestType " " RequestClass " " hostname ". " protocol " " details
| extend
ResponseDuration = extract("[0-9]*.?[0-9]+s$", 0, msg_s),
SourcePort = tostring(SourcePortInt),
QueryID = tostring(QueryID)
| project TimeGenerated,SourceIP,hostname,RequestType,ResponseDuration,details,msg_s
| order by TimeGenerated
| limit 100
Tabel rute BGP
Tabel rute BPG dipelajari selama 12 jam terakhir.
AzureDiagnostics
| where TimeGenerated > ago(12h)
| where ResourceType == "EXPRESSROUTECIRCUITS"
| project TimeGenerated , ResourceType , network_s , path_s , OperationName
Pesan informasi BGP
Pesan informasi BGP berdasarkan tingkat, jenis sumber daya, dan jaringan.
AzureDiagnostics
| where Level == "Informational"
| project TimeGenerated , ResourceId, Level, ResourceType , network_s , path_s
Titik akhir dengan status pemantauan tidak berfungsi
Temukan alasan mengapa status pemantauan titik akhir Azure Traffic Manager tidak berfungsi.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceType == "TRAFFICMANAGERPROFILES" and Category == "ProbeHealthStatusEvents"
| where Status_s == "Down"
| project TimeGenerated, EndpointName_s, Status_s, ResultDescription, SubscriptionId , _ResourceId
Koneksi P2S berhasil
Koneksi P2S yang berhasil dalam 12 jam terakhir.
AzureDiagnostics
| where TimeGenerated > ago(12h)
| where Category == "P2SDiagnosticLog" and Message has "Connection successful"
| project TimeGenerated, Resource ,Message
Koneksi P2S gagal
Koneksi P2S yang gagal dalam 12 jam terakhir.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where TimeGenerated > ago(12h)
| where Category == "P2SDiagnosticLog" and Message has "Connection failed"
| project TimeGenerated, Resource ,Message
Perubahan konfigurasi gateway
Perubahan konfigurasi gateway yang berhasil dilakukan oleh administrator selama 24 jam terakhir.
AzureDiagnostics
| where TimeGenerated > ago(24h)
| where Category == "GatewayDiagnosticLog" and operationStatus_s == "Success" and configuration_ConnectionTrafficType_s == "Internet"
| project TimeGenerated, Resource, OperationName, Message, operationStatus_s
Peristiwa connet/pemutusan sambungan terowongan S2S
Peristiwa connet/pemutusan sambungan terowongan S2S selama 24 jam terakhir.
AzureDiagnostics
| where TimeGenerated > ago(24h)
| where Category == "TunnelDiagnosticLog" and (status_s == "Connected" or status_s == "Disconnected")
| project TimeGenerated, Resource , status_s, remoteIP_s, stateChangeReason_s
Pembaruan rute BGP
Pembaruan rute BGP selama 24 jam terakhir.
AzureDiagnostics
| where TimeGenerated > ago(24h)
| where Category == "RouteDiagnosticLog" and OperationName == "BgpRouteUpdate"
Perlihatkan log dari tabel AzureDiagnostics
Lists log terbaru dalam tabel AzureDiagnostics, diurutkan menurut waktu (terbaru terlebih dahulu).
AzureDiagnostics
| top 10 by TimeGenerated
Kueri untuk microsoft.recoveryservices
Pekerjaan pencadangan yang gagal
Temukan log yang melaporkan pekerjaan pencadangan yang gagal dari hari terakhir.
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.RECOVERYSERVICES" and Category == "AzureBackupReport"
| where OperationName == "Job" and JobOperation_s == "Backup" and JobStatus_s == "Failed"
| project TimeGenerated, JobUniqueId_g, JobStartDateTime_s, JobOperation_s, JobOperationSubType_s, JobStatus_s , JobFailureCode_s, JobDurationInSecs_s , AdHocOrScheduledJob_s
Kueri untuk microsoft.servicebus
[Klasik] Operasi Manajemen Daftar
Ini mencantumkan semua panggilan manajemen.
AzureDiagnostics
| where ResourceProvider ==\"MICROSOFT.SERVICEBUS\"
| where Category == \"OperationalLogs\"
| summarize count() by EventName_s, _ResourceId
[Klasik] Ringkasan Kesalahan
Meringkas semua kesalahan yang ditemui.
AzureDiagnostics
| where ResourceProvider ==\"MICROSOFT.SERVICEBUS\"
| where Category == \"Error\"
| summarize count() by EventName_s, _ResourceId
[Klasik] Upaya akses keyvault - kunci tidak ditemukan
Meringkas akses ke keyvault ketika kunci tidak ditemukan.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == \"MICROSOFT.SERVICEBUS\"
| where Category == \"Error\" and OperationName == \"wrapkey\"
| project Message, _ResourceId
[Klasik] Entitas Yang Dihapus Otomatis
Ringkasan semua entitas yang telah dihapus secara otomatis.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == \"MICROSOFT.SERVICEBUS\"
| where Category == \"OperationalLogs\"
| where EventName_s startswith \"AutoDelete\"
| summarize count() by EventName_s, _ResourceId
[Klasik] Keyvault dilakukan operasional
Meringkas operasi yang dilakukan dengan keyvault untuk menonaktifkan atau memulihkan kunci.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == \"MICROSOFT.SERVICEBUS\"
| where (Category == \"info\" and (OperationName == \"disable\" or OperationName == \"restore\"))
| project Message, _ResourceId
Operasi manajemen dalam 7 hari terakhir
Ini mencantumkan semua panggilan manajemen selama 7 hari terakhir.
AzureDiagnostics
| where TimeGenerated > ago(7d)
| where ResourceProvider =="MICROSOFT.SERVICEBUS"
| where Category == "OperationalLogs"
| summarize count() by EventName_s, _ResourceId
Ringkasan kesalahan
Meringkas semua kesalahan yang terlihat dalam 7 hari terakhir.
AzureDiagnostics
| where TimeGenerated > ago(7d)
| where ResourceProvider =="MICROSOFT.SERVICEBUS"
| where Category == "Error"
| summarize count() by EventName_s, _ResourceId
Upaya akses keyvault - kunci tidak ditemukan
Meringkas akses ke keyvault ketika kunci tidak ditemukan.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.SERVICEBUS"
| where Category == "Error" and OperationName == "wrapkey"
| project Message, _ResourceId
Entitas Yang Dihapus Otomatis
Ringkasan semua entitas yang telah dihapus secara otomatis.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.SERVICEBUS"
| where Category == "OperationalLogs"
| where EventName_s startswith "AutoDelete"
| summarize count() by EventName_s, _ResourceId
Keyvault dilakukan operasional
Meringkas operasi yang dilakukan dengan keyvault untuk menonaktifkan atau memulihkan kunci.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.SERVICEBUS"
| where (Category == "info" and (OperationName == "disable" or OperationName == "restore"))
| project Message, _ResourceId
Kueri untuk microsoft.sql
Penyimpanan pada instans terkelola di atas 90%
Tampilkan semua instans terkelola dengan pemanfaatan penyimpanan di atas 90%.
// To create an alert for this query, click '+ New alert rule'
let storage_percentage_threshold = 90;
AzureDiagnostics
| where Category =="ResourceUsageStats"
| summarize (TimeGenerated, calculated_storage_percentage) = arg_max(TimeGenerated, todouble(storage_space_used_mb_s) *100 / todouble (reserved_storage_mb_s))
by _ResourceId
| where calculated_storage_percentage > storage_percentage_threshold
Pemanfaatan CPU treshold di atas 95% pada instans terkelola
Tampilkan semua instans terkelola dengan treshold CPU lebih dari 95% treshold.
// To create an alert for this query, click '+ New alert rule'
let cpu_percentage_threshold = 95;
let time_threshold = ago(1h);
AzureDiagnostics
| where Category == "ResourceUsageStats" and TimeGenerated > time_threshold
| summarize avg_cpu = max(todouble(avg_cpu_percent_s)) by _ResourceId
| where avg_cpu > cpu_percentage_threshold
Menampilkan semua wawasan cerdas aktif
Tampilkan semua masalah performa aktif yang terdeteksi oleh wawasan cerdas. Harap dicatat bahwa log SQLInsights perlu diaktifkan untuk setiap database yang dipantau.
AzureDiagnostics
| where Category == "SQLInsights" and status_s == "Active"
| distinct rootCauseAnalysis_s
Statistik tunggu
Statistik tunggu selama satu jam terakhir, oleh Server Logis dan Database.
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.SQL"
| where TimeGenerated >= ago(60min)
| parse _ResourceId with * "/microsoft.sql/servers/" LogicalServerName "/databases/" DatabaseName
| summarize Total_count_60mins = sum(delta_waiting_tasks_count_d) by LogicalServerName, DatabaseName, wait_type_s
Kueri untuk microsoft.streamanalytics
Mencantumkan semua kesalahan data input
Memperlihatkan semua kesalahan yang terjadi saat memproses data dari input.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and parse_json(properties_s).Type == "DataError"
| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId
Mencantumkan semua kesalahan deserialisasi input
Menampilkan kesalahan yang disebabkan karena peristiwa cacat yang tidak dapat dideserialisasi oleh pekerjaan.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and parse_json(properties_s).DataErrorType in ("InputDeserializerError.InvalidData", "InputDeserializerError.TypeConversionError", "InputDeserializerError.MissingColumns", "InputDeserializerError.InvalidHeader", "InputDeserializerError.InvalidCompressionType")
| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId
Mencantumkan semua kesalahan InvalidInputTimeStamp
Memperlihatkan kesalahan yang disebabkan karena peristiwa di mana nilai ekspresi TIMESTAMP BY tidak dapat dikonversi ke tanggalwaktu.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and parse_json(properties_s).DataErrorType == "InvalidInputTimeStamp"
| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId
Mencantumkan semua kesalahan InvalidInputTimeStampKey
Menampilkan kesalahan yang disebabkan karena peristiwa di mana nilai TIMESTAMP BY OVER timestampColumn adalah NULL.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and parse_json(properties_s).DataErrorType == "InvalidInputTimeStampKey"
| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId
Peristiwa yang datang terlambat
Menunjukkan kesalahan karena peristiwa di mana perbedaan antara waktu aplikasi dan waktu kedatangan lebih besar dari kebijakan kedatangan terlambat.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and parse_json(properties_s).DataErrorType == "LateInputEvent"
| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId
Peristiwa yang tiba lebih awal
Menunjukkan kesalahan karena peristiwa di mana perbedaan antara Waktu aplikasi dan Waktu kedatangan lebih besar dari 5 menit.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and parse_json(properties_s).DataErrorType == "EarlyInputEvent"
| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId
Peristiwa yang tiba tidak berurutan
Menampilkan kesalahan karena peristiwa yang tiba tidak berurutan sesuai dengan kebijakan yang tidak berurutan.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and parse_json(properties_s).DataErrorType == "OutOfOrderEvent"
| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId
Semua kesalahan data output
Memperlihatkan semua kesalahan yang terjadi saat menulis hasil kueri ke output dalam pekerjaan Anda.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and parse_json(properties_s).DataErrorType in ("OutputDataConversionError.RequiredColumnMissing", "OutputDataConversionError.ColumnNameInvalid", "OutputDataConversionError.TypeConversionError", "OutputDataConversionError.RecordExceededSizeLimit", "OutputDataConversionError.DuplicateKey")
| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId
Mencantumkan semua kesalahan RequiredColumnMissing
Memperlihatkan semua kesalahan di mana rekaman output yang dihasilkan oleh pekerjaan Anda memiliki kolom yang hilang.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and parse_json(properties_s).DataErrorType == "OutputDataConversionError.RequiredColumnMissing"
| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId
Mencantumkan semua kesalahan ColumnNameInvalid
Memperlihatkan kesalahan di mana catatan output yang dihasilkan oleh pekerjaan Anda memiliki nama kolom yang tidak dipetakan ke kolom di output Anda.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and parse_json(properties_s).DataErrorType == "OutputDataConversionError.ColumnNameInvalid"
| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId
Mencantumkan semua kesalahan TypeConversionError
Menampilkan kesalahan di mana catatan output yang dihasilkan oleh pekerjaan Anda memiliki kolom tidak dapat dikonversi ke jenis yang valid dalam output.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and parse_json(properties_s).DataErrorType == "OutputDataConversionError.TypeConversionError"
| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId
Mencantumkan semua kesalahan RecordExceededSizeLimit
Menampilkan kesalahan di mana ukuran rekaman output yang dihasilkan oleh pekerjaan Anda lebih besar dari ukuran output yang didukung.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and parse_json(properties_s).DataErrorType == "OutputDataConversionError.RecordExceededSizeLimit"
| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId
Mencantumkan semua kesalahan DuplicateKey
Memperlihatkan kesalahan di mana catatan output yang dihasilkan oleh pekerjaan berisi kolom dengan nama yang sama dengan kolom Sistem.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and parse_json(properties_s).DataErrorType == "OutputDataConversionError.DuplicateKey"
| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId
Semua log dengan tingkat "Kesalahan"
Menampilkan semua log yang kemungkinan berdampak negatif pada pekerjaan Anda.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and Level == "Error"
| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId
Operasi yang memiliki "Gagal"
Menampilkan semua operasi pada pekerjaan Anda yang telah mengakibatkan kegagalan.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and status_s == "Failed"
| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId
Log Pembatasan Output (Cosmos DB, Power BI, Event Hubs)
Menampilkan semua instans di mana penulisan ke salah satu output Anda dibatasi oleh layanan tujuan.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and parse_json(properties_s).Type in ("DocumentDbOutputAdapterWriteThrottlingError", "EventHubOutputAdapterEventHubThrottlingError", "PowerBIServiceThrottlingError", "PowerBIServiceThrottlingError")
| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId
Kesalahan input dan output sementara
Menunjukkan semua kesalahan yang terkait dengan input dan output yang bersifat terputus-putus.
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and parse_json(properties_s).Type in ("AzureFunctionOutputAdapterTransientError", "BlobInputAdapterTransientError", "DataLakeOutputAdapterTransientError", "DocumentDbOutputAdapterTransientError", "EdgeHubOutputAdapterEdgeHubTransientError", "EventHubBasedInputInvalidOperationTransientError", "EventHubBasedInputOperationCanceledTransientError", "EventHubBasedInputTimeoutTransientError", "EventHubBasedInputTransientError", "EventHubOutputAdapterEventHubTransientError", "InputProcessorTransientFailure", "OutputProcessorTransientError", "ReferenceDataInputAdapterTransientError", "ServiceBusOutputAdapterTransientError", "TableOutputAdapterTransientError")
| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId
Ringkasan semua kesalahan data dalam 7 hari terakhir
Ringkasan semua kesalahan data dalam 7 hari terakhir.
AzureDiagnostics
| where TimeGenerated > ago(7d) //last 7 days
| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and parse_json(properties_s).Type == "DataError"
| extend DataErrorType = tostring(parse_json(properties_s).DataErrorType)
| summarize Count=count(), sampleEvent=any(properties_s) by DataErrorType, JobName=Resource
Ringkasan semua kesalahan dalam 7 hari terakhir
Ringkasan semua kesalahan dalam 7 hari terakhir.
AzureDiagnostics
| where TimeGenerated > ago(7d) //last 7 days
| where ResourceProvider == "MICROSOFT.STREAMANALYTICS"
| extend ErrorType = tostring(parse_json(properties_s).Type)
| summarize Count=count(), sampleEvent=any(properties_s) by ErrorType, JobName=Resource
Ringkasan operasi 'Gagal' dalam 7 hari terakhir
Ringkasan operasi 'Gagal' dalam 7 hari terakhir.
AzureDiagnostics
| where TimeGenerated > ago(7d) //last 7 days
| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and status_s == "Failed"
| summarize Count=count(), sampleEvent=any(properties_s) by JobName=Resource
Saran dan Komentar
Segera hadir: Sepanjang tahun 2024 kami akan menghentikan penggunaan GitHub Issues sebagai mekanisme umpan balik untuk konten dan menggantinya dengan sistem umpan balik baru. Untuk mengetahui informasi selengkapnya, lihat: https://aka.ms/ContentUserFeedback.
Kirim dan lihat umpan balik untuk