Transitioning to Azure Log Analytics new query language

Log Analytics recently implemented a new query language. This article provides assistance on transitioning to this language for Log Analytics if you're already familiar with the legacy language and still need some assistance.

Resources

Language converter

If you're familiar with the legacy Log Analytics query language, the easiest way to create the same query in the new language is to use the Language Converter that's installed in the Log Search portal when your workspace is converted. Using the converter is as simple as typing a legacy query in the top text box and then clicking Convert. You can either click the search button to run the query or copy and paste it to use it somewhere else.


Resources

The documentation site for the Log Analytics Query Language has all the resources you need to come up to speed on the new language. This includes tutorials, examples, and a complete language reference.

Cheat sheet

The following table compares a variety of common queries in the legacy query language with their equivalent commands in the new query language in Azure Log Analytics.

Search all tables
    Legacy: error
    New:    search "error" (not case sensitive)

Select data from table
    Legacy: Type=Event
    New:    Event

    Legacy: Type=Event | select Source, EventLog, EventID
    New:    Event | project Source, EventLog, EventID

    Legacy: Type=Event | top 100
    New:    Event | take 100

String comparison
    Legacy: Type=Event Computer=srv01.contoso.com
    New:    Event | where Computer == "srv01.contoso.com"

    Legacy: Type=Event Computer=contains("contoso")
    New:    Event | where Computer contains "contoso" (not case sensitive)
    New:    Event | where Computer contains_cs "Contoso" (case sensitive)

    Legacy: Type=Event Computer=RegEx("@contoso@")
    New:    Event | where Computer matches regex ".contoso"

Date comparison
    Legacy: Type=Event TimeGenerated > NOW-1DAYS
    New:    Event | where TimeGenerated > ago(1d)

    Legacy: Type=Event TimeGenerated>2017-05-01 TimeGenerated<2017-05-31
    New:    Event | where TimeGenerated between (datetime(2017-05-01) .. datetime(2017-05-31))

Boolean comparison
    Legacy: Type=Heartbeat IsGatewayInstalled=false
    New:    Heartbeat \

Sort
    Legacy: Type=Event | sort Computer asc, EventLog desc, EventLevelName asc
    New:    Event \

Distinct
    Legacy: Type=Event | dedup Computer \ select Computer

Extend columns
    Legacy: Type=Perf CounterName="% Processor Time" | EXTEND if(map(CounterValue,0,50,0,1),"HIGH","LOW") as UTILIZATION
    New:    Perf | where CounterName == "% Processor Time" \

Aggregation
    Legacy: Type=Event | measure count() as Count by Computer
    New:    Event | summarize Count = count() by Computer

    Legacy: Type=Perf ObjectName=Processor CounterName="% Processor Time" | measure avg(CounterValue) by Computer interval 5minute
    New:    Perf | where ObjectName=="Processor" and CounterName=="% Processor Time" | summarize avg(CounterValue) by Computer, bin(TimeGenerated, 5min)

Aggregation with limit
    Legacy: Type=Event | measure count() by Computer | top 10
    New:    Event | summarize AggregatedValue = count() by Computer | limit 10

Union
    Legacy: Type=Event or Type=Syslog
    New:    union Event, Syslog

Join
    Legacy: Type=NetworkMonitoring | join inner AgentIP (Type=Heartbeat) ComputerIP
    New:    NetworkMonitoring | join kind=inner (search Type == "Heartbeat") on $left.AgentIP == $right.ComputerIP
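
Several of the mappings in the cheat sheet above are mechanical, which helps when an inventory of saved searches or alert queries has to be triaged before migration. The following Python sketch is an added example, not part of the original article and not the portal's Language Converter; the `convert` function and its rule set are hypothetical. It implements only the select, top, string-equality, `measure count() as` and union rows, and raises an error on anything else so that an unsupported search is flagged for manual review rather than translated wrongly.

```python
import re

# Pipeline stages whose new form is given in the cheat sheet above.
STAGES = [
    (re.compile(r"select\s+(.+)"), r"project \1"),
    (re.compile(r"top\s+(\d+)"), r"take \1"),
    (re.compile(r"measure\s+count\(\)\s+as\s+(\w+)\s+by\s+(\w+)"),
     r"summarize \1 = count() by \2"),
]
TYPE = re.compile(r"Type=(\w+)")
EQUALS = re.compile(r"(\w+)=([\w.-]+)")


def convert(legacy):
    """Translate a legacy search covered by the rules above; raise otherwise."""
    head, *stages = [part.strip() for part in legacy.split("|")]
    terms = re.split(r"\s+or\s+", head)
    if len(terms) > 1:
        # "Type=A or Type=B" becomes a union of the tables.
        tables = [TYPE.fullmatch(term) for term in terms]
        if not all(tables):
            raise ValueError(f"unsupported search term: {head!r}")
        out = ["union " + ", ".join(m.group(1) for m in tables)]
    else:
        first, *filters = head.split()
        table = TYPE.fullmatch(first)
        if not table:
            raise ValueError(f"search must start with Type=<table>: {head!r}")
        out = [table.group(1)]
        for token in filters:
            m = EQUALS.fullmatch(token)
            # Assumption: only plain string equality is translated; boolean
            # and numeric values need typed literals and are rejected.
            value = m.group(2) if m else ""
            if not m or value.lower() in ("true", "false") or value.isdigit():
                raise ValueError(f"unsupported filter: {token!r}")
            out.append(f'where {m.group(1)} == "{value}"')
    for stage in stages:
        for pattern, replacement in STAGES:
            if pattern.fullmatch(stage):
                out.append(pattern.sub(replacement, stage))
                break
        else:
            raise ValueError(f"unsupported stage: {stage!r}")
    return " | ".join(out)
```

Queries that raise `ValueError` are the ones to run through the Language Converter or rewrite by hand.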

Next steps