
Overview of log queries in Azure Monitor

Log queries help you to fully leverage the value of the data collected in Azure Monitor Logs. A powerful query language allows you to join data from multiple tables, aggregate large sets of data, and perform complex operations with minimal code. Virtually any question can be answered and any analysis performed, as long as the supporting data has been collected and you understand how to construct the right query.

Some features in Azure Monitor, such as insights and solutions, process log data without exposing you to the underlying queries. To fully leverage the other features of Azure Monitor, you should understand how queries are constructed and how you can use them to interactively analyze data in Azure Monitor Logs.

Use this article as a starting point for learning about log queries in Azure Monitor. It answers common questions and provides links to other documentation with further details and lessons.

How can I learn how to write queries?

If you want to jump right into things, you can start with the following tutorials:

Once you have the basics down, walk through multiple lessons using either your own data or data from our demo environment, starting with:

What language do log queries use?

Azure Monitor Logs is based on Azure Data Explorer, and log queries are written in the same Kusto Query Language (KQL). This is a rich language designed to be easy to read and author, and you should be able to start using it with minimal guidance.

See the Azure Data Explorer KQL documentation for complete documentation on KQL and a reference for the different functions available.
See Get started with log queries in Azure Monitor for a quick walkthrough of the language using data from Azure Monitor Logs. See Azure Monitor log query language differences for the minor differences in the version of KQL used by Azure Monitor.

What data is available to log queries?

All data collected in Azure Monitor Logs is available to retrieve and analyze in log queries. Different data sources write their data to different tables, but you can include multiple tables in a single query to analyze data across multiple sources. When you build a query, you start by determining which tables hold the data you're looking for, so you should have at least a basic understanding of how data in Azure Monitor Logs is structured.

See Sources of Azure Monitor Logs for a list of the different data sources that populate Azure Monitor Logs.
See Structure of Azure Monitor Logs for an explanation of how the data is structured.

What does a log query look like?

A query could be as simple as a single table name, which retrieves all records from that table:


Or it could filter for particular records, summarize them, and visualize the results in a chart:

```kusto
| where TimeGenerated > ago(7d)
| where EventID == 4625
| summarize count() by Computer, bin(TimeGenerated, 1h)
| render timechart
```

For more complex analysis, you might retrieve data from multiple tables using a join so that the results can be analyzed together:

```kusto
| summarize count() by bin(timestamp,1hr)
| join kind= inner (Perf
    | summarize avg(CounterValue)
      by bin(TimeGenerated,1hr))
on $left.timestamp == $right.TimeGenerated
```

Even if you aren't familiar with KQL, you should be able to at least figure out the basic logic used by these queries. They start with the name of a table and then add multiple commands to filter and process that data. A query can use any number of commands, and you can write more complex queries as you become familiar with the different KQL commands available.
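The following query is an added example, not code from the Azure documentation page, that carries the same pattern (filter, summarize, join) through end to end. It assumes a workspace that collects the Windows SecurityEvent table with its TimeGenerated, EventID and Computer columns; the two `let` variables, the hourly bins and the leftouter join are choices made for this example. It pairs failed logons (EventID 4625) with successful logons (EventID 4624) per computer and hour, so that an hour with many failures and no successes stands out from normal activity.

```kusto
// Added example (assumes the SecurityEvent table is being collected).
// Failed logons (EventID 4625) per computer per hour over the last 7 days.
let failed = SecurityEvent
    | where TimeGenerated > ago(7d)
    | where EventID == 4625
    | summarize FailedLogons = count() by Computer, Hour = bin(TimeGenerated, 1h);
// Successful logons (EventID 4624) on the same computer/hour grain.
let succeeded = SecurityEvent
    | where TimeGenerated > ago(7d)
    | where EventID == 4624
    | summarize SuccessfulLogons = count() by Computer, Hour = bin(TimeGenerated, 1h);
// Join on both key columns. A leftouter join keeps hours that had failures
// but no successes at all, which an inner join would silently drop.
failed
| join kind=leftouter succeeded on Computer, Hour
| extend SuccessfulLogons = coalesce(SuccessfulLogons, 0)
| project Hour, Computer, FailedLogons, SuccessfulLogons
| sort by FailedLogons desc
```

Each `let` statement names an intermediate result that is referenced by the final pipeline; the join keys are the matching column names on both sides, so `$left`/`$right` syntax is not needed here. Replacing the final `project` and `sort` with `| render timechart` turns the same data into the chart form shown in the page's earlier example.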

See Get started with log queries in Azure Monitor for a tutorial on log queries that introduces the language and common functions.

What is Log Analytics?

Log Analytics is the primary tool in the Azure portal for writing log queries and interactively analyzing their results. Even if a log query is used elsewhere in Azure Monitor, you'll typically write and test the query first using Log Analytics.

You can start Log Analytics from several places in the Azure portal. The scope of the data available to Log Analytics is determined by how you start it. See Query scope for more details.

  • Select Logs from the Azure Monitor menu or the Log Analytics workspaces menu.
  • Select Logs from the Overview page of an Application Insights application.
  • Select Logs from the menu of an Azure resource.


See Get started with Log Analytics in Azure Monitor for a tutorial walkthrough of Log Analytics that introduces several of its features.

Where else are log queries used?

In addition to working interactively with log queries and their results in Log Analytics, you will use queries in the following areas of Azure Monitor:

  • Alert rules. Alert rules proactively identify issues from data in your workspace. Each alert rule is based on a log search that is run automatically at regular intervals. The results are inspected to determine whether an alert should be created.
  • Dashboards. You can pin the results of any query to an Azure dashboard, which allows you to visualize log and metric data together and optionally share them with other Azure users.
  • Views. You can create visualizations of data to be included in user dashboards with View Designer. Log queries provide the data used by the tiles and visualization parts in each view.
  • Export. When you import log data from Azure Monitor into Excel or Power BI, you create a log query to define the data to export.
  • PowerShell. You can run a PowerShell script from a command line or an Azure Automation runbook that uses Get-AzOperationalInsightsSearchResults to retrieve log data from Azure Monitor. This cmdlet requires a query to determine the data to retrieve.
  • Azure Monitor Logs API. The Azure Monitor Logs API allows any REST API client to retrieve log data from the workspace. The API request includes a query that is run against Azure Monitor to determine the data to retrieve.
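The alert-rule usage in the list above is easiest to see with a query written for that purpose. The query below is an added example, not code from the Azure documentation page: it again assumes the SecurityEvent table is collected, and the 15-minute lookback and the threshold of 20 failures are illustrative values chosen for the example, not figures from the page. Unlike an interactive query, an alert query should return one row per condition worth raising, with the fields an operator needs in the alert payload; a scheduled rule then fires when the result set is non-empty (or exceeds a configured row count).

```kusto
// Added example of an alert-style query (assumes the SecurityEvent table).
// lookback and failureThreshold are illustrative assumptions.
let lookback = 15m;
let failureThreshold = 20;
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4625                      // failed logon
| summarize FailedLogons = count(),
            TargetComputers = dcount(Computer), // how many hosts were affected
            Computers = make_set(Computer, 10), // up to 10 host names for context
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
          by Account
| where FailedLogons >= failureThreshold
// One row per account over threshold; these rows become the alert context.
| project Account, FailedLogons, TargetComputers, Computers, FirstSeen, LastSeen
| sort by FailedLogons desc
```

Keeping the threshold in a `let` variable at the top makes it the single place to tune when the rule is too noisy, and the `dcount`/`make_set` columns let the operator reading the alert tell a single misconfigured host apart from failures spread across many hosts without re-running the query. The same query text can be supplied to Get-AzOperationalInsightsSearchResults or sent through the Azure Monitor Logs API, since all three paths run the query unchanged against the workspace.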

Next steps