How to discover who deleted a cluster in Azure portal

If a cluster in your workspace has disappeared or been deleted, you can identify which user deleted it by running a query in the Log Analytics workspaces service in the Azure portal.

Note

If you do not have an analytics workspace set up, you must configure Diagnostic Logging in Azure Databricks before you continue.

  1. Load the Log Analytics workspaces service in the Azure portal.

  2. Click the name of your workspace.

  3. Click Logs.

  4. Look for the following text: Type your query here or click one of the example queries to start.


  5. Enter the following query:

    DatabricksClusters
    | where ActionName == "permanentDelete"
         and Response contains "\"statusCode\":200"
         and RequestParams contains "\"cluster_id\":\"0210-024915-bore731\""  // Add cluster_id filter if cluster id is known
         and TimeGenerated between(datetime("2020-01-25 00:00:00") .. datetime("2020-01-28 00:00:00"))  // Add timestamp (in UTC) filter to narrow down the result.
    | extend id = parse_json(Identity)
    | extend requestParams = parse_json(RequestParams)
    | project UserEmail=id.email,clusterId = requestParams.cluster_id, SourceIPAddress, EventTime=TimeGenerated
    
  6. Edit the cluster_id as required.

  7. Edit the datetime values to filter on a specific time range.

  8. Click Run to execute the query.

The results (if any) display below the query box.
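
The same filter can be applied offline to rows exported from the DatabricksClusters table, for example during an incident review; this is an added example, not part of the original article or Microsoft's code. It assumes each row is a dictionary with the column names used in the query and ISO 8601 UTC timestamps; `make_row`, `load_json`, `find_cluster_deleters` and all sample values are constructed for illustration.

```python
import json
from datetime import datetime, timezone

def make_row(ts, action, status, cluster, email, ip):
    """Build one constructed record using the table's column names."""
    return {"TimeGenerated": ts, "ActionName": action, "SourceIPAddress": ip,
            "Response": json.dumps({"statusCode": status}),
            "RequestParams": json.dumps({"cluster_id": cluster}),
            "Identity": json.dumps({"email": email})}

TARGET = "0210-024915-bore731"  # cluster_id taken from the query above
# Constructed sample data, not real log output.
SAMPLE_ROWS = [
    make_row("2020-01-26T10:15:00Z", "permanentDelete", 200, TARGET, "alice@example.com", "203.0.113.10"),
    make_row("2020-01-26T09:00:00Z", "permanentDelete", 403, TARGET, "bob@example.com", "203.0.113.11"),  # failed request
    make_row("2020-01-25T12:00:00Z", "edit", 200, TARGET, "carol@example.com", "203.0.113.12"),  # other action
    make_row("2020-01-27T18:30:00Z", "permanentDelete", 200, "constructed-cluster-2", "dave@example.com", "203.0.113.13"),
    make_row("2020-02-01T08:00:00Z", "permanentDelete", 200, TARGET, "erin@example.com", "203.0.113.14"),  # outside window
]

def load_json(text):
    """Parse a JSON column; return {} for missing or malformed values."""
    try:
        value = json.loads(text)
    except (TypeError, ValueError):
        return {}
    return value if isinstance(value, dict) else {}

def find_cluster_deleters(rows, start, end, cluster_id=None):
    """Return successful permanentDelete events between start and end (UTC, inclusive)."""
    hits = []
    for row in rows:
        if row.get("ActionName") != "permanentDelete":
            continue
        # Parse the status code instead of substring matching on the raw text.
        if load_json(row.get("Response")).get("statusCode") != 200:
            continue
        when = datetime.fromisoformat(row["TimeGenerated"].replace("Z", "+00:00"))
        if not start <= when <= end:
            continue
        params = load_json(row.get("RequestParams"))
        if cluster_id and params.get("cluster_id") != cluster_id:
            continue
        hits.append({"UserEmail": load_json(row.get("Identity")).get("email"),
                     "clusterId": params.get("cluster_id"),
                     "SourceIPAddress": row.get("SourceIPAddress"),
                     "EventTime": when.astimezone(timezone.utc).isoformat()})
    return hits
```

Call `find_cluster_deleters` with timezone-aware UTC `datetime` values for the window; omit `cluster_id` to list every successful permanent delete in that window.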


If you are still unable to find who deleted the cluster, create a support case with Microsoft Support. Provide details such as the workspace ID and the time range of the event (including your time zone). Microsoft Support will review the corresponding backend activity logs.