
Understanding the Azure Resource Graph query language

The query language for the Azure Resource Graph supports a number of operators and functions. Each works and operates based on Kusto Query Language (KQL). To learn about the query language used by Resource Graph, start with the tutorial for KQL.

This article covers the language components supported by Resource Graph:

Resource Graph tables

Resource Graph provides several tables for the data it stores about Resource Manager resource types and their properties. These tables can be used with join or union operators to get properties from related resource types. Here is the list of tables available in Resource Graph:

| Resource Graph tables | Description |
| --- | --- |
| Resources | The default table if none defined in the query. Most Resource Manager resource types and properties are here. |
| ResourceContainers | Includes subscription (Microsoft.Resources/subscriptions) and resource group (Microsoft.Resources/subscriptions/resourcegroups) resource types and data. |
| AlertsManagementResources | Includes resources related to Microsoft.AlertsManagement. |
| SecurityResources | Includes resources related to Microsoft.Security. |

Note

Resources is the default table. While querying the Resources table, it isn't required to provide the table name unless join or union are used. However, the recommended practice is to always include the initial table in the query.

Use Resource Graph Explorer in the portal to discover what resource types are available in each table. As an alternative, use a query such as <tableName> | distinct type to get a list of resource types the given Resource Graph table supports that exist in your environment.

The following query shows a simple join. The query result blends the columns together and any duplicate column names from the joined table, ResourceContainers in this example, are appended with 1. Because the ResourceContainers table has types for both subscriptions and resource groups, either type might be used to join to the resource from the Resources table.

Resources
| join ResourceContainers on subscriptionId
| limit 1

The following query shows a more complex use of join. The query limits the joined table to subscription resources and uses project to include only the original field subscriptionId and the name field renamed to SubName. The field rename avoids join adding it as name1 since the field already exists in Resources. The original table is filtered with where and the following project includes columns from both tables. The query result is a single key vault displaying type, the name of the key vault, and the name of the subscription it's in.

Resources
| join (ResourceContainers | where type=='microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId
| where type == 'microsoft.keyvault/vaults'
| project type, name, SubName
| limit 1

Note

When limiting the join results with project, the property used by join to relate the two tables, subscriptionId in the above example, must be included in project.

Supported KQL language elements

Resource Graph supports all KQL data types, scalar functions, scalar operators, and aggregation functions. Specific tabular operators are supported by Resource Graph, some of which have different behaviors.

Supported tabular/top level operators

Here is the list of KQL tabular operators supported by Resource Graph with specific samples:

| KQL | Resource Graph sample query | Notes |
| --- | --- | --- |
| count | Count key vaults | |
| distinct | Show distinct values for a specific alias | |
| extend | Count virtual machines by OS type | |
| join | Key vault with subscription name | Join flavors supported: innerunique, inner, leftouter. Limit of 3 join in a single query. Custom join strategies, such as broadcast join, aren't allowed. May be used within a single table or between the Resources and ResourceContainers tables. |
| limit | List all public IP addresses | Synonym of take |
| mv-expand | List Cosmos DB with specific write locations | RowLimit max of 400 |
| order | List resources sorted by name | Synonym of sort |
| project | List resources sorted by name | |
| project-away | Remove columns from results | |
| sort | List resources sorted by name | Synonym of order |
| summarize | Count Azure resources | Simplified first page only |
| take | List all public IP addresses | Synonym of limit |
| top | Show first five virtual machines by name and their OS type | |
| union | Combine results from two queries into a single result | Single table allowed: T \| union [kind= inner\|outer] [withsource=ColumnName] Table. Limit of 3 union legs in a single query. Fuzzy resolution of union leg tables isn't allowed. May be used within a single table or between the Resources and ResourceContainers tables. |
| where | Show resources that contain storage | |

Escape characters

Some property names, such as those that include a . or $, must be wrapped or escaped in the query or the property name is interpreted incorrectly and doesn't provide the expected results.

  • . - Wrap the property name as such: ['propertyname.withaperiod']

    Example query that wraps the property odata.type:

    where type=~'Microsoft.Insights/alertRules' | project name, properties.condition.['odata.type']
    
  • $ - Escape the character in the property name. The escape character used depends on the shell Resource Graph is run from.

    • bash - \

      Example query that escapes the property $type in bash:

      where type=~'Microsoft.Insights/alertRules' | project name, properties.condition.\$type
      
    • cmd - Don't escape the $ character.

    • PowerShell - `

      Example query that escapes the property $type in PowerShell:

      where type=~'Microsoft.Insights/alertRules' | project name, properties.condition.`$type
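
The bash case above, shown as an added example that is not part of the original documentation: it builds the query string exactly as the shell would hand it to a command-line client, with and without the escape, and makes no Azure call. The function names and the `query_intact` pre-flight check are hypothetical helpers, and the example assumes no shell variable named `type` is set.

```shell
# Added example (constructed): inspects only the string the shell produces.
unset -v type   # assumption: no shell variable named "type" is set

# Unescaped: the shell expands $type (empty here) inside double quotes,
# so the property path is silently truncated before any client sees it.
query_unescaped() {
  printf '%s' "where type=~'Microsoft.Insights/alertRules' | project name, properties.condition.$type"
}

# Escaped with a backslash, as prescribed for bash.
query_escaped() {
  printf '%s' "where type=~'Microsoft.Insights/alertRules' | project name, properties.condition.\$type"
}

# Alternative: a quoted here-document delimiter disables expansion,
# so the query can be pasted verbatim, single quotes included.
query_heredoc() {
  cat <<'KQL'
where type=~'Microsoft.Insights/alertRules' | project name, properties.condition.$type
KQL
}

# Hypothetical pre-flight heuristic: reject a query in which a property path
# ends in a dangling "." (end of string, before a space, or before a pipe),
# the signature of an unintended variable expansion.
query_intact() {
  case "$1" in
    *.|*". "*|*".|"*) return 1 ;;
    *) return 0 ;;
  esac
}

# Report what each construction yields.
for f in query_unescaped query_escaped query_heredoc; do
  q=$($f)
  if query_intact "$q"; then status=intact; else status=TRUNCATED; fi
  printf '%-16s %-9s %s\n' "$f" "$status" "$q"
done
```

The unescaped form produces a query that is still syntactically plausible, which is why the truncation is easy to miss when the results simply look wrong.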
      

Next steps