Tutorial: Get started with Log Analytics queries

This tutorial shows you how to use Log Analytics to write, execute, and manage Azure Monitor log queries in the Azure portal. You can use Log Analytics queries to search for terms, identify trends, analyze patterns, and provide many other insights from your data.

In this tutorial, you learn how to use Log Analytics to:

  • Understand the log data schema
  • Write and run simple queries, and modify the time range for queries
  • Filter, sort, and group query results
  • View, modify, and share visuals of query results
  • Save, load, export, and copy queries and results

For more information about log queries, see Overview of log queries in Azure Monitor.
For a detailed tutorial on writing log queries, see Get started with log queries in Azure Monitor.

Open Log Analytics

To use Log Analytics, you need to be signed in to an Azure account. If you don't have an Azure account, create one for free.

To complete most of the steps in this tutorial, you can use this demo environment, which includes plenty of sample data. With the demo environment, you won't be able to save queries or pin results to a dashboard.

You can also use your own environment, if you're using Azure Monitor to collect log data on at least one Azure resource. To open a Log Analytics workspace, in your Azure Monitor left navigation, select Logs.

Understand the schema

A schema is a collection of tables grouped under logical categories. The Demo schema has several categories from monitoring solutions. For example, the LogManagement category contains Windows and Syslog events, performance data, and agent heartbeats.

The schema tables appear on the Tables tab of the Log Analytics workspace. The tables contain columns, each with a data type shown by the icon next to the column name. For example, the Event table contains text columns like Computer and numerical columns like EventCategory.

Screenshot of the Azure portal Logs page with a new query, highlighting the Tables pane with the Computer and EventCategory columns.

Write and run basic queries

Log Analytics opens with a new blank query in the Query editor.

Screenshot of the Log Analytics query editor.

Write a query

Azure Monitor log queries use a version of the Kusto query language. Queries can begin with either a table name or a search command.

The following query retrieves all records from the Event table:

Event

The pipe (|) character separates commands, so the output of the first command is the input of the next command. You can add any number of commands to a single query. The following query retrieves the records from the Event table, and then searches them for the term error in any property:

Event 
| search "error"

A single line break makes queries easier to read. More than one line break splits the query into separate queries.

Another way to write the same query is:

search in (Event) "error"

In the second example, the search command searches only records in the Event table for the term error.

By default, Log Analytics limits queries to a time range of the past 24 hours. To set a different time range, you can add an explicit TimeGenerated filter to the query, or use the Time range control.
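The following query, added here as an example and not part of the original tutorial, puts the pieces above together: an explicit TimeGenerated filter that replaces the default 24-hour window, a where clause and a search term chained with pipes, and a summarize step that turns a flood of raw events into a short per-computer list a responder can act on. It assumes only the Event table and the columns the tutorial shows (TimeGenerated, EventLevelName, Computer, Source); the search term "disk" is an arbitrary constructed value.

```kusto
// Added example (not from the original tutorial). Columns used are the ones
// the tutorial shows on the Event table; "disk" is a constructed search term.
Event
| where TimeGenerated > ago(7d)          // explicit time range (UTC); the time picker then shows "Set in query"
| where EventLevelName == "Error"        // keep only error-level events
| search "disk"                          // free-text match across every property of the remaining records
| summarize ErrorCount = count(),
            LastSeen = max(TimeGenerated)
    by Computer, Source                  // one row per computer and event source
| sort by ErrorCount desc                // noisiest machines first
| take 20                                // the portal caps results at 10,000 rows anyway; keep the list short
```

Placing the where and search steps before summarize keeps the expensive free-text scan limited to error-level rows in the chosen window, and the explicit time filter makes the query reproducible regardless of the portal's time picker setting.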

Use the Time range control

To use the Time range control, select it in the top bar, and then select a value from the dropdown list, or select Custom to create a custom time range.

Screenshot of the time picker.

  • Time range values are in UTC, which could be different from your local time zone.
  • If the query explicitly sets a filter for TimeGenerated, the time picker control shows Set in query, and is disabled to prevent a conflict.

Run a query

To run a query, place your cursor somewhere inside the query, and select Run in the top bar or press Shift+Enter. The query runs until it finds a blank line.

Filter results

Log Analytics limits results to a maximum of 10,000 records. A general query like Event returns too many results to be useful. You can filter query results either by restricting the table elements in the query, or by explicitly adding a filter to the results. Filtering through the table elements returns a new result set, while an explicit filter applies to the existing result set.

Filter by restricting table elements

To filter Event query results to Error events by restricting table elements in the query:

  1. In the query results, select the dropdown arrow next to any record that has Error in the EventLevelName column.

  2. In the expanded details, hover over and select the ... next to EventLevelName, and then select Include "Error".

    Screenshot of adding a filter to the query.

  3. Notice that the query in the Query editor has now changed to:

    Event
    | where EventLevelName == "Error"
    
  4. Select Run to run the new query.

Filter by explicitly filtering results

To filter the Event query results to Error events by filtering the query results:

  1. In the query results, select the Filter icon next to the column heading EventLevelName.

  2. In the first field of the pop-up window, select Is equal to, and in the next field, enter error.

  3. Select Filter.

    Screenshot of a results table with a context menu for filtering results by EventLevelName.

Sort, group, and select columns

To sort query results by a specific column, such as TimeGenerated [UTC], select the column heading. Select the heading again to toggle between ascending and descending order.

Screenshot of sorting by a column.

Another way to organize results is by groups. To group results by a specific column, drag the column header to the bar above the results table labeled Drag a column header and drop it here to group by that column. To create subgroups, drag other columns to the upper bar. You can rearrange the hierarchy and sorting of the groups and subgroups in the bar.

Screenshot of query results subgrouped by EventLevelName and Computer.

To hide or show columns in the results, select Columns above the table, and then select or deselect the columns you want from the dropdown list.

Select columns

View and modify charts

You can also see query results in visual formats. Enter the following query as an example:

Event 
| where EventLevelName == "Error" 
| where TimeGenerated > ago(1d) 
| summarize count() by Source 

By default, results appear in a table. Select Chart above the table to see the results in a graphic view.

Screenshot of a bar chart.

The results appear in a stacked bar chart. Select other options like Stacked Column or Pie to show other views of the results.

Screenshot of a pie chart.

You can change properties of the view, such as x and y axes, or grouping and splitting preferences, manually from the control bar.

You can also set the preferred view in the query itself, using the render operator.
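As an added example (not from the original tutorial), the query below extends the chart query above from a per-source total to a per-hour trend and fixes the visualization with the render operator, so the chart view opens as a time chart without any manual changes in the control bar. A sudden rise in one Source series is what a defender would look for here. It assumes the same Event table and columns the tutorial uses.

```kusto
// Added example (not from the original tutorial): bucket error events into
// hourly bins per Source and let the query choose the chart type.
Event
| where TimeGenerated > ago(1d)
| where EventLevelName == "Error"
| summarize ErrorCount = count() by bin(TimeGenerated, 1h), Source   // one point per hour per source
| render timechart                                                   // x axis: TimeGenerated, one line per Source
```

Swapping the last line for `| render piechart` on a query that summarizes by Source alone gives the pie view shown above; `render` only chooses the default visualization and does not change the result set, so the table view still shows the same rows.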

Pin results to a dashboard

To pin a results table or chart from Log Analytics to a shared Azure dashboard, select Pin to dashboard on the top bar.

Screenshot of the Pin to dashboard button.

In the Pin to another dashboard pane, select or create a shared dashboard to pin to, and select Apply. The table or chart appears on the selected Azure dashboard.

Screenshot of a chart pinned to a dashboard.

A table or chart that you pin to a shared dashboard has the following simplifications:

  • Data is limited to the past 14 days.
  • A table shows only up to four columns and the top seven rows.
  • Charts with many discrete categories automatically group less populated categories into a single others bin.

Save, load, or export queries

Once you create a query, you can save or share the query or results with others.

Save queries

To save a query:

  1. Select Save on the top bar.

  2. In the Save dialog, give the query a Name, using the characters a-z, A-Z, 0-9, space, hyphen, underscore, period, parentheses, or pipe.

  3. Select whether to save the query as a Query or a Function. Functions are queries that other queries can reference.

    To save a query as a function, provide a Function Alias, which is a short name for other queries to use to call this query.

  4. If you are in a Log Analytics workspace, provide a Category for Query explorer to use for the query. (Categories aren't available for Application Insights queries.)

  5. Select Save.

    Screenshot of saving a function.
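To show what a saved function gives you, here is an added example (not from the original tutorial) that expresses the same reusable logic inline with a let statement, so it runs without saving anything. The function name ErrorsBySource and its lookback parameter are constructed for this example; if you saved the inner query as a function with the alias ErrorsBySource, the last three lines would work unchanged without the let block.

```kusto
// Added example (not from the original tutorial). ErrorsBySource is a
// constructed name; a saved function with that alias would replace the let block.
let ErrorsBySource = (lookback: timespan) {
    Event
    | where TimeGenerated > ago(lookback)
    | where EventLevelName == "Error"
    | summarize ErrorCount = count() by Source
};
// Callers pass only the window; the filtering logic lives in one place.
ErrorsBySource(1d)
| where ErrorCount > 10          // constructed threshold: surface only sources with many errors
| sort by ErrorCount desc
```

Keeping the filter and aggregation inside a function means every dashboard tile or alert rule that calls it applies the same definition of "error by source"; changing the definition in the saved function updates all callers at once.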

Load queries

To load a saved query, select Query explorer at upper right. The Query explorer pane opens, listing all queries by category. Expand the categories or enter a query name in the search bar, then select a query to load it into the Query editor. You can mark a query as a Favorite by selecting the star next to the query name.

Screenshot of Query explorer.

Export and share queries

To export a query, select Export on the top bar, and then select Export to CSV - all columns, Export to CSV - displayed columns, or Export to Power BI (M query) from the dropdown list.

The following video shows you how to integrate Log Analytics with Excel.

To share a link to a query, select Copy link on the top bar, and then select Copy link to query, Copy query text, or Copy query results to copy to the clipboard. You can send the query link to others who have access to the same workspace.

Next steps

Advance to the next tutorial to learn more about writing Azure Monitor log queries.