Get started with Log Analytics in Azure Monitor


You can work through this exercise in your own Log Analytics environment, or you can use our Demo environment, which includes plenty of sample data.

In this tutorial you will learn how to use Log Analytics in the Azure portal to write Azure Monitor log queries. It will teach you how to:

  • Use Log Analytics to write a simple query
  • Understand the schema of your data
  • Filter, sort, and group results
  • Apply a time range
  • Create charts
  • Save and load queries
  • Export and share queries

For a tutorial on writing log queries, see Get started with log queries in Azure Monitor.
For more details on log queries, see Overview of log queries in Azure Monitor.

Meet Log Analytics

Log Analytics is a web tool used to write and execute Azure Monitor log queries. Open it by selecting Logs in the Azure Monitor menu. It starts with a new blank query.


Firewall requirements

To use Log Analytics, your browser requires access to the following addresses. If your browser is accessing the Azure portal through a firewall, you must enable access to these addresses.

Uri                       IP        Ports
portal.loganalytics.io    Dynamic   80,443
api.loganalytics.io       Dynamic   80,443
docs.loganalytics.io      Dynamic   80,443

Basic queries

Queries can be used to search terms, identify trends, analyze patterns, and provide many other insights based on your data. Start with a basic query:

Event | search "error"

This query searches the Event table for records that contain the term error in any property.

Queries can start with either a table name or a search command. The above example starts with the table name Event, which retrieves all records from the Event table. The pipe (|) character separates commands, so the output of the first one serves as the input of the following command. You can add any number of commands to a single query.

Another way to write that same query would be:

search in (Event) "error"

In this example, search is scoped to the Event table, and all records in that table are searched for the term error.
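The following block is an added example, not a query from the original page or from Microsoft's documentation, showing three ways the search operator can be scoped and how further commands chain through the pipe. The table and column names (Event, Computer, EventLevelName, Source, TimeGenerated) are the ones this tutorial uses; the $table column is the one the search operator adds to each result to record which table it came from. Each query is separated by a blank line, so in Log Analytics you place the cursor inside one and run it on its own.

```kusto
// Added example (not from the page): three ways to scope a free-text search.

// 1. Search every table in the workspace, then keep only hits from Event.
//    $table is the column search adds to say which table a row came from.
search "error"
| where $table == "Event"
| take 10

// 2. Same result, scoped up front so only the Event table is scanned.
search in (Event) "error"
| take 10

// 3. Restrict the term to one column, then chain more commands through the pipe:
//    a time filter, a column selection and a row limit.
Event
| search Source: "error"
| where TimeGenerated > ago(1h)
| project TimeGenerated, Computer, EventLevelName, Source
| take 10
```

Scoping the search to a table (or to a column) is the form to prefer once you know where the data lives: an unscoped search scans every table in the workspace, which is slower and returns rows from tables you did not intend to look at.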

Running a query

Run a query by clicking the Run button or pressing Shift+Enter. Consider the following details which determine the code that will be run and the data that's returned:

  • Line breaks: A single break makes your query easier to read. Multiple line breaks split it into separate queries.
  • Cursor: Place your cursor somewhere inside the query to execute it. The current query is considered to be the code up until a blank line is found.
  • Time range: A time range of last 24 hours is set by default. To use a different range, use the time picker or add an explicit time range filter to your query.

Understand the schema

The schema is a collection of tables visually grouped under a logical category. Several of the categories are from monitoring solutions. The LogManagement category contains common data such as Windows and Syslog events, performance data, and agent heartbeats.


In each table, data is organized in columns with different data types as indicated by icons next to the column name. For example, the Event table shown in the screenshot contains columns such as Computer, which is text, EventCategory, which is a number, and TimeGenerated, which is date/time.

Filter the results

Start by getting everything in the Event table.


Log Analytics automatically scopes results by:

  • Time range: By default, queries are limited to the last 24 hours.
  • Number of results: Results are limited to a maximum of 10,000 records.

This query is very general, and it returns too many results to be useful. You can filter the results either through the table elements, or by explicitly adding a filter to the query. Filtering results through the table elements applies to the existing result set, while a filter in the query itself returns a new filtered result set and could therefore produce more accurate results.

Add a filter to the query

There is an arrow to the left of each record. Click this arrow to open the details for a specific record.

Hover above a column name for the "+" and "-" icons to display. To add a filter that will return only records with the same value, click the "+" sign. Click "-" to exclude records with this value, and then click Run to run the query again.


Filter through the table elements

Now let's focus on events with a severity of Error. This is specified in a column named EventLevelName. You'll need to scroll to the right to see this column.

Click the Filter icon next to the column title, and in the pop-up window select values that start with the text error:


Sort and group results

The results are now narrowed down to include only error events from SQL Server, created in the last 24 hours. However, the results are not sorted in any way. To sort the results by a specific column, such as timestamp for example, click the column title. One click sorts in ascending order, while a second click sorts in descending order.


Another way to organize results is by groups. To group results by a specific column, simply drag the column header above the other columns. To create subgroups, drag other columns to the upper bar as well.


Select columns to display

The results table often includes a lot of columns. You might find that some of the returned columns are not displayed by default, or you may want to remove some of the columns that are displayed. To select the columns to show, click the Columns button:
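The filtering, sorting, grouping and column selection described in the preceding sections are all actions on the displayed result set. The following block is an added example, not a query from the original page or from Microsoft's documentation, that expresses each of those actions as a query operator instead, so the narrowing happens server-side and travels with the query when it is saved or shared. Column names are the ones the tutorial uses; the computer name "sql-server-01" is a constructed sample value.

```kusto
// Added example (not from the page): the UI actions as query operators.

Event
// Filter: the "+" icon on a record property adds an exact-match filter like this one.
| where Computer == "sql-server-01"        // constructed sample value
// Filter: the column Filter pop-up's "Starts with" on EventLevelName.
// startswith is case-insensitive; use startswith_cs when case must match.
| where EventLevelName startswith "Error"
// Sort: clicking a column title once is ascending, twice is descending.
| sort by TimeGenerated desc
// Select columns: the Columns button, as a project list.
| project TimeGenerated, Computer, Source, EventCategory, EventLevelName
// The portal caps results at 10,000 rows; an explicit limit keeps the query predictable.
| take 100

// Group: dragging a column header to the grouping bar, with a subgroup on Source.
// count() is the size of each group; min/max give the group's time span.
Event
| where EventLevelName startswith "Error"
| summarize ErrorCount = count(),
            FirstSeen  = min(TimeGenerated),
            LastSeen   = max(TimeGenerated)
          by Computer, Source
| sort by ErrorCount desc
```

The two queries are separated by a blank line, so place the cursor inside the one you want and run it. The summarize form is the one to keep for triage dashboards: it returns one row per computer and source rather than one row per event, so it stays well under the 10,000-record limit even on noisy hosts.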

Select a time range

By default, Log Analytics applies the last 24 hours time range. To use a different range, select another value through the time picker and click Run. In addition to the preset values, you can use the Custom time range option to select an absolute range for your query.


When selecting a custom time range, the selected values are in UTC, which could be different from your local time zone.

If the query explicitly contains a filter for TimeGenerated, the time picker title will show Set in query. Manual selection will be disabled to prevent a conflict.
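The following block is an added example, not a query from the original page or from Microsoft's documentation, showing the explicit TimeGenerated filters that correspond to the time picker's relative and custom (absolute) ranges. Any of these makes the picker read "Set in query". The datetime literals are constructed sample values; like the Custom time range picker, KQL datetime literals are interpreted as UTC.

```kusto
// Added example (not from the page): explicit time-range filters on TimeGenerated.

// Relative window, equivalent to the default "Last 24 hours" picker value.
Event
| where TimeGenerated > ago(24h)
| summarize count() by EventLevelName

// Absolute window, equivalent to Custom time range. Literals are UTC,
// so convert from local time before writing them. Dates are constructed.
Event
| where TimeGenerated between (datetime(2023-01-10 08:00:00) .. datetime(2023-01-10 09:00:00))
| summarize count() by EventLevelName

// Relative window aligned to UTC day boundaries: all of yesterday, bucketed hourly.
Event
| where TimeGenerated between (startofday(ago(1d)) .. startofday(now()))
| summarize count() by bin(TimeGenerated, 1h), EventLevelName
```

Putting the time filter in the query rather than the picker matters once a query is shared or pinned: a colleague opening the link gets the same window you investigated, and an incident timeline stays reproducible after the picker default would have moved on.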


In addition to returning results in a table, query results can be presented in visual formats. Use the following query as an example:

Event   // source table assumed: the Event table used throughout this tutorial (the table name is missing from the page)
| where EventLevelName == "Error"
| where TimeGenerated > ago(1d)
| summarize count() by Source

By default, results are displayed in a table. Click Chart to see the results in a graphic view:


The results are shown in a stacked bar chart. Click Stacked Column and select Pie to show another view of the results:


Different properties of the view, such as x and y axes, or grouping and splitting preferences, can be changed manually from the control bar.

You can also set the preferred view in the query itself, using the render operator.
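The following block is an added example, not a query from the original page or from Microsoft's documentation, showing the render operator selecting the chart type and axes from within the query, so the view does not have to be chosen again from the control bar each time the query is run. The Event table and its Source, Computer and EventLevelName columns are the tutorial's; the chart title is a constructed string.

```kusto
// Added example (not from the page): choosing the visualization with render.

// Pie chart of error events per Source: the view the Chart and Pie buttons give.
Event
| where EventLevelName == "Error"
| where TimeGenerated > ago(1d)
| summarize count() by Source
| render piechart

// Time chart, one series per Source, bucketed hourly over a week.
// A sudden spike or step on a chart like this is what Smart Diagnostics highlights.
Event
| where EventLevelName == "Error"
| where TimeGenerated > ago(7d)
| summarize ErrorCount = count() by bin(TimeGenerated, 1h), Source
| render timechart

// Bar chart with the axes and title set explicitly instead of in the control bar.
Event
| where EventLevelName == "Error"
| where TimeGenerated > ago(1d)
| summarize ErrorCount = count() by Computer
| sort by ErrorCount desc
| render barchart with (xcolumn = Computer, ycolumns = ErrorCount, title = "Error events per computer")
```

render must be the last operator in the query. The timechart form needs a datetime column on the x axis, which is why the events are first bucketed with bin(TimeGenerated, 1h); the remaining string column (Source) becomes the series.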

Smart diagnostics

On a timechart, if there is a sudden spike or step in your data, you may see a highlighted point on the line. This indicates that Smart Diagnostics has identified a combination of properties that filter out the sudden change. Click the point to get more detail on the filter, and to see the filtered version. This may help you identify what caused the change:


Pin to dashboard

To pin a diagram or table to one of your shared Azure dashboards, click the pin icon.


Certain simplifications are applied to a chart when you pin it to a dashboard:

  • Table columns and rows: In order to pin a table to the dashboard, it must have four or fewer columns. Only the top seven rows are displayed.
  • Time restriction: Queries are automatically limited to the past 14 days.
  • Bin count restriction: If you display a chart that has a lot of discrete bins, less populated bins are automatically grouped into a single "others" bin.

Save queries

Once you've created a useful query, you might want to save it or share it with others. The Save icon is on the top bar.

You can save either the entire query page, or a single query as a function. Functions are queries that can also be referenced by other queries. In order to save a query as a function, you must provide a function alias, which is the name used to call this query when it is referenced by other queries.


Log Analytics queries are always saved to a selected workspace, and shared with other users of that workspace.
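The following block is an added example, not a query from the original page or from Microsoft's documentation, showing what a query saved as a function looks like from the caller's side. A saved function is referenced by its alias; the let statement here defines a function of the same shape inside a single query, so the pattern can be tried before anything is saved. The alias ErrorEvents and its lookback parameter are hypothetical names chosen for this example; the table and columns are the tutorial's.

```kusto
// Added example (not from the page): a reusable query in function form.
// ErrorEvents is a hypothetical alias; a saved function would be called the same way.

let ErrorEvents = (lookback: timespan) {
    Event
    | where TimeGenerated > ago(lookback)
    | where EventLevelName == "Error"
    | project TimeGenerated, Computer, Source, EventCategory
};
// A second query builds on the function instead of repeating its filters,
// which keeps the definition of "an error event" in one place for the workspace.
ErrorEvents(1d)
| summarize ErrorCount = count() by Computer
| sort by ErrorCount desc
```

Because saved queries and functions are shared with every user of the workspace, a function alias is the right place to standardize a definition the whole team relies on (what counts as an error event, which hosts are in scope); callers then inherit a fix to that definition without editing their own queries.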

Load queries

The Query Explorer icon is at the top-right area. This lists all saved queries by category. It also enables you to mark specific queries as Favorites to quickly find them in the future. Double-click a saved query to add it to the current window.


Log Analytics supports several exporting methods:

  • Excel: Save the results as a CSV file.
  • Power BI: Export the results to Power BI. See Import Azure Monitor log data into Power BI for details.
  • Share a link: The query itself can be shared as a link, which can then be sent to and executed by other users that have access to the same workspace.

Next steps