Log query scope and time range in Azure Monitor Log Analytics

When you run a log query in Log Analytics in the Azure portal, the set of data evaluated by the query depends on the scope and the time range that you select. This article describes the scope and time range and how you can set each depending on your requirements. It also describes the behavior of different types of scopes.

Query scope

The query scope defines the records that are evaluated by the query. This usually includes all records in a single Log Analytics workspace or Application Insights application. Log Analytics also allows you to set a scope for a particular monitored Azure resource. This allows a resource owner to focus only on their data, even if that resource writes to multiple workspaces.

The scope is always displayed at the top left of the Log Analytics window. An icon indicates whether the scope is a Log Analytics workspace or an Application Insights application. No icon indicates another Azure resource.

Scope

The scope is determined by the method you use to start Log Analytics, and in some cases you can change the scope by clicking on it. The following table lists the different types of scope used and different details for each.

| Query scope | Records in scope | How to select | Changing scope |
|---|---|---|---|
| Log Analytics workspace | All records in the Log Analytics workspace. | Select Logs from the Azure Monitor menu or the Log Analytics workspaces menu. | Can change scope to any other resource type. |
| Application Insights application | All records in the Application Insights application. | Select Analytics from the Overview page of Application Insights. | Can only change scope to another Application Insights application. |
| Resource group | Records created by all resources in the resource group. May include data from multiple Log Analytics workspaces. | Select Logs from the resource group menu. | Cannot change scope. |
| Subscription | Records created by all resources in the subscription. May include data from multiple Log Analytics workspaces. | Select Logs from the subscription menu. | Cannot change scope. |
| Other Azure resources | Records created by the resource. May include data from multiple Log Analytics workspaces. | Select Logs from the resource menu, OR select Logs from the Azure Monitor menu and then select a new scope. | Can only change scope to the same resource type. |

Limitations when scoped to a resource

When the query scope is a Log Analytics workspace or an Application Insights application, all options in the portal and all query commands are available. When scoped to a resource, though, the following options in the portal are not available because they're associated with a single workspace or application:

  • Save
  • Query explorer
  • New alert rule

You can't use the following commands in a query when scoped to a resource, since the query scope will already include any workspaces with data for that resource or set of resources:

Query limits

You may have business requirements for an Azure resource to write data to multiple Log Analytics workspaces. The workspace doesn't need to be in the same region as the resource, and a single workspace might gather data from resources in a variety of regions.

Setting the scope to a resource or set of resources is a particularly powerful feature of Log Analytics since it allows you to automatically consolidate distributed data in a single query. It can significantly affect performance, though, if data needs to be retrieved from workspaces across multiple Azure regions.

Log Analytics helps protect against excessive overhead from queries that span workspaces in multiple regions by issuing a warning or error when a certain number of regions are being used. Your query will receive a warning if the scope includes workspaces in 5 or more regions. It will still run, but it may take excessive time to complete.

Query warning

Your query will be blocked from running if the scope includes workspaces in 20 or more regions. In this case you will be prompted to reduce the number of workspace regions and attempt to run the query again. The dropdown will display all of the regions in the scope of the query, and you should reduce the number of regions before attempting to run the query again.

Query failure

Time range

The time range specifies the set of records that are evaluated for the query based on when the record was created. This is defined by a standard property on every record in the workspace or application as specified in the following table.

| Location | Property |
|---|---|
| Log Analytics workspace | TimeGenerated |
| Application Insights application | timestamp |

Set the time range by selecting it from the time picker at the top of the Log Analytics window. You can select a predefined period or select Custom to specify a specific time range.

Time picker

If you set a filter in the query that uses the standard time property as shown in the table above, the time picker changes to Set in query, and the time picker is disabled. In this case, it's most efficient to put the filter at the top of the query so that any subsequent processing only needs to work with the filtered records.

Filtered query

If you use the workspace or app command to retrieve data from another workspace or application, the time picker may behave differently. If the scope is a Log Analytics workspace and you use app, or if the scope is an Application Insights application and you use workspace, then Log Analytics may not understand that the property used in the filter should determine the time filter.

In the following example, the scope is set to a Log Analytics workspace. The query uses workspace to retrieve data from another Log Analytics workspace. The time picker changes to Set in query because it sees a filter that uses the expected TimeGenerated property.

Query with workspace

If the query uses app to retrieve data from an Application Insights application, though, Log Analytics doesn't recognize the timestamp property in the filter, and the time picker remains unchanged. In this case, both filters are applied. In the example, only records created in the last 24 hours are included in the query even though it specifies 7 days in the where clause.

Query with app
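The two cases described above, written out as an added example that is not taken from the original article. The workspace name contoso-secondary-ws and the application name contoso-web-app are hypothetical, and the scope is assumed to be a Log Analytics workspace with the time picker left at Last 24 hours.

```kusto
// Scope: a Log Analytics workspace. All resource names are hypothetical.
// Run each query separately.

// 1) workspace(): the filter uses TimeGenerated, the standard time property
//    for a workspace scope. The time picker changes to "Set in query",
//    so only the 7-day filter below applies.
//    The time filter comes first so later operators see fewer records.
union Heartbeat, workspace("contoso-secondary-ws").Heartbeat
| where TimeGenerated > ago(7d)
| summarize Heartbeats = count() by Computer, bin(TimeGenerated, 1d)

// 2) app(): the filter uses timestamp, which is not recognized as the time
//    property under a workspace scope. The time picker is left unchanged,
//    so BOTH the picker window and the where clause apply.
//    The summarize reports the span of records actually returned, which
//    exposes the effective window: with the picker at "Last 24 hours",
//    Earliest is no older than 24 hours despite ago(7d).
app("contoso-web-app").requests
| where timestamp > ago(7d)
| summarize Records = count(),
            Earliest = min(timestamp),
            Latest = max(timestamp)
```

Checking Earliest against the intended lookback is a quick way to confirm that an investigation query spanning workspaces and applications is not silently restricted to the time picker's window.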

Next steps