事件數據表的查詢
記憶體使用量百分比
針對您的叢集檢視平均節點記憶體使用量百分比。
//Select your log analytics workspace and replace enter cluster ID with your cluster arm ID
//Unit for MemoryUsage is in percentage(%),TotalMemory, and UsedMemory are in bytes
//Please use Nodename to set alert for each node
Event
| where EventLog =~ "Microsoft-Windows-SDDC-Management/Operational" and EventID == "3000"
| extend ClusterData = parse_xml(EventData)
| extend ClusterName = tostring(ClusterData.DataItem.UserData.EventData["ClusterName"])
| extend ClusterArmId = tostring(ClusterData.DataItem.UserData.EventData["ArmId"])
| where ClusterArmId =~ 'enter cluster ID'
| summarize arg_max(TimeGenerated, RenderedDescription)
| extend servers_information = parse_json(RenderedDescription).m_servers
| mv-expand servers_information
| extend Nodename = tostring(servers_information.m_name)
| extend TotalMemory = todecimal(servers_information.m_totalPhysicalMemoryInBytes)
| extend UsedMemory = iff(TotalMemory == 0.0, todecimal(0.0), todecimal(servers_information.m_usedPhysicalMemoryInBytes))
| extend MemoryUsage = iff(TotalMemory == 0.0, todecimal(0.0), todecimal(round(UsedMemory / TotalMemory * 100, 0)))
平均節點 CPU 使用量百分比
針對您的叢集檢視平均節點CPU使用量百分比。
//Select your log analytics workspace and replace enter cluster ID with your cluster arm ID
//Unit for UsedCpuPercentage is in percentage(%)
//Please use Nodename to set alert for each node
Event
| where EventLog =~ "Microsoft-Windows-SDDC-Management/Operational" and EventID == "3000"
| extend ClusterData = parse_xml(EventData)
| extend ClusterName = tostring(ClusterData.DataItem.UserData.EventData["ClusterName"])
| extend ClusterArmId = tostring(ClusterData.DataItem.UserData.EventData["ArmId"])
| where ClusterArmId =~ 'enter cluster ID'
| summarize arg_max(TimeGenerated, RenderedDescription)
| extend servers_information = parse_json(RenderedDescription).m_servers
| mv-expand servers_information
| extend Nodename = tostring(servers_information.m_name)
| extend UsedCpuPercentage = toint(servers_information.m_totalProcessorsUsedPercentage)
虛擬機失敗
針對您的叢集,檢視叢集中失敗的虛擬機。
//Select your log analytics workspace and replace enter cluster ID with your cluster arm ID
Event
| where EventLog =~ "Microsoft-Windows-SDDC-Management/Operational" and EventID == "3003"
| extend ClusterName = tostring(parse_xml(EventData).DataItem.UserData.EventData["ClusterName"])
| extend ClusterArmId = tostring(parse_xml(EventData).DataItem.UserData.EventData["ArmId"])
| where ClusterArmId =~ 'enter cluster ID'
| summarize arg_max(TimeGenerated, RenderedDescription)
| extend description = parse_json(RenderedDescription)
| extend VmsFailed = toint(description.m_totalVmsFailed)
叢集中的虛擬機總數。
針對您的叢集,檢視叢集中的總計、執行中、已停止和失敗的虛擬機
//Select your log analytics workspace and replace enter cluster ID with your cluster arm ID
Event
| where EventLog =~ "Microsoft-Windows-SDDC-Management/Operational" and EventID == "3003"
| extend ClusterName = tostring(parse_xml(EventData).DataItem.UserData.EventData["ClusterName"])
| extend ClusterArmId = tostring(parse_xml(EventData).DataItem.UserData.EventData["ArmId"])
| where ClusterArmId =~ 'enter cluster ID'
| summarize arg_max(TimeGenerated, RenderedDescription)
| extend description = parse_json(RenderedDescription)
| extend VmsStopped = toint(description.m_totalVmsStopped)
叢集中可用的磁碟區容量。
檢視叢集中磁碟區之位元組) 的可用容量 (
//Select your log analytics workspace and replace enter cluster ID with your cluster arm ID
Event
| where EventLog =~ "Microsoft-Windows-SDDC-Management/Operational" and EventID == "3002"
| extend ClusterData = parse_xml(EventData)
| extend ClusterName = tostring(ClusterData.DataItem.UserData.EventData["ClusterName"])
| extend ClusterArmId = tostring(ClusterData.DataItem.UserData.EventData["ArmId"])
| where ClusterArmId =~ 'enter cluster ID'
| summarize arg_max(TimeGenerated, RenderedDescription)
| extend volumes_information = parse_json(RenderedDescription).VolumeList
| mv-expand volumes_information
| extend Volumes = tostring(volumes_information.m_Label)
| extend TotalCap = todecimal(volumes_information.m_Size)
| extend AvailableCap = TotalCap - todecimal(volumes_information.m_SizeUsed)
磁碟區延遲
此查詢會顯示磁碟區的延遲。
//Select your log analytics workspace and replace enter cluster ID with your cluster arm ID
Event
| where EventLog =~ "Microsoft-Windows-SDDC-Management/Operational" and EventID == "3002"
| extend ClusterData = parse_xml(EventData)
| extend ClusterName = tostring(ClusterData.DataItem.UserData.EventData["ClusterName"])
| extend ClusterArmId = tostring(ClusterData.DataItem.UserData.EventData["ArmId"])
| where ClusterArmId =~ 'enter cluster ID'
| summarize arg_max(TimeGenerated, RenderedDescription)
| extend volumes_information = parse_json(RenderedDescription).VolumeList
| mv-expand volumes_information
| extend VolumeName = tostring(volumes_information.m_Label)
| extend Latency = todouble(volumes_information.m_AverageLatency)
| extend Latency = iff(Latency < 0, 0.0, Latency)
磁碟區 IOPS
此查詢會顯示叢集中磁碟區的每秒輸入輸出作業數。
//Select your log analytics workspace and replace enter cluster ID with your cluster arm ID to view IOPS of volumes in a cluster
//Unit for IOPS will be IOPS/s
Event
| where EventLog =~ "Microsoft-Windows-SDDC-Management/Operational" and EventID == "3002"
| extend ClusterData = parse_xml(EventData)
| extend ClusterName = tostring(ClusterData.DataItem.UserData.EventData["ClusterName"])
| extend ClusterArmId = tostring(ClusterData.DataItem.UserData.EventData["ArmId"])
| where ClusterArmId =~ 'enter cluster ID'
| summarize arg_max(TimeGenerated, RenderedDescription)
| extend volumes_information = parse_json(RenderedDescription).VolumeList
| mv-expand volumes_information
| extend VolumesName = tostring(volumes_information.m_Label)
| extend Iops = todouble(volumes_information.m_TotalIops)
| extend Iops = iff(Iops < 0, 0.0, Iops)
磁碟區輸送量
此查詢會顯示叢集中磁碟區的輸送量。
//Select your log analytics workspace and replace enter cluster ID with your cluster arm ID
//Unit for throughput is B/s
Event
| where EventLog =~ "Microsoft-Windows-SDDC-Management/Operational" and EventID == "3002"
| extend ClusterData = parse_xml(EventData)
| extend ClusterName = tostring(ClusterData.DataItem.UserData.EventData["ClusterName"])
| extend ClusterArmId = tostring(ClusterData.DataItem.UserData.EventData["ArmId"])
| where ClusterArmId =~ 'enter cluster ID'
| summarize arg_max(TimeGenerated, RenderedDescription)
| extend volumes_information = parse_json(RenderedDescription).VolumeList
| mv-expand volumes_information
| extend VolumeName = tostring(volumes_information.m_Label)
| extend Throughput = todouble(volumes_information.m_TotalThroughput)
| extend Throughput = iff(Throughput < 0, 0.0, Throughput)
叢集節點關閉
如果節點在叢集中關閉,請取得警示。
//Select your log analytics workspace and replace clusterarmId1 with your cluster arm ID
//Please split dimensions by clusterarmID and dimension name as faulting resource ID to set up alerts for each node within a cluster. Please check include all future values to get alerts for future dimension names.
Event
| where EventLog =~ "Microsoft-Windows-Health/Operational"
| extend description = parse_json(RenderedDescription)
| extend CorrelationId = tostring(description.CorrelationId)
| join kind=leftsemi (Event
| where EventLog =~ "Microsoft-Windows-Health/Operational"
| extend description = parse_json(RenderedDescription)
| extend ClusterArmId = tostring(description.ArmId)
//| where ClusterArmId in~ ('clusterarmId1', 'clusterarmId2', 'clusterarmId3')
| where tostring(description.IsLastMessage) =~ 'true'
| extend CorrelationId = tostring(description.CorrelationId)
| summarize arg_max(TimeGenerated, *) by ClusterArmId
| project CorrelationId)
on CorrelationId
| extend ClusterArmId = tostring(description.ArmId)
| where tostring(description.Fault.RootObjectType) == 'Microsoft.Health.EntityType.Cluster'
| extend Fault = description.Fault
| extend ShortDescription = split(tostring(Fault.Type), '.')[-1]
| extend Faulttype= Fault.Type
| where Faulttype == "Microsoft.Health.FaultType.Server.Down"
| extend Severity = toint(Fault.Severity)
| extend FaultingResourceType = split(tostring(Fault.ObjectType), '.')[-1]
| extend FaultingResourceId = tostring(Fault.ObjectId)
| extend ReportedTime = datetime_add('Microsecond', tolong(Fault.Timestamp) / 10, make_datetime(1601, 1, 1))
| extend Detail = pack(
"Severity", iff(Severity == 0, "Healthy", iff(Severity == 1, "Warning", iff(Severity == 2, "Critical", "Unknown"))),
"Faulting Resource ID", FaultingResourceId,
"Faulting Resource Type", FaultingResourceType,
"Faulttype", Faulttype,
"Reported Time", ReportedTime,
"Short Description", ShortDescription,
"Description", tostring(Fault.Description),
"clusterARMId", tostring(ClusterArmId),
"Remediation", tostring(Fault.Remediation))
| sort by ReportedTime asc
| limit 100
記憶體使用量百分比
針對您的叢集檢視平均節點記憶體使用量百分比。
//Select your log analytics workspace and replace clusterarmId1 with your cluster arm ID
//Unit for MemoryUsage is in percentage(%),TotalMemory, and UsedMemory are in bytes
Event
| where EventLog =~ "Microsoft-Windows-SDDC-Management/Operational" and EventID == "3000"
| extend ClusterData = parse_xml(EventData)
| extend ClusterName = tostring(ClusterData.DataItem.UserData.EventData["ClusterName"])
| extend ClusterArmId = tostring(ClusterData.DataItem.UserData.EventData["ArmId"])
//| where ClusterArmId in~ ('clusterarmId1', 'clusterarmId2', 'clusterarmId3')
| summarize arg_max(TimeGenerated, *) by ClusterArmId
| extend servers_information = parse_json(RenderedDescription).m_servers
| mv-expand servers_information
| extend Nodename = tostring(servers_information.m_name)
| extend TotalMemory = todecimal(servers_information.m_totalPhysicalMemoryInBytes)
| extend UsedMemory = iff(TotalMemory == 0.0, todecimal(0.0), todecimal(servers_information.m_usedPhysicalMemoryInBytes))
| extend MemoryUsage = iff(TotalMemory == 0.0, todecimal(0.0), todecimal(round(UsedMemory / TotalMemory * 100, 0)))
| extend MemoryUsageint = toint(MemoryUsage)
| where Nodename != ""
| limit 100
擷取延遲 (端對端) 時間圖 - 事件數據表
圖表過去 1 天內擷取至事件數據表的延遲。
Event
| where TimeGenerated > ago(1d)
| project TimeGenerated, IngestionDurationSeconds = (ingestion_time()-TimeGenerated)/1s
| render timechart title = "Ingestion latency: Event table"
顯示所選事件的趨勢
圖表上一天報告事件的次數。
// To create an alert for this query, click '+ New alert rule'
Event
| where EventID == 44 // this ID indicates Windows Update started downloading an update
| summarize count() by bin(TimeGenerated, 1h), Computer, _ResourceId // bin is used to set the time grain to 1 hour
| render barchart
計算機遺失安全性共同重大更新時發生錯誤事件
遺失重要或安全性必要更新之機器的錯誤事件。
// To create an alert for this query, click '+ New alert rule'
Event
| where EventLevelName == "error"
| join kind=inner (Update |where (Classification == "Security Updates" or Classification == "Critical Updates") and UpdateState == "Needed" and Optional == "false" | distinct Computer) on Computer
| sort by TimeGenerated desc
過去一小時內的所有事件
過去一小時內的所有事件。
Event
| where TimeGenerated > ago(1h)
| sort by TimeGenerated desc
事件已啟動
事件標識碼所啟動的事件。
Event
| where RenderedDescription contains "started"
| summarize count() by EventID
依事件來源的事件
依事件來源的事件。
Event
| summarize count() by Source
依事件標識碼的事件
依事件標識碼的前10個事件。
Event
| summarize count() by EventID
| top 10 by count_
警告事件
依時間排序的警告事件。
Event
| where EventLevelName == "warning"
| sort by TimeGenerated desc
警告事件的計數
依事件標識碼的警告事件計數。
Event
| where EventLevelName == "warning"
| summarize count() by EventID
OM 2000 到 3000 之間的事件
作業管理員事件,標識碼介於 2000 到 3000 的範圍內。
Event
| where EventLog == "Operations Manager" and (EventID >= 2000 and EventID <= 3000)
| sort by TimeGenerated desc
Windows Fireawall 原則設定
Windows Fireawall 原則設定已變更。
Event
| where EventLog == "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" and EventID == 2008
| sort by TimeGenerated desc
計算機變更的 Windows Fireawall 原則設定
計算機已變更 Windows Fireawall 原則設定。
Event
| where EventLog == "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" and EventID == 2008
| summarize count() by Computer
| limit 10000
意見反應
即將登場:在 2024 年,我們將逐步淘汰 GitHub 問題作為內容的意見反應機制,並將它取代為新的意見反應系統。 如需詳細資訊,請參閱:https://aka.ms/ContentUserFeedback。
提交並檢視相關的意見反應