Compartir a través de

Consultas para la tabla ATCExpressRouteCircuitIpfix

Para obtener información sobre cómo utilizar estas consultas en el portal de Azure, consulte el tutorial de Log Analytics. Para obtener la API REST, consulte Consulta.

Obtener a los principales ponentes

Enumera los 10 principales oradores durante un período de tiempo definido.

let startTime = ago(2h);
let endTime = ago(1h);
let num_toptalkers = 10; // Amount of top talker 5Tuples. Change this value to display a different number of items
let tuple = "5";  
let ipfixData = ATCExpressRouteCircuitIpfix
| where FlowRecordTime >= startTime and FlowRecordTime <= endTime
| extend 3tuple = strcat("SrcIP:", SourceIp, " DestIP:", DestinationIp, " Protocol:", Protocol),
    5tuple = strcat("SrcIP:", SourceIp, " SourcePort:", SourcePort, " DestIP:", DestinationIp, " DestPort:", DestinationPort, " Protocol:", Protocol),
    TotalBytes = (NumberOfBytes + (14 * NumberOfPackets)) * 4096 // Calculation to determine amount of circuit bandwidth used. This adds the number of payload bytes to the number of header bytes, then multiplies by 4096, the sampling rate used by ERTC
| summarize hint.strategy=shuffle arg_max(FlowRecordTime, *) by 5tuple, TotalBytes, 3tuple, Flowsequence
| extend tuple = iff(tuple == "3", 3tuple, 5tuple);
let topTalkersBy3Tuple = ipfixData
| summarize sum(TotalBytes) by tuple
| order by sum_TotalBytes desc
| take num_toptalkers; // 10 top talkers
topTalkersBy3Tuple
| join kind=inner (
    ipfixData  
    | summarize sum(TotalBytes) by bin(FlowRecordTime, 5m), tuple
) on $left.tuple == $right.tuple
| extend TotalBytes = sum_TotalBytes1
| project-away sum_TotalBytes, sum_TotalBytes1, tuple1
| render columnchart with(kind=unstacked)

Obtener los principales Talkers por puerto de origen y destino

Enumera los 10 principales Talkers en función del puerto de origen y destino durante un período de tiempo definido.

let startTime = ago(2h);
let endTime = ago(1h);
let num_toptalkers = 10;
let portType = "Source"; // Change to "Dest" for destination port based query
let data = ATCExpressRouteCircuitIpfix
| where FlowRecordTime >= startTime and FlowRecordTime <= endTime
| extend 5tuple = strcat("SrcIP:", SourceIp, " SourcePort:", SourcePort, " DestIP:", DestinationIp, " DestPort:", DestinationPort, " Protocol:", Protocol),
    TotalBytes = (NumberOfBytes + (14 * NumberOfPackets)) * 4096 // Calculation to determine amount of circuit bandwidth used. This adds the number of payload bytes to the number of header bytes, then multiplies by 4096, the sampling rate used by ERTC 
| summarize hint.strategy=shuffle arg_max(FlowRecordTime, *) by 5tuple, TotalBytes, SourcePort, DestinationPort, Flowsequence
| extend port = iff(portType == "Source", SourcePort, DestinationPort);
let topTalkers = data
| summarize sum(TotalBytes) by port // Find top talkers port
| order by sum_TotalBytes desc
| take num_toptalkers; // 10 top talkers
topTalkers
| join kind=inner (
    data
    | summarize sum(TotalBytes) by bin(FlowRecordTime, 5m), port
) on $left.port == $right.port
| extend TotalBytes = sum_TotalBytes1, Port = strcat("Port:", port1)
| project-away sum_TotalBytes, sum_TotalBytes1, port, port1 
| render columnchart with(kind=unstacked)

Obtener el uso total del ancho de banda

Obtenga un informe del ancho de banda total utilizado durante un intervalo de tiempo especificado.

let startTime = ago(2h); 
let endTime = ago(1h);
ATCExpressRouteCircuitIpfix 
| where FlowRecordTime >= startTime and FlowRecordTime <= endTime 
| extend 5tuple = strcat("SrcIP:", SourceIp, " SourcePort:", SourcePort, " DestIP:", DestinationIp, " DestPort:", DestinationPort, " Protocol:", Protocol), 
    TotalBytes = (NumberOfBytes + (14 * NumberOfPackets)) * 4096  
| summarize hint.strategy=shuffle arg_max(FlowRecordTime, *) by 5tuple, TotalBytes, Flowsequence 
| summarize sum(TotalBytes) by bin(FlowRecordTime, 1m) 
| extend TotalGB = toint(sum_TotalBytes / 1024 / 1024 / 1024) // Converting bytes to gigabytes 
| project-away sum_TotalBytes 
| render columnchart