Sampel templat Azure Resource Manager untuk kueri log di Azure Monitor

Artikel ini menyertakan contoh templat Azure Resource Manager untuk membuat dan mengonfigurasi kueri log di Azure Monitor. Setiap sampel menyertakan file templat dan file parameter dengan sampel nilai yang akan disediakan untuk templat.

Catatan

Lihat contoh Azure Resource Manager untuk Azure Monitor berupa daftar contoh yang tersedia dan panduan tentang mengimplementasikannya di langganan Azure milik Anda.

Referensi templat

• Microsoft.OperationalInsights workspaces/savedSearches

Kueri log sederhana

Sampel berikut menambahkan kueri log ke ruang kerja Analitik Log.

File templat

Bisep

@description('The name of the workspace.')
param workspaceName string

@description('The location of the resources.')
param location string = resourceGroup().location

resource workspace 'Microsoft.OperationalInsights/workspaces@2021-12-01-preview' = {
  name: workspaceName
  location: location
}

resource savedSearch 'Microsoft.OperationalInsights/workspaces/savedSearches@2020-08-01' = {
  parent: workspace
  name: 'VMSS query'
  properties: {
    etag: '*'
    displayName: 'VMSS Instance Count'
    category: 'VMSS'
    query: 'Event | where Source == "ServiceFabricNodeBootstrapAgent" | summarize AggregatedValue = count() by Computer'
    version: 1
  }
}

JSON

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "type": "string",
      "metadata": {
        "description": "The name of the workspace."
      }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": {
        "description": "The location of the resources."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.OperationalInsights/workspaces",
      "apiVersion": "2021-12-01-preview",
      "name": "[parameters('workspaceName')]",
      "location": "[parameters('location')]"
    },
    {
      "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
      "apiVersion": "2020-08-01",
      "name": "[format('{0}/{1}', parameters('workspaceName'), 'VMSS query')]",
      "properties": {
        "etag": "*",
        "displayName": "VMSS Instance Count",
        "category": "VMSS",
        "query": "Event | where Source == \"ServiceFabricNodeBootstrapAgent\" | summarize AggregatedValue = count() by Computer",
        "version": 1
      },
      "dependsOn": [
        "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName'))]"
      ]
    }
  ]
}

File parameter

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "value": "MyWorkspace"
    },
    "location": {
      "value": "eastus"
    }
  }
}

Kueri log sebagai fungsi

Sampel berikut menambahkan kueri log sebagai fungsi ke ruang kerja Log Analytics.

File templat

Bisep

@description('The name of the workspace.')
param workspaceName string

@description('The location of the resources.')
param location string = resourceGroup().location

resource workspace 'Microsoft.OperationalInsights/workspaces@2021-12-01-preview' = {
  name: workspaceName
  location: location
}

resource savedSearch 'Microsoft.OperationalInsights/workspaces/savedSearches@2020-08-01' = {
  parent: workspace
  name: 'VMSS query'
  properties: {
    etag: '*'
    displayName: 'VMSS Instance Count'
    category: 'VMSS'
    query: 'Event | where Source == "ServiceFabricNodeBootstrapAgent" | summarize AggregatedValue = count() by Computer'
    version: 1
  }
}

JSON

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
      "workspaceName": {
          "type": "string"
      },
      "location": {
        "type": "string"
      }
  },
  "resources": [
    {
      "type": "Microsoft.OperationalInsights/workspaces",
      "apiVersion": "2017-03-15-preview",
      "name": "[parameters('workspaceName')]",
      "location": "[parameters('location')]",
      "resources": [
        {
          "type": "savedSearches",
          "apiVersion": "2020-08-01",
          "name": "Cross workspace query",
            "dependsOn": [
              "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
            ],
            "properties": {
              "etag": "*",
              "displayName": "Failed Logon Events",
              "category": "Security",
              "FunctionAlias": "failedlogonsecurityevents",
              "query": "
                union withsource=SourceWorkspace
                workspace('workspace1').SecurityEvent,
                workspace('workspace2').SecurityEvent,
                workspace('workspace3').SecurityEvent,
                | where EventID == 4625",
              "version": 1
          }
        }
      ]
    }
  ]
}

File parameter

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "value": "MyWorkspace"
    },
    "location": {
      "value": "eastus"
    }
  }
}

Fungsi berparameter

Sampel berikut menambahkan kueri log sebagai fungsi yang menggunakan parameter ke ruang kerja Analitik Log. Kueri log kedua yang menggunakan fungsi parameter disertakan.

Catatan

Template sumber daya saat ini adalah satu-satunya metode yang dapat digunakan untuk mendefinisikan fungsi yang diparameterisasi. Setiap kueri log dapat menggunakan fungsi setelah diinstal di ruang kerja.

File templat

Bisep

param workspaceName string
param location string

resource workspace 'Microsoft.OperationalInsights/workspaces@2021-12-01-preview' = {
  name: workspaceName
  location: location
}

resource parameterizedFunctionSavedSearch 'Microsoft.OperationalInsights/workspaces/savedSearches@2020-08-01' = {
  parent: workspace
  name: 'Parameterized function'
  properties: {
    etag: '*'
    displayName: 'Unavailable computers function'
    category: 'Samples'
    functionAlias: 'UnavailableComputers'
    functionParameters: 'argSpan: timespan'
    query: ' Heartbeat | summarize LastHeartbeat=max(TimeGenerated) by Computer| where LastHeartbeat < ago(argSpan)'
  }
}

resource queryUsingFunctionSavedSearch 'Microsoft.OperationalInsights/workspaces/savedSearches@2020-08-01' = {
  parent: workspace
  name: 'Query using function'
  properties: {
    etag: '*'
    displayName: 'Unavailable computers'
    category: 'Samples'
    query: 'UnavailableComputers(7days)'
  }
}

JSON

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "type": "string"
    },
    "location": {
      "type": "string"
    }
  },
  "resources": [
    {
      "type": "Microsoft.OperationalInsights/workspaces",
      "apiVersion": "2021-12-01-preview",
      "name": "[parameters('workspaceName')]",
      "location": "[parameters('location')]"
    },
    {
      "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
      "apiVersion": "2020-08-01",
      "name": "[format('{0}/{1}', parameters('workspaceName'), 'Parameterized function')]",
      "properties": {
        "etag": "*",
        "displayName": "Unavailable computers function",
        "category": "Samples",
        "functionAlias": "UnavailableComputers",
        "functionParameters": "argSpan: timespan",
        "query": " Heartbeat | summarize LastHeartbeat=max(TimeGenerated) by Computer| where LastHeartbeat < ago(argSpan)"
      },
      "dependsOn": [
        "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName'))]"
      ]
    },
    {
      "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
      "apiVersion": "2020-08-01",
      "name": "[format('{0}/{1}', parameters('workspaceName'), 'Query using function')]",
      "properties": {
        "etag": "*",
        "displayName": "Unavailable computers",
        "category": "Samples",
        "query": "UnavailableComputers(7days)"
      },
      "dependsOn": [
        "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName'))]"
      ]
    }
  ]
}

File parameter

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "value": "MyWorkspace"
    },
    "location": {
      "value": "eastus"
    }
  }
}

Langkah berikutnya

• Dapatkan sampel template lainnya untuk Azure Monitor.
• Pelajari selengkapnya tentang kueri log.
• Pelajari selengkapnya tentang fungsi.