Sampel templat Azure Resource Manager untuk kueri log di Azure Monitor

Artikel ini menyertakan contoh templat Azure Resource Manager untuk membuat dan mengonfigurasi kueri log di Azure Monitor. Setiap sampel menyertakan file templat dan file parameter dengan nilai sampel yang akan disediakan ke templat.

Catatan

Lihat Sampel Azure Resource Manager untuk Azure Monitor untuk daftar sampel yang tersedia dan panduan tentang menyebarkannya di langganan Azure Anda.

Referensi templat

• Microsoft.OperationalInsights workspaces/savedSearches

Kueri log sederhana

Sampel berikut menambahkan kueri log ke ruang kerja Analitik Log.

File templat

Bicep

@description('The name of the workspace.')
param workspaceName string

@description('The location of the resources.')
param location string = resourceGroup().location

resource workspace 'Microsoft.OperationalInsights/workspaces@2021-12-01-preview' = {
  name: workspaceName
  location: location
}

resource savedSearch 'Microsoft.OperationalInsights/workspaces/savedSearches@2020-08-01' = {
  parent: workspace
  name: 'VMSS query'
  properties: {
    etag: '*'
    displayName: 'VMSS Instance Count'
    category: 'VMSS'
    query: 'Event | where Source == "ServiceFabricNodeBootstrapAgent" | summarize AggregatedValue = count() by Computer'
    version: 1
  }
}

JSON

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "type": "string",
      "metadata": {
        "description": "The name of the workspace."
      }
    },
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]",
      "metadata": {
        "description": "The location of the resources."
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.OperationalInsights/workspaces",
      "apiVersion": "2021-12-01-preview",
      "name": "[parameters('workspaceName')]",
      "location": "[parameters('location')]"
    },
    {
      "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
      "apiVersion": "2020-08-01",
      "name": "[format('{0}/{1}', parameters('workspaceName'), 'VMSS query')]",
      "properties": {
        "etag": "*",
        "displayName": "VMSS Instance Count",
        "category": "VMSS",
        "query": "Event | where Source == \"ServiceFabricNodeBootstrapAgent\" | summarize AggregatedValue = count() by Computer",
        "version": 1
      },
      "dependsOn": [
        "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName'))]"
      ]
    }
  ]
}

File parameter

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "value": "MyWorkspace"
    },
    "location": {
      "value": "eastus"
    }
  }
}

Kueri log sebagai fungsi

Sampel berikut menambahkan kueri log ke ruang kerja Analitik Log.

File templat

Bicep

@description('The name of the workspace.')
param workspaceName string

@description('The location of the resources.')
param location string = resourceGroup().location

resource workspace 'Microsoft.OperationalInsights/workspaces@2021-12-01-preview' = {
  name: workspaceName
  location: location
}

resource savedSearch 'Microsoft.OperationalInsights/workspaces/savedSearches@2020-08-01' = {
  parent: workspace
  name: 'VMSS query'
  properties: {
    etag: '*'
    displayName: 'VMSS Instance Count'
    category: 'VMSS'
    query: 'Event | where Source == "ServiceFabricNodeBootstrapAgent" | summarize AggregatedValue = count() by Computer'
    version: 1
  }
}

JSON

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
      "workspaceName": {
          "type": "string"
      },
      "location": {
        "type": "string"
      }
  },
  "resources": [
    {
      "type": "Microsoft.OperationalInsights/workspaces",
      "apiVersion": "2017-03-15-preview",
      "name": "[parameters('workspaceName')]",
      "location": "[parameters('location')]",
      "resources": [
        {
          "type": "savedSearches",
          "apiVersion": "2020-08-01",
          "name": "Cross workspace query",
            "dependsOn": [
              "[concat('Microsoft.OperationalInsights/workspaces/', parameters('workspaceName'))]"
            ],
            "properties": {
              "etag": "*",
              "displayName": "Failed Logon Events",
              "category": "Security",
              "FunctionAlias": "failedlogonsecurityevents",
              "query": "
                union withsource=SourceWorkspace
                workspace('workspace1').SecurityEvent,
                workspace('workspace2').SecurityEvent,
                workspace('workspace3').SecurityEvent,
                | where EventID == 4625",
              "version": 1
          }
        }
      ]
    }
  ]
}

File parameter

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "value": "MyWorkspace"
    },
    "location": {
      "value": "eastus"
    }
  }
}

Fungsi dengan parameter

Sampel berikut menambahkan kueri log sebagai fungsi yang menggunakan parameter ke ruang kerja Analitik Log. Kueri log kedua yang menggunakan fungsi parameter disertakan.

Catatan

Template sumber daya saat ini adalah satu-satunya metode yang dapat digunakan untuk fungsi parameter. Setiap kueri log dapat menggunakan fungsi setelah diinstal di ruang kerja.

File templat

Bicep

param workspaceName string
param location string

resource workspace 'Microsoft.OperationalInsights/workspaces@2021-12-01-preview' = {
  name: workspaceName
  location: location
}

resource parameterizedFunctionSavedSearch 'Microsoft.OperationalInsights/workspaces/savedSearches@2020-08-01' = {
  parent: workspace
  name: 'Parameterized function'
  properties: {
    etag: '*'
    displayName: 'Unavailable computers function'
    category: 'Samples'
    functionAlias: 'UnavailableComputers'
    functionParameters: 'argSpan: timespan'
    query: ' Heartbeat | summarize LastHeartbeat=max(TimeGenerated) by Computer| where LastHeartbeat < ago(argSpan)'
  }
}

resource queryUsingFunctionSavedSearch 'Microsoft.OperationalInsights/workspaces/savedSearches@2020-08-01' = {
  parent: workspace
  name: 'Query using function'
  properties: {
    etag: '*'
    displayName: 'Unavailable computers'
    category: 'Samples'
    query: 'UnavailableComputers(7days)'
  }
}

JSON

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "type": "string"
    },
    "location": {
      "type": "string"
    }
  },
  "resources": [
    {
      "type": "Microsoft.OperationalInsights/workspaces",
      "apiVersion": "2021-12-01-preview",
      "name": "[parameters('workspaceName')]",
      "location": "[parameters('location')]"
    },
    {
      "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
      "apiVersion": "2020-08-01",
      "name": "[format('{0}/{1}', parameters('workspaceName'), 'Parameterized function')]",
      "properties": {
        "etag": "*",
        "displayName": "Unavailable computers function",
        "category": "Samples",
        "functionAlias": "UnavailableComputers",
        "functionParameters": "argSpan: timespan",
        "query": " Heartbeat | summarize LastHeartbeat=max(TimeGenerated) by Computer| where LastHeartbeat < ago(argSpan)"
      },
      "dependsOn": [
        "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName'))]"
      ]
    },
    {
      "type": "Microsoft.OperationalInsights/workspaces/savedSearches",
      "apiVersion": "2020-08-01",
      "name": "[format('{0}/{1}', parameters('workspaceName'), 'Query using function')]",
      "properties": {
        "etag": "*",
        "displayName": "Unavailable computers",
        "category": "Samples",
        "query": "UnavailableComputers(7days)"
      },
      "dependsOn": [
        "[resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspaceName'))]"
      ]
    }
  ]
}

File parameter

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspaceName": {
      "value": "MyWorkspace"
    },
    "location": {
      "value": "eastus"
    }
  }
}

Langkah berikutnya

• Dapatkan sampel template lainnya untuk Azure Monitor.
• Pelajari selengkapnya tentang kueri log.
• Pelajari selengkapnya tentang fungsi.