AzureDiagnostics 數據表的查詢

發行項
02/23/2024

microsoft.automation 的查詢

自動化作業中的錯誤

尋找過去一天在自動化作業中報告錯誤的記錄。

AzureDiagnostics 
| where ResourceProvider == "MICROSOFT.AUTOMATION"  
| where StreamType_s == "Error" 
| project TimeGenerated, Category, JobId_g, OperationName, RunbookName_s, ResultDescription

尋找過去一天自動化作業中報告錯誤的記錄

列出自動化作業中的所有錯誤。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics 
| where ResourceProvider == "MICROSOFT.AUTOMATION" 
| where StreamType_s == "Error" 
| project TimeGenerated, Category, JobId_g, OperationName, RunbookName_s, ResultDescription, _ResourceId

Azure 自動化失敗、暫停或停止的作業

列出所有失敗、已暫停或停止的自動化作業。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics 
| where ResourceProvider == "MICROSOFT.AUTOMATION" and Category == "JobLogs" and (ResultType == "Failed" or ResultType == "Stopped" or ResultType == "Suspended") 
| project TimeGenerated , RunbookName_s , ResultType , _ResourceId , JobId_g

Runbook 已順利完成，發生錯誤

列出所有已完成且發生錯誤的作業。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics 
| where ResourceProvider == "MICROSOFT.AUTOMATION" and Category == "JobStreams" and StreamType_s == "Error" 
| project TimeGenerated , RunbookName_s , StreamType_s , _ResourceId , ResultDescription , JobId_g

檢視歷史工作狀態

列出所有自動化作業。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.AUTOMATION" and Category == "JobLogs" and ResultType != "started"
| summarize AggregatedValue = count() by ResultType, bin(TimeGenerated, 1h) , RunbookName_s , JobId_g, _ResourceId

已完成 Azure 自動化作業

列出所有已完成的自動化作業。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics 
| where ResourceProvider == "MICROSOFT.AUTOMATION" and Category == "JobLogs" and ResultType == "Completed" 
| project TimeGenerated , RunbookName_s , ResultType , _ResourceId , JobId_g

microsoft.batch 的查詢

每個作業的成功工作

提供每個作業的成功工作數目。

AzureDiagnostics
| where OperationName=="TaskCompleteEvent"
| where executionInfo_exitCode_d==0 // Your application may use an exit code other than 0 to denote a successful operation
| summarize successfulTasks=count(id_s) by jobId=jobId_s

每個作業失敗的工作

依父作業清單失敗的工作。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where OperationName=="TaskFailEvent"
| summarize failedTaskList=make_list(id_s) by jobId=jobId_s, ResourceId

任務工期

以秒為單位提供任務經過的時間，從工作開始到工作完成。

AzureDiagnostics
| where OperationName=="TaskCompleteEvent"
| extend taskId=id_s, ElapsedTime=datetime_diff('second', executionInfo_endTime_t, executionInfo_startTime_t) // For longer running tasks, consider changing 'second' to 'minute' or 'hour'
| summarize taskList=make_list(taskId) by ElapsedTime

集區重設大小

依集區和結果碼列出重設大小時間， (成功或失敗) 。

AzureDiagnostics
| where OperationName=="PoolResizeCompleteEvent"
| summarize operationTimes=make_list(startTime_s) by poolName=id_s, resultCode=resultCode_s

集區重設大小失敗

依錯誤碼和時間列出集區重設大小失敗。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where OperationName=="PoolResizeCompleteEvent"
| where resultCode_s=="Failure" // Filter only on failed pool resizes
| summarize by poolName=id_s, resultCode=resultCode_s, resultMessage=resultMessage_s, operationTime=startTime_s, ResourceId

microsoft.cdn 的查詢

[Microsoft CDN (傳統) ]每小時的要求數

顯示每小時要求總數的折線圖。

// Summarize number of requests per hour 
// Change bins resolution from 1hr to 5m to get real time results)
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics 
| where OperationName == "Microsoft.Cdn/Profiles/AccessLog/Write" and Category == "AzureCdnAccessLog" 
| where isReceivedFromClient_b == "true"
| summarize RequestCount = count() by bin(TimeGenerated, 1h), Resource, _ResourceId
| render timechart

[Microsoft CDN (傳統) ]依 URL 的流量

依 URL 顯示來自 CDN 邊緣的輸出。

// Change bins resolution from 1 hour to 5 minutes to get real time results)
// CDN edge response traffic by URL
AzureDiagnostics
| where OperationName == "Microsoft.Cdn/Profiles/AccessLog/Write" and Category == "AzureCdnAccessLog" 
| where isReceivedFromClient_b == true
| summarize ResponseBytes = sum(toint(responseBytes_s)) by requestUri_s

[Microsoft CDN (傳統) ] 依 URL 的 4XX 錯誤率

依 URL 顯示 4XX 錯誤率。

// Request errors rate by URL
// Count number of requests with error responses by URL. 
// Summarize number of requests by URL, and status codes are 4XX
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where OperationName == "Microsoft.Cdn/Profiles/AccessLog/Write" and Category == "AzureCdnAccessLog" and isReceivedFromClient_b == true
| extend Is4XX = (toint(httpStatusCode_s ) >= 400 and toint(httpStatusCode_s ) < 500)
| summarize 4xxrate = (1.0 * countif(Is4XX)  / count()) * 100 by requestUri_s, bin(TimeGenerated, 1h), _ResourceId

[Microsoft CDN (傳統) ]依使用者代理程式要求錯誤

依使用者代理程式計算具有錯誤回應的要求數目。

// Summarize number of requests per user agent and status codes >= 400
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where OperationName == "Microsoft.Cdn/Profiles/AccessLog/Write" and Category == "AzureCdnAccessLog" 
| where isReceivedFromClient_b == true
| where toint(httpStatusCode_s) >= 400
| summarize RequestCount = count() by UserAgent = userAgent_s, StatusCode = httpStatusCode_s , Resource, _ResourceId
| order by RequestCount desc

[Microsoft CDN (傳統) ]前 10 個 URL 要求計數

依要求計數顯示前10個URL。

// top URLs by request count
// Render line chart showing total requests per hour . 
// Summarize number of requests per hour 
AzureDiagnostics
| where OperationName == "Microsoft.Cdn/Profiles/AccessLog/Write" and Category == "AzureCdnAccessLog" 
| where isReceivedFromClient_b == true
| summarize UserRequestCount = count() by requestUri_s
| order by UserRequestCount
| limit 10

[Microsoft CDN (傳統) ]唯一IP要求計數

顯示唯一IP要求計數。

AzureDiagnostics
| where OperationName == "Microsoft.Cdn/Profiles/AccessLog/Write"and Category == "AzureCdnAccessLog"
| where isReceivedFromClient_b == true
| summarize dcount(clientIp_s) by bin(TimeGenerated, 1h)
| render timechart

[Microsoft CDN (傳統) ]前10名用戶端IP和 HTTP 版本

顯示前10個用戶端IP和 HTTP版本。

// Top 10 client IPs and http versions 
// Show top 10 client IPs and http versions. 
// Summarize top 10 client ips and http versions
AzureDiagnostics
| where OperationName == "Microsoft.Cdn/Profiles/AccessLog/Write" and Category == "AzureCdnAccessLog"
| where isReceivedFromClient_b == true
| summarize RequestCount = count() by ClientIP = clientIp_s, HttpVersion = httpVersion_s, Resource
| top 10 by RequestCount 
| order by RequestCount desc

[Azure Front Door Standard/Premium]依IP和規則封鎖的前20名用戶端

依IP和規則名稱顯示前20個封鎖的用戶端。

AzureDiagnostics
| where ResourceProvider == "MICROSOFT.CDN" and Category == "FrontDoorWebApplicationFirewallLog"
| where action_s == "Block"
| summarize RequestCount = count() by ClientIP = clientIP_s, UserAgent = userAgent_s, RuleName = ruleName_s,Resource
| top 20 by RequestCount 
| order by RequestCount desc

[Azure Front Door Standard/Premium]依路由傳送至來源的要求

計算每分鐘每個路由和來源的要求數目。摘要說明每個路由和來源每分鐘的要求數目。

AzureDiagnostics
| where ResourceProvider == "MICROSOFT.CDN" and Category == "FrontDoorAccessLog"
| summarize RequestCount = count() by bin(TimeGenerated, 1m), Resource, RouteName = routingRuleName_s, originName = originName_s, ResourceId

[Azure Front Door Standard/Premium]依使用者代理程式要求錯誤

依使用者代理程式計算具有錯誤回應的要求數目。摘要說明每個使用者代理程式的要求數目和狀態代碼 >= 400。

AzureDiagnostics
| where ResourceProvider == "MICROSOFT.CDN" and Category == "FrontDoorAccessLog"
| where toint(httpStatusCode_s) >= 400
| summarize RequestCount = count() by UserAgent = userAgent_s, StatusCode = httpStatusCode_s , Resource, ResourceId
| order by RequestCount desc

[Azure Front Door Standard/Premium]前10名用戶端IP和 HTTP版本

依要求計數顯示前10個用戶端IP和 HTTP 版本。

AzureDiagnostics
| where ResourceProvider == "MICROSOFT.CDN" and Category == "FrontDoorAccessLog"
| summarize RequestCount = count() by ClientIP = clientIp_s, HttpVersion = httpVersion_s, Resource
|top 10 by RequestCount 
| order by RequestCount desc

[Azure Front Door Standard/Premium]依主機和路徑要求錯誤

依主機和路徑計算具有錯誤回應的要求數目。依主機、路徑和狀態代碼 >= 400 摘要要求數目。

AzureDiagnostics
| where ResourceProvider == "MICROSOFT.CDN" and Category == "FrontDoorAccessLog"
| where toint(httpStatusCode_s) >= 400
| extend ParsedUrl = parseurl(requestUri_s)
| summarize RequestCount = count() by Host = tostring(ParsedUrl.Host), Path = tostring(ParsedUrl.Path), StatusCode = httpStatusCode_s, ResourceId
| order by RequestCount desc

[Azure Front Door Standard/Premium]每小時防火牆封鎖的要求計數

每小時防火牆封鎖的要求計數。依原則摘要說明每小時防火牆封鎖的要求數目。

AzureDiagnostics
| where ResourceProvider == "MICROSOFT.CDN" and Category == "FrontDoorWebApplicationFirewallLog"
| where action_s == "Block"
| summarize RequestCount = count() by bin(TimeGenerated, 1h), Policy = policy_s, PolicyMode = policyMode_s, Resource, ResourceId
| order by RequestCount desc

[Azure Front Door Standard/Premium]依主機、路徑、規則和動作的防火牆要求計數

計算主機、路徑、規則和採取動作所處理的防火牆要求。依主機、路徑、規則和動作摘要要求計數。

AzureDiagnostics
| where ResourceProvider == "MICROSOFT.CDN" and Category == "FrontDoorWebApplicationFirewallLog"
| extend ParsedUrl = parseurl(requestUri_s)
| summarize RequestCount = count() by Host = tostring(ParsedUrl.Host), Path = tostring(ParsedUrl.Path), RuleName = ruleName_s, Action = action_s, ResourceId
| order by RequestCount desc

[Azure Front Door Standard/Premium]每小時的要求數

顯示每個 FrontDoor 資源每小時要求總數的折線圖。

AzureDiagnostics
| where ResourceProvider == "MICROSOFT.CDN" and Category == "FrontDoorWebApplicationFirewallLog"
| summarize RequestCount = count() by bin(TimeGenerated, 1h), Resource, ResourceId
| render timechart

[Azure Front Door Standard/Premium]前 10 個 URL 要求計數

依要求計數顯示前10個URL。

AzureDiagnostics
| where ResourceProvider == "MICROSOFT.CDN" and Category == "FrontDoorAccessLog"
| summarize UserRequestCount = count() by requestUri_s
| order by UserRequestCount
| limit 10

[Azure Front Door Standard/Premium]前 10 個 URL 要求計數

依 URL 顯示來自 AFD 邊緣的輸出。將量化解析度從 1 小時變更為 5m，以取得實時結果。

AzureDiagnostics
| where ResourceProvider == "MICROSOFT.CDN" and Category == "FrontDoorAccessLog"
| summarize ResponseBytes = sum(toint(responseBytes_s)) by requestUri_s

[Azure Front Door Standard/Premium]唯一IP要求計數

顯示唯一的IP要求計數。

AzureDiagnostics
| where ResourceProvider == "MICROSOFT.CDN" and Category == "FrontDoorAccessLog"
| summarize dcount(clientIp_s) by bin(TimeGenerated, 1h)
| render timechart

microsoft.containerservice 的查詢

在 AzureDiagnostics 中尋找

在 AzureDiagnostics 中尋找以搜尋 AzureDiagnostics 數據表中的特定值。/n 請注意，此查詢需要更新 <SeachValue> 參數才能產生結果

// This query requires a parameter to run. Enter value in SearchValue to find in table.
let SearchValue =  "<SearchValue>";//Please update term you would like to find in the table.
AzureDiagnostics
| where ResourceProvider == "Microsoft.ContainerService"
| where * contains tostring(SearchValue)
| take 1000

microsoft.dbformariadb 的查詢

運行時間超過臨界值

識別其運行時間超過10秒的查詢。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider =="MICROSOFT.DBFORMARIADB" 
| where Category == 'MySqlSlowLogs'
| project TimeGenerated, LogicalServerName_s, event_class_s, start_time_t , query_time_d, sql_text_s, ResourceId 
| where query_time_d > 10 // You may change the time threshold

顯示最慢的查詢

找出前5名最慢的查詢。

AzureDiagnostics
| where ResourceProvider =="MICROSOFT.DBFORMARIADB" 
| where Category == 'MySqlSlowLogs'
| project TimeGenerated, LogicalServerName_s, event_class_s, start_time_t , query_time_d, sql_text_s 
| top 5 by query_time_d desc

顯示查詢的統計數據

依查詢建構摘要統計數據數據表。

AzureDiagnostics
| where ResourceProvider =="MICROSOFT.DBFORMARIADB" 
| where Category == 'MySqlSlowLogs'
| project TimeGenerated, LogicalServerName_s, event_class_s, start_time_t , query_time_d, sql_text_s 
| summarize count(), min(query_time_d), max(query_time_d), avg(query_time_d), stdev(query_time_d), percentile(query_time_d, 95) by LogicalServerName_s ,sql_text_s 
|  top 50  by percentile_query_time_d_95 desc

檢閱 GENERAL 類別中的稽核記錄事件

識別伺服器的一般類別事件。

AzureDiagnostics
| where ResourceProvider =="MICROSOFT.DBFORMARIADB" 
| where Category == 'MySqlAuditLogs' and event_class_s == "general_log"
| project TimeGenerated, LogicalServerName_s, event_class_s, event_subclass_s, event_time_t, user_s , ip_s , sql_text_s 
| order by TimeGenerated asc

檢閱 CONNECTION 類別中的稽核記錄事件

識別伺服器的連線相關事件。

AzureDiagnostics
| where ResourceProvider =="MICROSOFT.DBFORMARIADB" 
| where Category == 'MySqlAuditLogs' and event_class_s == "connection_log"
| project TimeGenerated, LogicalServerName_s, event_class_s, event_subclass_s, event_time_t, user_s , ip_s , sql_text_s 
| order by TimeGenerated asc

microsoft.dbformysql 的查詢

運行時間超過臨界值

識別其運行時間超過10秒的查詢。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.DBFORMYSQL"
| where Category == 'MySqlSlowLogs'
| project TimeGenerated, LogicalServerName_s, event_class_s, start_time_t , query_time_d, sql_text_s, ResourceId 
| where query_time_d > 10 //You may change the time threshold

顯示最慢的查詢

找出前5名最慢的查詢。

AzureDiagnostics
| where ResourceProvider == "MICROSOFT.DBFORMYSQL" 
| where Category == 'MySqlSlowLogs'
| project TimeGenerated, LogicalServerName_s, event_class_s, start_time_t , query_time_d, sql_text_s 
| top 5 by query_time_d desc

顯示查詢的統計數據

依查詢建構摘要統計數據數據表。

AzureDiagnostics
| where ResourceProvider ==  "MICROSOFT.DBFORMYSQL"
| where Category == 'MySqlSlowLogs'
| project TimeGenerated, LogicalServerName_s, event_class_s, start_time_t , query_time_d, sql_text_s 
| summarize count(), min(query_time_d), max(query_time_d), avg(query_time_d), stdev(query_time_d), percentile(query_time_d, 95) by LogicalServerName_s ,sql_text_s 
|  top 50  by percentile_query_time_d_95 desc

檢閱 GENERAL 類別中的稽核記錄事件

識別伺服器的一般類別事件。

AzureDiagnostics
| where ResourceProvider =="MICROSOFT.DBFORMYSQL"
| where Category == 'MySqlAuditLogs' and event_class_s == "general_log"
| project TimeGenerated, LogicalServerName_s, event_class_s, event_subclass_s, event_time_t, user_s , ip_s , sql_text_s 
| order by TimeGenerated asc

檢閱 CONNECTION 類別中的稽核記錄事件

識別伺服器的連線相關事件。

AzureDiagnostics
| where ResourceProvider =="MICROSOFT.DBFORMYSQL"
| where Category == 'MySqlAuditLogs' and event_class_s == "connection_log"
| project TimeGenerated, LogicalServerName_s, event_class_s, event_subclass_s, event_time_t, user_s , ip_s , sql_text_s 
| order by TimeGenerated asc

microsoft.dbforpostgresql 的查詢

自動數據清理事件

搜尋過去 24 小時內的自動數據清理事件。它需要啟用參數『log_autovacuum_min_duration』。

AzureDiagnostics
| where TimeGenerated > ago(1d) 
| where ResourceProvider =="MICROSOFT.DBFORPOSTGRESQL" 
| where Category == "PostgreSQLLogs"
| where Message contains "automatic vacuum"

伺服器重新啟動

搜尋伺服器關閉和伺服器就緒事件。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where TimeGenerated > ago(7d)
| where ResourceProvider =="MICROSOFT.DBFORPOSTGRESQL" 
| where Category == "PostgreSQLLogs"
| where Message contains "database system was shut down at" or Message contains "database system is ready to accept"

尋找錯誤

搜尋過去 6 小時內的錯誤。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where TimeGenerated > ago(6h)
| where Category == "PostgreSQLLogs"
| where  errorLevel_s contains "error"

未經授權的連線

搜尋未經授權的 (拒絕) 連線嘗試。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider =="MICROSOFT.DBFORPOSTGRESQL" 
| where Category == "PostgreSQLLogs"
| where Message contains "password authentication failed" or Message contains "no pg_hba.conf entry for host"

死結

搜尋死結事件。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider =="MICROSOFT.DBFORPOSTGRESQL" 
| where Category == "PostgreSQLLogs"
| where Message contains "deadlock detected"

鎖定爭用

搜尋鎖定爭用。它需要 log_lock_waits=ON，而且取決於deadlock_timeout設定。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider =="MICROSOFT.DBFORPOSTGRESQL" 
| where Message contains "still waiting for ShareLock on transaction"

稽核記錄

取得所有稽核記錄。它需要啟用稽核記錄 [https://docs.microsoft.com/azure/postgresql/concepts-audit]。

AzureDiagnostics
| where ResourceProvider =="MICROSOFT.DBFORPOSTGRESQL" 
| where Category == "PostgreSQLLogs"
| where Message contains "AUDIT:"

數據表 () 和事件類型的稽核記錄 (s)

搜尋特定數據表和事件類型的 DDL 稽核記錄。其他事件類型為 READ、WRITE、FUNCTION、MISC。它需要啟用稽核記錄。 [https://docs.microsoft.com/azure/postgresql/concepts-audit].

AzureDiagnostics
| where ResourceProvider =="MICROSOFT.DBFORPOSTGRESQL" 
| where Category == "PostgreSQLLogs"
| where Message contains "AUDIT:" 
| where Message contains "table name" and Message contains "DDL"

運行時間超過閾值的查詢

識別需要超過10秒的查詢。查詢存放區會將實際查詢正規化，以匯總類似的查詢。根據預設，專案會每隔 15 分鐘匯總一次。查詢會利用每 15 分鐘的平均運行時間，以及其他查詢統計數據，例如 max、min，可以適當地使用。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.DBFORPOSTGRESQL"
| where Category == "QueryStoreRuntimeStatistics"
| where user_id_s != "10" //exclude azure system user
| project TimeGenerated, LogicalServerName_s, event_type_s , mean_time_s , db_id_s , start_time_s , query_id_s, _ResourceId
| where todouble(mean_time_s) > 0 // You may change the time threshold

最慢的查詢

識別前 5 個最慢的查詢。

AzureDiagnostics
| where ResourceProvider == "MICROSOFT.DBFORPOSTGRESQL"
| where Category == "QueryStoreRuntimeStatistics"
| where user_id_s != "10" //exclude azure system user
| summarize avg(todouble(mean_time_s)) by event_class_s , db_id_s ,query_id_s
| top 5 by avg_mean_time_s desc

查詢統計資料

依查詢建構摘要統計數據數據表。

AzureDiagnostics
| where ResourceProvider == "MICROSOFT.DBFORPOSTGRESQL"
| where Category == "QueryStoreRuntimeStatistics"
| where user_id_s != "10" //exclude azure system user
| summarize sum(toint(calls_s)), min(todouble(min_time_s)),max(todouble(max_time_s)),avg(todouble(mean_time_s)),percentile(todouble(mean_time_s),95) by  db_id_s ,query_id_s
| order by percentile_mean_time_s_95 desc nulls last

執行計數趨勢

依查詢匯總 15 分鐘間隔的執行趨勢。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.DBFORPOSTGRESQL"
| where Category == "QueryStoreRuntimeStatistics"
| where user_id_s != "10" //exclude azure system user
| summarize sum(toint(calls_s)) by  tostring(query_id_s), bin(TimeGenerated, 15m), ResourceId
| render timechart

前幾名等候事件

依查詢識別前 5 個等候事件。

AzureDiagnostics
| where ResourceProvider == "MICROSOFT.DBFORPOSTGRESQL"
| where Category == "QueryStoreWaitStatistics"
| where user_id_s != "10" //exclude azure system user
| where query_id_s != 0
| summarize sum(toint(calls_s)) by event_s, query_id_s, bin(TimeGenerated, 15m)
| top 5 by sum_calls_s desc nulls last

等候事件趨勢

顯示一段時間的等候事件趨勢。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.DBFORPOSTGRESQL"
| where Category == "QueryStoreWaitStatistics"
| where user_id_s != "10" //exclude azure system user
| extend query_id_s = tostring(query_id_s)
| summarize sum(toint(calls_s)) by event_s, query_id_s, bin(TimeGenerated, 15m), ResourceId // You may change the time threshold 
| render timechart

microsoft.devices 的查詢

Connectvity 錯誤

識別裝置連線錯誤。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.DEVICES" and ResourceType == "IOTHUBS"
| where Category == "Connections" and Level == "Error"

大部分節流錯誤的裝置

識別發出最多要求的裝置，導致節流錯誤。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.DEVICES" and ResourceType == "IOTHUBS"
| where ResultType == "429001"
| extend DeviceId = tostring(parse_json(properties_s).deviceId)
| summarize count() by DeviceId, Category , _ResourceId
| order by count_ desc

無效端點

根據回報問題的次數以及原因，找出死或狀況不良的端點。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.DEVICES" and ResourceType == "IOTHUBS"
| where Category == "Routes" and OperationName in ("endpointDead", "endpointUnhealthy")
| extend parsed_json = parse_json(properties_s)
| extend Endpoint   = tostring(parsed_json.endpointName), Reason =tostring(parsed_json.details) 
| summarize count() by Endpoint, OperationName, Reason, _ResourceId
| order by count_ desc

錯誤摘要

依類型跨所有作業的錯誤計數。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.DEVICES" and ResourceType == "IOTHUBS"
| where Level == "Error"
| summarize count() by ResultType, ResultDescription, Category, _ResourceId

裝置的 SDK 版本

裝置及其 SDK 版本的清單。

// this query works on device connection or when your device uses device to cloud twin operations
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.DEVICES" and ResourceType == "IOTHUBS"
| where Category == "Connections" or  Category == "D2CTwinOperations"
| extend parsed_json = parse_json(properties_s) 
| extend SDKVersion = tostring(parsed_json.sdkVersion) , DeviceId = tostring(parsed_json.deviceId)
| distinct DeviceId, SDKVersion, TimeGenerated, _ResourceId

microsoft.documentdb 的查詢

過去24小時內已取用的 RU/秒

識別 Cosmos 資料庫和集合上已取用的 RU/秒。

// To create an alert for this query, click '+ New alert rule'
//You can compare the RU/s consumption with your provisioned RU/s to determine if you should scale up or down RU/s based on your workload.
AzureDiagnostics
| where TimeGenerated >= ago(24hr)
| where Category == "DataPlaneRequests"
//| where collectionName_s == "CollectionToAnalyze" //Replace to target the query to a collection
| summarize ConsumedRUsPerMinute = sum(todouble(requestCharge_s)) by collectionName_s, _ResourceId, bin(TimeGenerated, 1m)
| project TimeGenerated , ConsumedRUsPerMinute , collectionName_s, _ResourceId
| render timechart

過去24小時內具有節流 (429) 的集合

識別已收到 429 個 (節流) 的集合和作業，這些節流會在取用的輸送量 (RU/秒) 超過布建的輸送量時發生。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where TimeGenerated >= ago(24hr)
| where Category == "DataPlaneRequests"
| where statusCode_s == 429 
| summarize numberOfThrottles = count() by databaseName_s, collectionName_s, requestResourceType_s, _ResourceId, bin(TimeGenerated, 1hr)
| order by numberOfThrottles

過去 24 小時內已取用的要求單位 (RU) 的熱門作業

依每個作業的計數和取用 RU 來識別 Cosmos 資源上的熱門作業。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where TimeGenerated >= ago(24h)
| where Category == "DataPlaneRequests"
| summarize numberOfOperations = count(), totalConsumedRU = sum(todouble(requestCharge_s)) by databaseName_s, collectionName_s, OperationName, requestResourceType_s, requestResourceId_s, _ResourceId
| extend averageRUPerOperation = totalConsumedRU / numberOfOperations 
| order by numberOfOperations

依記憶體排序的前幾個邏輯分割區索引鍵

識別最大的邏輯分割區索引鍵值。 PartitionKeyStatistics 會依記憶體發出最上層邏輯分割索引鍵的數據。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where Category == "PartitionKeyStatistics"
//| where collectionName_s == "CollectionToAnalyze" //Replace to target the query to a collection
| summarize arg_max(TimeGenerated, *) by databaseName_s, collectionName_s, partitionKey_s, _ResourceId //Get the latest storage size
| extend utilizationOf20GBLogicalPartition = sizeKb_d / 20000000 //20GB
| project TimeGenerated, databaseName_s , collectionName_s , partitionKey_s, sizeKb_d, utilizationOf20GBLogicalPartition, _ResourceId

microsoft.eventhub 的查詢

[傳統]擷取失敗的持續時間

摘要說明擷取失敗的重複。

AzureDiagnostics
| where ResourceProvider == \"MICROSOFT.EVENTHUB\"
| where Category == \"ArchiveLogs\"
| summarize count() by \"failures\", \"durationInSeconds\", _ResourceId

[傳統]加入用戶端的要求

摘要說明客戶端的聯結要求狀態。

AzureDiagnostics // Need to turn on the Capture for this 
| where ResourceProvider == \"MICROSOFT.EVENTHUB\"
|  project \"OperationName\"

[傳統]keyvault 的存取權 - 找不到金鑰

摘要說明找不到金鑰時金鑰保存庫的存取權。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == \"MICROSOFT.EVENTHUB\"
| where Category == \"Error\" and OperationName == \"wrapkey\"
| project Message, _ResourceId

[傳統]使用keyvault執行的作業

摘要說明使用keyvault執行的作業，以停用或還原密鑰。

AzureDiagnostics
| where ResourceProvider == \"MICROSOFT.EVENTHUB\"
| where Category == \"info\" and OperationName == \"disable\" or OperationName == \"restore\"
| project Message

過去 7 天內的錯誤

這會列出過去 7 天的所有錯誤。

AzureDiagnostics
| where TimeGenerated > ago(7d)
| where ResourceProvider =="MICROSOFT.EVENTHUB"
| where Category == "OperationalLogs"
| summarize count() by "EventName", _ResourceId

擷取失敗的持續時間

摘要說明擷取失敗的重複。

AzureDiagnostics
| where ResourceProvider == "MICROSOFT.EVENTHUB"
| where Category == "ArchiveLogs"
| summarize count() by "failures", "durationInSeconds", _ResourceId

加入用戶端的要求

摘要說明客戶端的聯結要求狀態。

AzureDiagnostics // Need to turn on the Capture for this 
| where ResourceProvider == "MICROSOFT.EVENTHUB"
|  project "OperationName"

keyvault 的存取權 - 找不到金鑰

摘要說明找不到金鑰時金鑰保存庫的存取權。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.EVENTHUB" 
| where Category == "Error" and OperationName == "wrapkey"
| project Message, ResourceId

使用keyvault執行的作業

摘要說明使用keyvault執行的作業，以停用或還原密鑰。

AzureDiagnostics
| where ResourceProvider == "MICROSOFT.EVENTHUB"
| where Category == "info" and OperationName == "disable" or OperationName == "restore"
| project Message

microsoft.keyvault 的查詢

[傳統]此 KeyVault 的作用程度如何？

[傳統]顯示 KeyVault 要求數量趨勢的折線圖，依一段時間的作業數。

// KeyVault diagnostic currently stores logs in AzureDiagnostics table which stores logs for multiple services. 
// Filter on ResourceProvider for logs specific to a service.
AzureDiagnostics
| where ResourceProvider =="MICROSOFT.KEYVAULT" 
| summarize count() by bin(TimeGenerated, 1h), OperationName // Aggregate by hour
| render timechart

[傳統]誰正在呼叫此 KeyVault？

[傳統]其IP位址及其要求計數所識別的呼叫端清單。

// KeyVault diagnostic currently stores logs in AzureDiagnostics table which stores logs for multiple services. 
// Filter on ResourceProvider for logs specific to a service.
AzureDiagnostics
| where ResourceProvider =="MICROSOFT.KEYVAULT"
| summarize count() by CallerIPAddress

[傳統]是否有任何緩慢的要求？

[傳統]花費超過 1 秒的 KeyVault 要求清單。

// To create an alert for this query, click '+ New alert rule'
let threshold=1000; // let operator defines a constant that can be further used in the query
AzureDiagnostics
| where ResourceProvider =="MICROSOFT.KEYVAULT" 
| where DurationMs > threshold
| summarize count() by OperationName, _ResourceId

[傳統]此 KeyVault 提供要求的速度有多快？

[傳統]折線圖顯示一段時間內使用不同匯總的要求持續時間趨勢。

AzureDiagnostics
| where ResourceProvider =="MICROSOFT.KEYVAULT" 
| summarize avg(DurationMs) by requestUri_s, bin(TimeGenerated, 1h) // requestUri_s contains the URI of the request
| render timechart

[傳統]是否有任何失敗？

[傳統]依狀態代碼的失敗 KeyVault 要求計數。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider =="MICROSOFT.KEYVAULT" 
| where httpStatusCode_d >= 300 and not(OperationName == "Authentication" and httpStatusCode_d == 401)
| summarize count() by requestUri_s, ResultSignature, _ResourceId
// ResultSignature contains HTTP status, e.g. "OK" or "Forbidden"
// httpStatusCode_d contains HTTP status code returned by the request (e.g.  200, 300 or 401)
// requestUri_s contains the URI of the request

[傳統]上個月發生哪些變更？

[傳統]清單過去 30 天內的所有更新和修補要求。

// KeyVault diagnostic currently stores logs in AzureDiagnostics table which stores logs for multiple services. 
// Filter on ResourceProvider for logs specific to a service.
AzureDiagnostics
| where TimeGenerated > ago(30d) // Time range specified in the query. Overrides time picker in portal.
| where ResourceProvider =="MICROSOFT.KEYVAULT" 
| where OperationName == "VaultPut" or OperationName == "VaultPatch"
| sort by TimeGenerated desc

[傳統]列出所有輸入還原串行化錯誤

[傳統]顯示因作業無法還原串行化之格式錯誤所造成的錯誤。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.KEYVAULT" and parse_json(properties_s).DataErrorType in ("InputDeserializerError.InvalidData", "InputDeserializerError.TypeConversionError", "InputDeserializerError.MissingColumns", "InputDeserializerError.InvalidHeader", "InputDeserializerError.InvalidCompressionType")
| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId

[傳統]在 AzureDiagnostics 中尋找

[傳統]在 AzureDiagnostics 中尋找以搜尋 AzureDiagnostics 數據表中的特定值。/nNote 指出此查詢需要更新 <SeachValue> 參數以產生結果

// This query requires a parameter to run. Enter value in SearchValue to find in table.
let SearchValue =  "<SearchValue>";//Please update term you would like to find in the table.
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.KEYVAULT"
| where * contains tostring(SearchValue)
| take 1000

microsoft.logic 的查詢

可計費的總執行次數

依作業名稱計費的執行總數。

// Total billable executions
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.LOGIC"
| where Category == "WorkflowRuntime" 
| where OperationName has "workflowTriggerStarted" or OperationName has "workflowActionStarted" 
| summarize dcount(resource_runId_s) by OperationName, resource_workflowName_s

依工作流程的邏輯應用程式執行散發

邏輯應用程式執行的每小時時間圖，依工作流程散發。

// Hourly Time chart for Logic App execution distribution by workflows
AzureDiagnostics 
| where ResourceProvider == "MICROSOFT.LOGIC"
| where Category == "WorkflowRuntime"
| where OperationName has "workflowRunStarted"
| summarize dcount(resource_runId_s) by bin(TimeGenerated, 1h), resource_workflowName_s
| render timechart

依狀態的邏輯應用程式執行散發

工作流程、狀態和錯誤已完成執行。

//logic app execution status summary
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.LOGIC"
| where OperationName has "workflowRunCompleted"
| summarize dcount(resource_runId_s) by resource_workflowName_s, status_s, error_code_s
| project LogicAppName = resource_workflowName_s , NumberOfExecutions = dcount_resource_runId_s , RunStatus = status_s , Error = error_code_s

觸發的失敗計數

依資源名稱顯示所有邏輯應用程式執行的動作/觸發程序失敗。

// To create an alert for this query, click '+ New alert rule'
//Action/Trigger failures for all Logic App executions
AzureDiagnostics
| where ResourceProvider  == "MICROSOFT.LOGIC"  
| where Category == "WorkflowRuntime" 
| where status_s == "Failed" 
| where OperationName has "workflowActionCompleted" or OperationName has "workflowTriggerCompleted" 
| extend ResourceName = coalesce(resource_actionName_s, resource_triggerName_s) 
| extend ResourceCategory = substring(OperationName, 34, strlen(OperationName) - 43) | summarize dcount(resource_runId_s) by code_s, ResourceName, resource_workflowName_s, ResourceCategory, _ResourceId
| project ResourceCategory, ResourceName , FailureCount = dcount_resource_runId_s , ErrorCode = code_s, LogicAppName = resource_workflowName_s, _ResourceId 
| order by FailureCount desc

microsoft.network 的查詢

每小時的要求數

應用程式閘道上的傳入要求計數。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceType == "APPLICATIONGATEWAYS" and OperationName == "ApplicationGatewayAccess"
| summarize AggregatedValue = count() by bin(TimeGenerated, 1h), _ResourceId
| render timechart

每小時的非 SSL 要求

應用程式閘道上的非 SSL 要求計數。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceType == "APPLICATIONGATEWAYS" and OperationName == "ApplicationGatewayAccess" and sslEnabled_s == "off"
| summarize AggregatedValue = count() by bin(TimeGenerated, 1h), _ResourceId
| render timechart

每小時失敗的要求數

應用程式閘道回應錯誤的要求計數。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceType == "APPLICATIONGATEWAYS" and OperationName == "ApplicationGatewayAccess" and httpStatus_d > 399
| summarize AggregatedValue = count() by bin(TimeGenerated, 1h), _ResourceId
| render timechart

依使用者代理程式區分的錯誤

依使用者代理程序的錯誤數目。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceType == "APPLICATIONGATEWAYS" and OperationName == "ApplicationGatewayAccess" and httpStatus_d > 399
| summarize AggregatedValue = count() by userAgent_s, _ResourceId
| sort by AggregatedValue desc

依 URI 的錯誤

依 URI 的錯誤數目。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceType == "APPLICATIONGATEWAYS" and OperationName == "ApplicationGatewayAccess" and httpStatus_d > 399
| summarize AggregatedValue = count() by requestUri_s, _ResourceId
| sort by AggregatedValue desc

前10名用戶端IP

每個用戶端IP的要求計數。

AzureDiagnostics
| where ResourceType == "APPLICATIONGATEWAYS" and OperationName == "ApplicationGatewayAccess"
| summarize AggregatedValue = count() by clientIP_s
| top 10 by AggregatedValue

網路安全性事件

尋找網路安全性事件報告封鎖的連入流量。

AzureDiagnostics 
| where ResourceProvider == "MICROSOFT.NETWORK"  
| where Category == "NetworkSecurityGroupEvent"  
| where direction_s == "In" and type_s == "block"

每小時的要求數

顯示每個 FrontDoor 資源每小時要求總數的折線圖。

// Summarize number of requests per hour for each FrontDoor resource
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics 
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "FrontdoorAccessLog"
| summarize RequestCount = count() by bin(TimeGenerated, 1h), Resource, ResourceId
| render timechart

透過路由規則轉送的後端要求

每分鐘每個路由規則和後端主機的要求計數。

// Summarize number of requests per minute for each routing rule and backend host
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics 
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "FrontdoorAccessLog"
| summarize RequestCount = count() by bin(TimeGenerated, 1m), Resource, RoutingRuleName = routingRuleName_s, BackendHostname = backendHostname_s, ResourceId

依主機和路徑要求錯誤

依主機和路徑計算具有錯誤回應的要求數目。

// Summarize number of requests by host, path, and status codes >= 400
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "FrontdoorAccessLog"
| where toint(httpStatusCode_s) >= 400
| extend ParsedUrl = parseurl(requestUri_s)
| summarize RequestCount = count() by Host = tostring(ParsedUrl.Host), Path = tostring(ParsedUrl.Path), StatusCode = httpStatusCode_s, ResourceId
| order by RequestCount desc

依使用者代理程式要求錯誤

依使用者代理程式計算具有錯誤回應的要求數目。

// Summarize number of requests per user agent and status codes >= 400
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "FrontdoorAccessLog"
| where toint(httpStatusCode_s) >= 400
| summarize RequestCount = count() by UserAgent = userAgent_s, StatusCode = httpStatusCode_s , Resource, ResourceId
| order by RequestCount desc

前10名用戶端IP和 HTTP版本

顯示前10個用戶端IP和 HTTP版本。

// Summarize top 10 client ips and http versions
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "FrontdoorAccessLog"
| summarize RequestCount = count() by ClientIP = clientIp_s, HttpVersion = httpVersion_s, Resource
| top 10 by RequestCount 
| order by RequestCount desc

每小時防火牆封鎖的要求計數

每小時防火牆封鎖的要求計數。

// Summarize number of firewall blocked requests per hour by policy
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "FrontdoorWebApplicationFirewallLog"
| where action_s == "Block"
| summarize RequestCount = count() by bin(TimeGenerated, 1h), Policy = policy_s, PolicyMode = policyMode_s, Resource, ResourceId
| order by RequestCount desc

依IP和規則封鎖的前20名用戶端

依IP和規則名稱顯示前20個封鎖的用戶端。

// Summarize top 20 blocked clients by IP and rule
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "FrontdoorWebApplicationFirewallLog"
| where action_s == "Block"
| summarize RequestCount = count() by ClientIP = clientIP_s, UserAgent = userAgent_s, RuleName = ruleName_s ,Resource
| top 20 by RequestCount 
| order by RequestCount desc

依主機、路徑、規則和動作的防火牆要求計數

計算主機、路徑、規則和採取動作所處理的防火牆要求。

// Summarize request count by host, path, rule, and action
// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.NETWORK" and Category == "FrontdoorWebApplicationFirewallLog"
| extend ParsedUrl = parseurl(requestUri_s)
| summarize RequestCount = count() by Host = tostring(ParsedUrl.Host), Path = tostring(ParsedUrl.Path), RuleName = ruleName_s, Action = action_s, ResourceId
| order by RequestCount desc

應用程式規則記錄資料

剖析應用程式規則記錄數據。

AzureDiagnostics
| where Category == "AzureFirewallApplicationRule"
//this first parse statement is valid for all entries as they all start with this format
| parse msg_s with Protocol " request from " SourceIP ":" SourcePort:int * 
//Parse action as this is the same for all log lines 
| parse kind=regex flags=U msg_s with * ". Action\\: " Action "\\."
// case1: Action: A. Reason: R.
| parse kind=regex flags=U msg_s with "\\. Reason\\: " Reason "\\."
//case 2a: to FQDN:PORT Url: U. Action: A. Policy: P. Rule Collection Group: RCG. Rule Collection: RC. Rule: R.
| parse msg_s with * "to " FQDN ":" TargetPort:int * "." *
//Parse policy if present
| parse msg_s with * ". Policy: " Policy ". Rule Collection Group: " RuleCollectionGroup "." *
| parse msg_s with * " Rule Collection: " RuleCollection ". Rule: " Rule
//case 2.b: Web Category: WC.
| parse Rule with * ". Web Category: " WebCategory
//case 3: No rule matched. Proceeding with default action"
| extend DefaultRule = iff(msg_s contains "No rule matched. Proceeding with default action", true, false)
| extend 
SourcePort = tostring(SourcePort),
TargetPort = tostring(TargetPort)
| extend 
 Action = case(Action == "","N/A", case(DefaultRule, "Deny" ,Action)),
 FQDN = case(FQDN == "", "N/A", FQDN),
 TargetPort = case(TargetPort == "", "N/A", tostring(TargetPort)),
 Policy = case(RuleCollection contains ":", split(RuleCollection, ":")[0] ,case(Policy == "", "N/A", Policy)),
 RuleCollectionGroup = case(RuleCollection contains ":", split(RuleCollection, ":")[1], case(RuleCollectionGroup == "", "N/A", RuleCollectionGroup)),
 RuleCollection = case(RuleCollection contains ":", split(RuleCollection, ":")[2], case(RuleCollection == "", "N/A", RuleCollection)),
 WebCategory = case(WebCategory == "", "N/A", WebCategory),
 Rule = case(Rule == "" , "N/A", case(WebCategory == "N/A", Rule, split(Rule, '.')[0])),
 Reason = case(Reason == "", case(DefaultRule, "No rule matched - default action", "N/A"), Reason )
| project TimeGenerated, msg_s, Protocol, SourceIP, SourcePort, FQDN, TargetPort, Action, Policy, RuleCollectionGroup, RuleCollection, Rule, Reason ,WebCategory

網路規則記錄資料

剖析網路規則記錄數據。

AzureDiagnostics
| where Category == "AzureFirewallNetworkRule"
| where OperationName == "AzureFirewallNatRuleLog" or OperationName == "AzureFirewallNetworkRuleLog"
//case 1: for records that look like this:
//PROTO request from IP:PORT to IP:PORT.
| parse msg_s with Protocol " request from " SourceIP ":" SourcePortInt:int " to " TargetIP ":" TargetPortInt:int *
//case 1a: for regular network rules
| parse kind=regex flags=U msg_s with * ". Action\\: " Action1a "\\."
//case 1b: for NAT rules
//TCP request from IP:PORT to IP:PORT was DNAT'ed to IP:PORT
| parse msg_s with * " was " Action1b:string " to " TranslatedDestination:string ":" TranslatedPort:int *
//Parse rule data if present
| parse msg_s with * ". Policy: " Policy ". Rule Collection Group: " RuleCollectionGroup "." *
| parse msg_s with * " Rule Collection: "  RuleCollection ". Rule: " Rule 
//case 2: for ICMP records
//ICMP request from 10.0.2.4 to 10.0.3.4. Action: Allow
| parse msg_s with Protocol2 " request from " SourceIP2 " to " TargetIP2 ". Action: " Action2
| extend
SourcePort = tostring(SourcePortInt),
TargetPort = tostring(TargetPortInt)
| extend 
    Action = case(Action1a == "", case(Action1b == "",Action2,Action1b), split(Action1a,".")[0]),
    Protocol = case(Protocol == "", Protocol2, Protocol),
    SourceIP = case(SourceIP == "", SourceIP2, SourceIP),
    TargetIP = case(TargetIP == "", TargetIP2, TargetIP),
    //ICMP records don't have port information
    SourcePort = case(SourcePort == "", "N/A", SourcePort),
    TargetPort = case(TargetPort == "", "N/A", TargetPort),
    //Regular network rules don't have a DNAT destination
    TranslatedDestination = case(TranslatedDestination == "", "N/A", TranslatedDestination), 
    TranslatedPort = case(isnull(TranslatedPort), "N/A", tostring(TranslatedPort)),
    //Rule information
    Policy = case(Policy == "", "N/A", Policy),
    RuleCollectionGroup = case(RuleCollectionGroup == "", "N/A", RuleCollectionGroup ),
    RuleCollection = case(RuleCollection == "", "N/A", RuleCollection ),
    Rule = case(Rule == "", "N/A", Rule)
| project TimeGenerated, msg_s, Protocol, SourceIP,SourcePort,TargetIP,TargetPort,Action, TranslatedDestination, TranslatedPort, Policy, RuleCollectionGroup, RuleCollection, Rule

威脅情報規則記錄數據

剖析威脅情報規則記錄數據。

AzureDiagnostics
| where OperationName  == "AzureFirewallThreatIntelLog"
| parse msg_s with Protocol " request from " SourceIP ":" SourcePortInt:int " to " TargetIP ":" TargetPortInt:int *
| parse msg_s with * ". Action: " Action "." Message
| parse msg_s with Protocol2 " request from " SourceIP2 " to " TargetIP2 ". Action: " Action2
| extend SourcePort = tostring(SourcePortInt),TargetPort = tostring(TargetPortInt)
| extend Protocol = case(Protocol == "", Protocol2, Protocol),SourceIP = case(SourceIP == "", SourceIP2, SourceIP),TargetIP = case(TargetIP == "", TargetIP2, TargetIP),SourcePort = case(SourcePort == "", "N/A", SourcePort),TargetPort = case(TargetPort == "", "N/A", TargetPort)
| sort by TimeGenerated desc 
| project TimeGenerated, msg_s, Protocol, SourceIP,SourcePort,TargetIP,TargetPort,Action,Message

Azure 防火牆記錄數據

如果您想要從網路規則、應用程式規則、NAT 規則、標識碼、威脅情報等剖析記錄，請從此查詢開始，以了解為何允許或拒絕特定流量。此查詢會顯示最後 100 筆記錄檔記錄，但藉由在查詢結尾新增簡單的篩選語句，即可調整結果。

// Parses the azure firewall rule log data. 
// Includes network rules, application rules, threat intelligence, ips/ids, ...
AzureDiagnostics
| where Category == "AzureFirewallNetworkRule" or Category == "AzureFirewallApplicationRule"
//optionally apply filters to only look at a certain type of log data
//| where OperationName == "AzureFirewallNetworkRuleLog"
//| where OperationName == "AzureFirewallNatRuleLog"
//| where OperationName == "AzureFirewallApplicationRuleLog"
//| where OperationName == "AzureFirewallIDSLog"
//| where OperationName == "AzureFirewallThreatIntelLog"
| extend msg_original = msg_s
// normalize data so it's eassier to parse later
| extend msg_s = replace(@'. Action: Deny. Reason: SNI TLS extension was missing.', @' to no_data:no_data. Action: Deny. Rule Collection: default behavior. Rule: SNI TLS extension missing', msg_s)
| extend msg_s = replace(@'No rule matched. Proceeding with default action', @'Rule Collection: default behavior. Rule: no rule matched', msg_s)
// extract web category, then remove it from further parsing
| parse msg_s with * " Web Category: " WebCategory
| extend msg_s = replace(@'(. Web Category:).*','', msg_s)
// extract RuleCollection and Rule information, then remove it from further parsing
| parse msg_s with * ". Rule Collection: " RuleCollection ". Rule: " Rule
| extend msg_s = replace(@'(. Rule Collection:).*','', msg_s)
// extract Rule Collection Group information, then remove it from further parsing
| parse msg_s with * ". Rule Collection Group: " RuleCollectionGroup
| extend msg_s = replace(@'(. Rule Collection Group:).*','', msg_s)
// extract Policy information, then remove it from further parsing
| parse msg_s with * ". Policy: " Policy
| extend msg_s = replace(@'(. Policy:).*','', msg_s)
// extract IDS fields, for now it's always add the end, then remove it from further parsing
| parse msg_s with * ". Signature: " IDSSignatureIDInt ". IDS: " IDSSignatureDescription ". Priority: " IDSPriorityInt ". Classification: " IDSClassification
| extend msg_s = replace(@'(. Signature:).*','', msg_s)
// extra NAT info, then remove it from further parsing
| parse msg_s with * " was DNAT'ed to " NatDestination
| extend msg_s = replace(@"( was DNAT'ed to ).*",". Action: DNAT", msg_s)
// extract Threat Intellingence info, then remove it from further parsing
| parse msg_s with * ". ThreatIntel: " ThreatIntel
| extend msg_s = replace(@'(. ThreatIntel:).*','', msg_s)
// extract URL, then remove it from further parsing
| extend URL = extract(@"(Url: )(.*)(\. Action)",2,msg_s)
| extend msg_s=replace(@"(Url: .*)(Action)",@"\2",msg_s)
// parse remaining "simple" fields
| parse msg_s with Protocol " request from " SourceIP " to " Target ". Action: " Action
| extend 
    SourceIP = iif(SourceIP contains ":",strcat_array(split(SourceIP,":",0),""),SourceIP),
    SourcePort = iif(SourceIP contains ":",strcat_array(split(SourceIP,":",1),""),""),
    Target = iif(Target contains ":",strcat_array(split(Target,":",0),""),Target),
    TargetPort = iif(SourceIP contains ":",strcat_array(split(Target,":",1),""),""),
    Action = iif(Action contains ".",strcat_array(split(Action,".",0),""),Action),
    Policy = case(RuleCollection contains ":", split(RuleCollection, ":")[0] ,Policy),
    RuleCollectionGroup = case(RuleCollection contains ":", split(RuleCollection, ":")[1], RuleCollectionGroup),
    RuleCollection = case(RuleCollection contains ":", split(RuleCollection, ":")[2], RuleCollection),
    IDSSignatureID = tostring(IDSSignatureIDInt),
    IDSPriority = tostring(IDSPriorityInt)
| project msg_original,TimeGenerated,Protocol,SourceIP,SourcePort,Target,TargetPort,URL,Action, NatDestination, OperationName,ThreatIntel,IDSSignatureID,IDSSignatureDescription,IDSPriority,IDSClassification,Policy,RuleCollectionGroup,RuleCollection,Rule,WebCategory
| order by TimeGenerated
| limit 100

Azure 防火牆 DNS Proxy 記錄數據

如果您想要瞭解防火牆 DNS Proxy 記錄數據，請從此查詢開始。此查詢會顯示最後 100 筆記錄檔記錄，但藉由在查詢結尾新增簡單的篩選語句，即可調整結果。

// DNS proxy log data 
// Parses the DNS proxy log data. 
AzureDiagnostics
| where Category == "AzureFirewallDnsProxy"
| parse msg_s with "DNS Request: " SourceIP ":" SourcePortInt:int " - " QueryID:int " " RequestType " " RequestClass " " hostname ". " protocol " " details
| extend
    ResponseDuration = extract("[0-9]*.?[0-9]+s$", 0, msg_s),
    SourcePort = tostring(SourcePortInt),
    QueryID =  tostring(QueryID)
| project TimeGenerated,SourceIP,hostname,RequestType,ResponseDuration,details,msg_s
| order by TimeGenerated
| limit 100

BGP 路由表

過去 12 小時內學到的 BPG 路由表。

AzureDiagnostics
| where TimeGenerated > ago(12h)
| where ResourceType == "EXPRESSROUTECIRCUITS"
| project TimeGenerated , ResourceType , network_s , path_s , OperationName

BGP 參考訊息

依層級、資源類型和網路排序的 BGP 資訊訊息。

AzureDiagnostics
| where Level == "Informational"
| project TimeGenerated , ResourceId, Level, ResourceType , network_s , path_s

監視狀態關閉的端點

找出 Azure 流量管理員端點的監視狀態關閉的原因。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceType == "TRAFFICMANAGERPROFILES"  and Category  == "ProbeHealthStatusEvents"
| where Status_s == "Down"
| project TimeGenerated, EndpointName_s, Status_s, ResultDescription, SubscriptionId , _ResourceId

成功的 P2S 連線

過去 12 小時內成功的 P2S 連線。

AzureDiagnostics 
| where TimeGenerated > ago(12h)
| where Category == "P2SDiagnosticLog" and Message has "Connection successful"
| project TimeGenerated, Resource ,Message

P2S 連線失敗

過去12小時內的P2S連線失敗。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics 
| where TimeGenerated > ago(12h)
| where Category == "P2SDiagnosticLog" and Message has "Connection failed"
| project TimeGenerated, Resource ,Message

閘道組態變更

在過去 24 小時內，系統管理員所做的閘道設定變更成功。

AzureDiagnostics
| where TimeGenerated > ago(24h)
| where Category == "GatewayDiagnosticLog" and operationStatus_s == "Success" and configuration_ConnectionTrafficType_s == "Internet"
| project TimeGenerated, Resource, OperationName, Message, operationStatus_s

S2S 通道 connet/disconnect 事件

過去24小時內的SS道聯機/中斷連線事件。

AzureDiagnostics 
| where TimeGenerated > ago(24h)
| where Category == "TunnelDiagnosticLog" and (status_s == "Connected" or status_s == "Disconnected")
| project TimeGenerated, Resource , status_s, remoteIP_s, stateChangeReason_s

BGP 路由更新

過去24小時內的 BGP 路由更新。

AzureDiagnostics
| where TimeGenerated > ago(24h)
| where Category == "RouteDiagnosticLog" and OperationName == "BgpRouteUpdate"

顯示來自 AzureDiagnostics 數據表的記錄

清單 AzureDiagnostics 數據表中的最新記錄，依時間 (最新的第一個) 排序。

AzureDiagnostics
| top 10 by TimeGenerated

microsoft.recoveryservices 的查詢

備份作業失敗

尋找過去一天回報的備份作業失敗的記錄。

AzureDiagnostics  
| where ResourceProvider == "MICROSOFT.RECOVERYSERVICES" and Category == "AzureBackupReport"  
| where OperationName == "Job" and JobOperation_s == "Backup" and JobStatus_s == "Failed" 
| project TimeGenerated, JobUniqueId_g, JobStartDateTime_s, JobOperation_s, JobOperationSubType_s, JobStatus_s , JobFailureCode_s, JobDurationInSecs_s , AdHocOrScheduledJob_s

microsoft.servicebus 的查詢

[傳統]列出管理作業

這會列出所有管理呼叫。

AzureDiagnostics
| where ResourceProvider ==\"MICROSOFT.SERVICEBUS\"
| where Category == \"OperationalLogs\"
| summarize count() by EventName_s, _ResourceId

[傳統]錯誤摘要

摘要說明所有遇到的錯誤。

AzureDiagnostics
| where ResourceProvider ==\"MICROSOFT.SERVICEBUS\"
| where Category == \"Error\"
| summarize count() by EventName_s, _ResourceId

[傳統]Keyvault 存取嘗試 - 找不到金鑰

摘要說明找不到金鑰時金鑰保存庫的存取權。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == \"MICROSOFT.SERVICEBUS\"
| where Category == \"Error\" and OperationName == \"wrapkey\"
| project Message, _ResourceId

[傳統]AutoDeleted 實體

已自動刪除之所有實體的摘要。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == \"MICROSOFT.SERVICEBUS\"
| where Category == \"OperationalLogs\"
| where EventName_s startswith \"AutoDelete\"
| summarize count() by EventName_s, _ResourceId

[傳統]Keyvault 已執行作業

摘要說明使用keyvault執行的作業，以停用或還原密鑰。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == \"MICROSOFT.SERVICEBUS\"
| where (Category == \"info\" and (OperationName == \"disable\" or OperationName == \"restore\"))
| project Message, _ResourceId

過去 7 天內的管理作業

這會列出過去 7 天的所有管理話務。

AzureDiagnostics
| where TimeGenerated > ago(7d)
| where ResourceProvider =="MICROSOFT.SERVICEBUS"
| where Category == "OperationalLogs"
| summarize count() by EventName_s, _ResourceId

錯誤摘要

摘要說明過去 7 天內看到的所有錯誤。

AzureDiagnostics
| where TimeGenerated > ago(7d)
| where ResourceProvider =="MICROSOFT.SERVICEBUS"
| where Category == "Error" 
| summarize count() by EventName_s, _ResourceId

Keyvault 存取嘗試 - 找不到金鑰

摘要說明找不到金鑰時金鑰保存庫的存取權。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.SERVICEBUS" 
| where Category == "Error" and OperationName == "wrapkey"
| project Message, _ResourceId

AutoDeleted 實體

已自動刪除之所有實體的摘要。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.SERVICEBUS"
| where Category == "OperationalLogs"
| where EventName_s startswith "AutoDelete"
| summarize count() by EventName_s, _ResourceId

Keyvault 已執行作業

摘要說明使用keyvault執行的作業，以停用或還原密鑰。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.SERVICEBUS"
| where (Category == "info" and (OperationName == "disable" or OperationName == "restore"))
| project Message, _ResourceId

查詢microsoft.sql

受控實例上超過90%的記憶體

顯示記憶體使用率高於90%的所有受控實例。

// To create an alert for this query, click '+ New alert rule'
let storage_percentage_threshold = 90;
AzureDiagnostics
| where Category =="ResourceUsageStats"
| summarize (TimeGenerated, calculated_storage_percentage) = arg_max(TimeGenerated, todouble(storage_space_used_mb_s) *100 / todouble (reserved_storage_mb_s))
   by _ResourceId
| where calculated_storage_percentage > storage_percentage_threshold

受控實例上的 CPU 使用率高於 95%

顯示 CPU treshold 超過 95% 的 treshold 的所有受控實例。

// To create an alert for this query, click '+ New alert rule'
let cpu_percentage_threshold = 95;
let time_threshold = ago(1h);
AzureDiagnostics
| where Category == "ResourceUsageStats" and TimeGenerated > time_threshold
| summarize avg_cpu = max(todouble(avg_cpu_percent_s)) by _ResourceId
| where avg_cpu > cpu_percentage_threshold

顯示所有作用中的智慧型手機深入解析

顯示智慧型手機深入解析偵測到的所有作用中效能問題。請注意，必須針對受監視的每個資料庫啟用 SQLInsights 記錄。

AzureDiagnostics
| where Category == "SQLInsights" and status_s == "Active"
| distinct rootCauseAnalysis_s

等候統計資料

依邏輯伺服器和資料庫等候過去一小時的統計數據。

AzureDiagnostics
| where ResourceProvider == "MICROSOFT.SQL"
| where TimeGenerated >= ago(60min)
| parse _ResourceId with * "/microsoft.sql/servers/" LogicalServerName "/databases/" DatabaseName
| summarize Total_count_60mins = sum(delta_waiting_tasks_count_d) by LogicalServerName, DatabaseName, wait_type_s

microsoft.streamanalytics 的查詢

列出所有輸入數據錯誤

顯示處理輸入數據時發生的所有錯誤。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics 
| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and parse_json(properties_s).Type == "DataError" 
| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId

列出所有輸入還原串行化錯誤

顯示因作業無法還原串行化之格式錯誤所造成的錯誤。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and parse_json(properties_s).DataErrorType in ("InputDeserializerError.InvalidData", "InputDeserializerError.TypeConversionError", "InputDeserializerError.MissingColumns", "InputDeserializerError.InvalidHeader", "InputDeserializerError.InvalidCompressionType")
| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId

列出所有 InvalidInputTimeStamp 錯誤

顯示因 TIMESTAMP BY 表達式的值無法轉換成 datetime 的事件所造成的錯誤。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and  parse_json(properties_s).DataErrorType == "InvalidInputTimeStamp"
| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId

列出所有 InvalidInputTimeStampKey 錯誤

顯示因 TIMESTAMP BY OVER timestampColumn 值為 NULL 的事件所造成的錯誤。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and  parse_json(properties_s).DataErrorType == "InvalidInputTimeStampKey"
| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId

延遲抵達的事件

顯示錯誤，因為應用程式時間和抵達時間之間的差異大於延遲抵達原則的事件。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and  parse_json(properties_s).DataErrorType == "LateInputEvent"
| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId

提早抵達的事件

顯示錯誤，因為應用程式時間與抵達時間之間的差異大於 5 分鐘的事件。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and parse_json(properties_s).DataErrorType == "EarlyInputEvent"
| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId

已依序抵達的事件

根據順序錯亂原則顯示因事件而抵達順序錯亂的錯誤。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and parse_json(properties_s).DataErrorType == "OutOfOrderEvent"
| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId

所有輸出數據錯誤

顯示將查詢結果寫入作業輸出時所發生的所有錯誤。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and parse_json(properties_s).DataErrorType in ("OutputDataConversionError.RequiredColumnMissing", "OutputDataConversionError.ColumnNameInvalid", "OutputDataConversionError.TypeConversionError", "OutputDataConversionError.RecordExceededSizeLimit", "OutputDataConversionError.DuplicateKey")
| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId

列出所有 RequiredColumnMissing 錯誤

顯示作業所產生的輸出記錄有遺漏數據行的所有錯誤。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and parse_json(properties_s).DataErrorType == "OutputDataConversionError.RequiredColumnMissing"
| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId

列出所有 ColumnNameInvalid 錯誤

顯示作業所產生的輸出記錄有數據行名稱未對應至輸出中數據行的錯誤。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and parse_json(properties_s).DataErrorType == "OutputDataConversionError.ColumnNameInvalid"
| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId

列出所有 TypeConversionError 錯誤

顯示作業所產生的輸出記錄有資料行無法轉換成輸出中有效類型的錯誤。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and parse_json(properties_s).DataErrorType == "OutputDataConversionError.TypeConversionError"
| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId

列出所有 RecordExceededSizeLimit 錯誤

顯示作業所產生的輸出記錄大小大於支援的輸出大小的錯誤。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and  parse_json(properties_s).DataErrorType == "OutputDataConversionError.RecordExceededSizeLimit"
| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId

列出所有 DuplicateKey 錯誤

顯示作業所產生的輸出記錄包含與系統數據行同名的數據行的錯誤。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and parse_json(properties_s).DataErrorType == "OutputDataConversionError.DuplicateKey"
| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId

層級為「錯誤」的所有記錄

顯示可能對作業造成負面影響的所有記錄。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and Level == "Error" 
| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId

具有「失敗」的作業

顯示作業上導致失敗的所有作業。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and status_s == "Failed" 
| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId

Cosmos DB、Power BI、事件中樞 (輸出節流記錄)

顯示寫入至其中一個輸出的所有實例已由目的地服務節流處理。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and parse_json(properties_s).Type in ("DocumentDbOutputAdapterWriteThrottlingError", "EventHubOutputAdapterEventHubThrottlingError", "PowerBIServiceThrottlingError", "PowerBIServiceThrottlingError")
| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId

暫時性輸入和輸出錯誤

顯示與輸入和輸出相關的所有錯誤，這些錯誤本質上是間歇性的。

// To create an alert for this query, click '+ New alert rule'
AzureDiagnostics
| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and parse_json(properties_s).Type in ("AzureFunctionOutputAdapterTransientError", "BlobInputAdapterTransientError", "DataLakeOutputAdapterTransientError", "DocumentDbOutputAdapterTransientError", "EdgeHubOutputAdapterEdgeHubTransientError", "EventHubBasedInputInvalidOperationTransientError", "EventHubBasedInputOperationCanceledTransientError", "EventHubBasedInputTimeoutTransientError", "EventHubBasedInputTransientError", "EventHubOutputAdapterEventHubTransientError", "InputProcessorTransientFailure", "OutputProcessorTransientError", "ReferenceDataInputAdapterTransientError", "ServiceBusOutputAdapterTransientError", "TableOutputAdapterTransientError")
| project TimeGenerated, Resource, Region_s, OperationName, properties_s, Level, _ResourceId

過去 7 天內所有資料錯誤的摘要

過去 7 天內所有資料錯誤的摘要。

AzureDiagnostics
| where TimeGenerated > ago(7d) //last 7 days
| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and parse_json(properties_s).Type == "DataError"
| extend DataErrorType = tostring(parse_json(properties_s).DataErrorType)
| summarize Count=count(), sampleEvent=any(properties_s)  by DataErrorType, JobName=Resource

過去 7 天內所有錯誤的摘要

過去 7 天內所有錯誤的摘要。

AzureDiagnostics
| where TimeGenerated > ago(7d) //last 7 days
| where ResourceProvider == "MICROSOFT.STREAMANALYTICS"
| extend ErrorType = tostring(parse_json(properties_s).Type)
| summarize Count=count(), sampleEvent=any(properties_s)  by ErrorType, JobName=Resource

過去 7 天內「失敗」作業的摘要

過去 7 天內的「失敗」作業摘要。

AzureDiagnostics
| where TimeGenerated > ago(7d) //last 7 days
| where ResourceProvider == "MICROSOFT.STREAMANALYTICS" and status_s == "Failed" 
| summarize Count=count(), sampleEvent=any(properties_s) by JobName=Resource

共用方式為

AzureDiagnostics 數據表的查詢

microsoft.automation 的查詢

自動化作業中的錯誤

尋找過去一天自動化作業中報告錯誤的記錄

Azure 自動化 失敗、暫停或停止的作業

Runbook 已順利完成，發生錯誤

檢視歷史工作狀態

已完成 Azure 自動化作業

microsoft.batch 的查詢

每個作業的成功工作

每個作業失敗的工作

任務工期

集區重設大小

集區重設大小失敗

microsoft.cdn 的查詢

[Microsoft CDN (傳統) ]每小時的要求數

[Microsoft CDN (傳統) ]依 URL 的流量

[Microsoft CDN (傳統) ] 依 URL 的 4XX 錯誤率

[Microsoft CDN (傳統) ]依使用者代理程式要求錯誤

[Microsoft CDN (傳統) ]前 10 個 URL 要求計數

[Microsoft CDN (傳統) ]唯一IP要求計數

[Microsoft CDN (傳統) ]前10名用戶端IP和 HTTP 版本

[Azure Front Door Standard/Premium]依IP和規則封鎖的前20名用戶端

[Azure Front Door Standard/Premium]依路由傳送至來源的要求

[Azure Front Door Standard/Premium]依使用者代理程式要求錯誤

[Azure Front Door Standard/Premium]前10名用戶端IP和 HTTP版本

[Azure Front Door Standard/Premium]依主機和路徑要求錯誤

[Azure Front Door Standard/Premium]每小時防火牆封鎖的要求計數

[Azure Front Door Standard/Premium]依主機、路徑、規則和動作的防火牆要求計數

[Azure Front Door Standard/Premium]每小時的要求數

[Azure Front Door Standard/Premium]前 10 個 URL 要求計數

[Azure Front Door Standard/Premium]前 10 個 URL 要求計數

[Azure Front Door Standard/Premium]唯一IP要求計數

microsoft.containerservice 的查詢

在 AzureDiagnostics 中尋找

microsoft.dbformariadb 的查詢

運行時間超過臨界值

顯示最慢的查詢

顯示查詢的統計數據

檢閱 GENERAL 類別中的稽核記錄事件

檢閱 CONNECTION 類別中的稽核記錄事件

microsoft.dbformysql 的查詢

運行時間超過臨界值

顯示最慢的查詢

顯示查詢的統計數據

檢閱 GENERAL 類別中的稽核記錄事件

檢閱 CONNECTION 類別中的稽核記錄事件

microsoft.dbforpostgresql 的查詢

自動數據清理事件

伺服器重新啟動

尋找錯誤

未經授權的連線

死結

鎖定爭用

稽核記錄

數據表 () 和事件類型的稽核記錄 (s)

運行時間超過閾值的查詢

最慢的查詢

查詢統計資料

執行計數趨勢

前幾名等候事件

等候事件趨勢

microsoft.devices 的查詢

Connectvity 錯誤

大部分節流錯誤的裝置

無效端點

錯誤摘要

最近連線的裝置

裝置的 SDK 版本

microsoft.documentdb 的查詢

過去24小時內已取用的 RU/秒

過去24小時內具有節流 (429) 的集合

過去 24 小時內已取用的要求單位 (RU) 的熱門作業

依記憶體排序的前幾個邏輯分割區索引鍵

microsoft.eventhub 的查詢

[傳統]擷取失敗的持續時間

[傳統]加入用戶端的要求

[傳統]keyvault 的存取權 - 找不到金鑰

[傳統]使用keyvault執行的作業

Azure 自動化失敗、暫停或停止的作業

Azure 防火牆記錄數據