Consultas de exemplo do Azure Resource Graph para o Azure Monitor
Esta página é uma coleção de consultas de exemplo do Azure Resource Graph para o Azure Monitor.
Azure Monitor
Visão geral dos alertas do Azure Monitor
Esta consulta de exemplo obtém todos os alertas do Azure Monitor que foram acionados nas últimas 12 horas e extrai propriedades comumente usadas.
alertsmanagementresources
| where properties.essentials.startDateTime > ago(12h)
| project
alertId = id,
name,
monitorCondition = tostring(properties.essentials.monitorCondition),
severity = tostring(properties.essentials.severity),
monitorService = tostring(properties.essentials.monitorService),
alertState = tostring(properties.essentials.alertState),
targetResourceType = tostring(properties.essentials.targetResourceType),
targetResource = tostring(properties.essentials.targetResource),
subscriptionId,
startDateTime = todatetime(properties.essentials.startDateTime),
lastModifiedDateTime = todatetime(properties.essentials.lastModifiedDateTime),
dimensions = properties.context.context.condition.allOf[0].dimensions, properties
az graph query -q "alertsmanagementresources | where properties.essentials.startDateTime > ago(12h) | project alertId = id, name, monitorCondition = tostring(properties.essentials.monitorCondition), severity = tostring(properties.essentials.severity), monitorService = tostring(properties.essentials.monitorService), alertState = tostring(properties.essentials.alertState), targetResourceType = tostring(properties.essentials.targetResourceType), targetResource = tostring(properties.essentials.targetResource), subscriptionId, startDateTime = todatetime(properties.essentials.startDateTime), lastModifiedDateTime = todatetime(properties.essentials.lastModifiedDateTime), dimensions = properties.context.context.condition.allOf[0].dimensions, properties"
Exibir alertas recentes do Azure Monitor enriquecidos com marcas de recurso
Esta consulta de exemplo obtém todos os alertas do Azure Monitor que foram acionados nas últimas 12 horas, extrai as propriedades comumente usadas e adiciona as marcas do recurso de destino.
alertsmanagementresources
| where properties.essentials.startDateTime > ago(12h)
| where tostring(properties.essentials.monitorService) <> "ActivityLog Administrative"
| project // converting extracted fields to string / datetime to allow grouping
alertId = id,
name,
monitorCondition = tostring(properties.essentials.monitorCondition),
severity = tostring(properties.essentials.severity),
monitorService = tostring(properties.essentials.monitorService),
alertState = tostring(properties.essentials.alertState),
targetResourceType = tostring(properties.essentials.targetResourceType),
targetResource = tostring(properties.essentials.targetResource),
subscriptionId,
startDateTime = todatetime(properties.essentials.startDateTime),
lastModifiedDateTime = todatetime(properties.essentials.lastModifiedDateTime),
dimensions = properties.context.context.condition.allOf[0].dimensions, // usefor metric alerts and log search alerts
properties
| extend targetResource = tolower(targetResource)
| join kind=leftouter
( resources | project targetResource = tolower(id), targetResourceTags = tags) on targetResource
| project-away targetResource1
az graph query -q "alertsmanagementresources | where properties.essentials.startDateTime > ago(12h) | where tostring(properties.essentials.monitorService) <> "ActivityLog Administrative" | project // converting extracted fields to string / datetime to allow grouping alertId = id, name, monitorCondition = tostring(properties.essentials.monitorCondition), severity = tostring(properties.essentials.severity), monitorService = tostring(properties.essentials.monitorService), alertState = tostring(properties.essentials.alertState), targetResourceType = tostring(properties.essentials.targetResourceType), targetResource = tostring(properties.essentials.targetResource), subscriptionId, startDateTime = todatetime(properties.essentials.startDateTime), lastModifiedDateTime = todatetime(properties.essentials.lastModifiedDateTime), dimensions = properties.context.context.condition.allOf[0].dimensions, // usefor metric alerts and log search alerts properties | extend targetResource = tolower(targetResource) | join kind=leftouter ( resources | project targetResource = tolower(id), targetResourceTags = tags) on targetResource | project-away targetResource1"
Listar todos os clusters Kubernetes habilitados para Azure Arc com a extensão do Azure Monitor
Retorna a ID do cluster conectado de cada cluster Kubernetes habilitado para Azure Arc que tem a extensão do Azure Monitor instalada.
KubernetesConfigurationResources
| where type == 'microsoft.kubernetesconfiguration/extensions'
| where properties.ExtensionType == 'microsoft.azuremonitor.containers'
| parse id with connectedClusterId '/providers/Microsoft.KubernetesConfiguration/Extensions' *
| project connectedClusterId
az graph query -q "KubernetesConfigurationResources | where type == 'microsoft.kubernetesconfiguration/extensions' | where properties.ExtensionType == 'microsoft.azuremonitor.containers' | parse id with connectedClusterId '/providers/Microsoft.KubernetesConfiguration/Extensions' * | project connectedClusterId"
Listar todos os clusters Kubernetes habilitados para Azure Arc sem a extensão do Azure Monitor
Retorna a ID do cluster conectado de cada cluster Kubernetes habilitado para Azure Arc que não tem a extensão do Azure Monitor.
Resources
| where type =~ 'Microsoft.Kubernetes/connectedClusters' | extend connectedClusterId = tolower(id) | project connectedClusterId
| join kind = leftouter
(KubernetesConfigurationResources
| where type == 'microsoft.kubernetesconfiguration/extensions'
| where properties.ExtensionType == 'microsoft.azuremonitor.containers'
| parse tolower(id) with connectedClusterId '/providers/microsoft.kubernetesconfiguration/extensions' *
| project connectedClusterId
) on connectedClusterId
| where connectedClusterId1 == ''
| project connectedClusterId
az graph query -q "Resources | where type =~ 'Microsoft.Kubernetes/connectedClusters' | extend connectedClusterId = tolower(id) | project connectedClusterId | join kind = leftouter (KubernetesConfigurationResources | where type == 'microsoft.kubernetesconfiguration/extensions' | where properties.ExtensionType == 'microsoft.azuremonitor.containers' | parse tolower(id) with connectedClusterId '/providers/microsoft.kubernetesconfiguration/extensions' * | project connectedClusterId ) on connectedClusterId | where connectedClusterId1 == '' | project connectedClusterId"
Retorna todos os alertas do Azure Monitor em uma assinatura no último dia
{
"subscriptions": [
<subscriptionId>
],
"query": "alertsmanagementresources | where properties.essentials.lastModifiedDateTime > ago(1d) | project alertInstanceId = id, parentRuleId = tolower(tostring(properties['essentials']['alertRule'])), sourceId = properties['essentials']['sourceCreatedId'], alertName = name, severity = properties.essentials.severity, status = properties.essentials.monitorCondition, state = properties.essentials.alertState, affectedResource = properties.essentials.targetResourceName, monitorService = properties.essentials.monitorService, signalType = properties.essentials.signalType, firedTime = properties['essentials']['startDateTime'], lastModifiedDate = properties.essentials.lastModifiedDateTime, lastModifiedBy = properties.essentials.lastModifiedUserName"
}
Próximas etapas
- Saiba mais sobre a linguagem de consulta.
- Saiba mais sobre como explorar recursos.