
Queries for the OEPDataplaneLogs table

For information on using these queries in the Azure portal, see the Log Analytics tutorial. For the REST API, see Query.

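Visualize error response codes

Categorizes log messages by HTTP response code, filters out logs that have no response code, and summarizes the count of each response code over the specified time granularity. It then renders a column chart for visualization.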

OEPDataplaneLogs
// Categorize messages based on HTTP response codes
| extend ResponseCode = case(
    Message has_any ("Status=500", "Internal Server Error"), "500",
    Message has_any ("Status=401", "Unauthorized"), "401",
    Message has_any ("Status=403", "Forbidden"), "403",
    Message has_any ("Status=429", "RequestBodyTooLarge"), "429",
    ""
)
// Filter out logs without a response code
| where ResponseCode != ""
// Summarize the count of each response code over a specified time range
| summarize Count = count() by bin(TimeGenerated, 5m), ResponseCode
// Render a column chart for visualization
| render columnchart

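Analyze user activity in storage logs

Extracts the UserId value, filters the logs to include only those that have a UserId and belong to the StorageLogs category, and checks for specific HTTP methods. It then summarizes the log count per user over daily intervals and renders the result as a pie chart.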

OEPDataplaneLogs
// Extract UserId from the Message field using a regular expression
| extend UserId = extract(@"user-id=([a-zA-Z0-9_@.-]+)", 1, Message)
// Filter out logs without a UserId
| where UserId != ""
// Filter logs to include only those in the "StorageLogs" category
| where Category == "StorageLogs"
// Filter logs to include only those with specific HTTP methods
| where Message has_any (  
  "GET",
  "POST",
  "PUT",
  "DELETE",
  "PATCH",
  "HEAD",
  "OPTIONS" 
)
// Summarize the count of logs per user over daily intervals
| summarize Count = count() by bin(TimeGenerated, 1d), UserId
// Render a pie chart for visualization
| render piechart

Categorize logs by OSDU service

This KQL query summarizes the count of logs by category over the last 24 hours and renders a pie chart for visualization.

OEPDataplaneLogs
// Summarize the count of logs by category over the last day
| summarize Count = count() by bin(TimeGenerated, 1d), Category
// Render a pie chart for visualization
| render piechart

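Visualize user activity

Extracts the UserId value, filters out logs that have no UserId, and summarizes the log count per user over the last 24 hours. It renders a pie chart to visualize user activity.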

OEPDataplaneLogs
// Extract UserId from the Message field using a regular expression
| extend UserId = extract(@"user-id=([a-zA-Z0-9_@.-]+)", 1, Message)
// Filter out logs without a UserId
| where UserId != ""
// Summarize the count of logs per user over the last day
| summarize Count = count() by bin(TimeGenerated, 1d), UserId
// Render a pie chart to visualize user activity
| render piechart

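Visualize recent activity

Filters the logs to the last 30 minutes, categorizes them by HTTP response code, and computes the total number of logs and errors. It then summarizes these counts in 15-second intervals and renders a timechart for visual analysis.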

OEPDataplaneLogs
// Filter logs to the last 30 minutes
| where TimeGenerated >= ago(30m)
// | extend UserId = extract(@"user-id=([a-zA-Z0-9_@.-]+)", 1, Message) // Uncomment if you want to only display user actions
// | where notempty(UserId) // Uncomment if you want to only display user actions
// Categorize messages based on HTTP response codes
| extend ResponseCode = case(
    Message has_any ("Status=500", "Internal Server Error"), "500",
    Message has_any ("Status=401", "Unauthorized"), "401",
    Message has_any ("Status=403", "Forbidden"), "403",
    Message has_any ("Status=429", "RequestBodyTooLarge"), "429",
    ""
)
// Mark entries as errors if they match specific response codes
| extend ErrorCount = ResponseCode has_any ("500", "401", "403", "429")
// Summarize total logs and errors in 15-second intervals
| summarize Total = count(), Errors = countif(ErrorCount) by bin(TimeGenerated, 15s)
// Render a timechart for visual analysis
| render timechart with (ysplit=axes)

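Ensure a correlation ID is present

Ensures that every log entry has a CorrelationId. If the CorrelationId is missing, it extracts the value from the Message field using a regular expression.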

OEPDataplaneLogs
// Ensure each log entry has a CorrelationId by using the existing one or extracting it from the Message field
| extend CorrelationId = iff(notempty(CorrelationId), CorrelationId, extract(@"correlation-id=([a-zA-Z0-9_-]+)", 1, Message))

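Extract and categorize HTTP response codes

Categorizes log messages based on HTTP response codes. It extends the log data with a new column named ResponseCode and displays only the relevant fields.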

OEPDataplaneLogs
// Derive ResponseCode from the Message content and add it as a separate column.
| extend ResponseCode = case(
    Message has_any ("Status=500", "Internal Server Error"), "500",  // Internal Server Error
    Message has_any ("Status=401", "Unauthorized"), "401",           // Unauthorized Access
    Message has_any ("Status=403", "Forbidden"), "403",              // Forbidden Access
    Message has_any ("Status=429", "RequestBodyTooLarge"), "429",    // Request Body Too Large
    Message has_any ("Status=200", "200 OK"), "200",                 // Successful Request
    Message has "Status=201", "201",                                 // Resource Created
    ""                                                               // Default case if no match
)
//
// Displays only relevant columns
//
| project TimeGenerated, Category, Message, LogLevel, CorrelationId, ResponseCode
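
The queries above can be combined into a triage view of denied requests per user. The following is an added example, not part of the original documentation: it reuses the page's UserId, ResponseCode and CorrelationId logic, and the lookback, window and threshold values are assumptions to tune against your own baseline.

```kusto
// Added example: users with a burst of 401/403 responses inside a short window.
// Assumes Message carries "user-id=" and "Status=" tokens, as in the queries above.
let lookback = 1h;     // assumed search range
let window = 5m;       // assumed bucket size
let threshold = 10;    // assumed minimum number of denied requests per bucket
OEPDataplaneLogs
| where TimeGenerated >= ago(lookback)
// Extract the user identifier and drop entries that are not tied to a user
| extend UserId = extract(@"user-id=([a-zA-Z0-9_@.-]+)", 1, Message)
| where isnotempty(UserId)
// Keep only authentication (401) and authorization (403) failures
| extend ResponseCode = case(
    Message has_any ("Status=401", "Unauthorized"), "401",
    Message has_any ("Status=403", "Forbidden"), "403",
    ""
)
| where ResponseCode != ""
// Backfill CorrelationId from the Message so each hit can be traced end to end
| extend CorrelationId = iff(notempty(CorrelationId), CorrelationId,
    extract(@"correlation-id=([a-zA-Z0-9_-]+)", 1, Message))
| summarize
    Denied = count(),
    Unauthorized = countif(ResponseCode == "401"),
    Forbidden = countif(ResponseCode == "403"),
    Categories = make_set(Category, 10),
    SampleCorrelationIds = make_set_if(CorrelationId, isnotempty(CorrelationId), 5),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by UserId, bin(TimeGenerated, window)
// Surface only the buckets that exceed the threshold
| where Denied >= threshold
| order by Denied desc
```

The SampleCorrelationIds column gives a starting point for pulling the full request trail of any user the query surfaces.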