How to find list of all resources created in the last month in Azure using KQL and Log analytics?

Question

I want to get a list of all new resources created in my Azure subscription in the last month. I have been trying to get it through Log Analytics, but I am having problems as to which specific operation I need to pinpoint for resource creation in Azure. I am confused about what value in the OperationNameValue column I should use in the AzureActivity table.

When I was exploring Azure Monitor and Log Analytics, I found that on creating a resource, the OperationNameValue is coming as "Microsoft.Resource/Deployments/Write". Is this the correct OperationNameValue to focus on? Because I can't find the same in the logs when a new storage account was created. Also, in the activity logs, there are some entries where the OperationNameValue is "MICROSOFT.RESOURCES/DEPLOYMENTS/WRITE" and in some entries it's "Microsoft.Resource/Deployments/Write". What is the difference between the two?

I'm new to Azure with only a few months of experience, so I still have quite a few knowledge gaps in this, but I really need to find this out quickly, so any insight or help would be greatly appreciated.

Here is the query I have made for reference:

AzureActivity
| where TimeGenerated between (startofday(ago(30d)) .. startofday(now()))
| where OperationNameValue == "MICROSOFT.RESOURCES/DEPLOYMENTS/WRITE"
| parse tolower(_ResourceId) with "/subscriptions/" subscriptionId "/resourcegroups/" resourceGroup "/providers/" provider "/" resourceType "/" resourceName
| where ActivityStatusValue == "Success"
| project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, resourceName, ResourceGroup
| order by TimeGenerated desc

Answer 1

Score: 0

> There are some entries where the OperationNameValue is "MICROSOFT.RESOURCES/DEPLOYMENTS/WRITE" and in some entries it's "Microsoft.Resource/Deployments/Write". What is the difference between the two?

There is not much difference between the two. Due to the case sensitivity of a few operations while querying the Azure activity logs, it may appear as "Microsoft.Resource/Deployments/Write".

I tried the same query as you and it retrieved all the results with the Operation Name value as "MICROSOFT.RESOURCES/DEPLOYMENTS/WRITE".

AzureActivity
| where OperationNameValue == "MICROSOFT.RESOURCES/DEPLOYMENTS/WRITE"
| parse tolower(_ResourceId) with "/subscriptions/" subscriptionId "/resourcegroups/" resourceGroup "/providers/" provider "/" resourceType "/" resourceName
| where ActivityStatusValue == "Success"
| project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, resourceName, ResourceGroup
| order by TimeGenerated desc

But to deal with this inconsistent behavior, you can use tolower() to change the operation name to lowercase for comparison to avoid any conflicts.

AzureActivity
// tolower() output is compared against a lowercase literal so that every casing matches
| where tolower(OperationNameValue) == "microsoft.resources/deployments/write"
| parse tolower(_ResourceId) with "/subscriptions/" subscriptionId "/resourcegroups/" resourceGroup "/providers/" provider "/" resourceType "/" resourceName
| where ActivityStatusValue == "Success"
| project TimeGenerated, OperationNameValue, ActivityStatusValue, Caller, resourceName, ResourceGroup
| order by TimeGenerated desc
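
The case mismatch discussed in the answer above, as an added example that is not part of the original post. The rows are constructed stand-ins for the AzureActivity table (callers, subscription ID and resource names are made up), and KQL's case-insensitive equality operator `=~` is used in place of tolower(); the ExactMatch column shows which rows a plain `==` filter would have kept.

```kql
// Constructed sample rows standing in for AzureActivity (not real log data).
let SampleActivity = datatable(
    TimeGenerated: datetime,
    OperationNameValue: string,
    ActivityStatusValue: string,
    Caller: string,
    _ResourceId: string)
[
    // Upper-case operation name, successful
    datetime(2023-07-10 09:15:00), "MICROSOFT.RESOURCES/DEPLOYMENTS/WRITE", "Success", "alice@example.com",
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-demo/providers/microsoft.resources/deployments/deploy-a",
    // Mixed-case operation name, successful
    datetime(2023-07-12 14:02:00), "Microsoft.Resources/deployments/write", "Success", "bob@example.com",
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo/providers/Microsoft.Resources/deployments/deploy-b",
    // Upper-case operation name, still in progress: excluded by the status filter
    datetime(2023-07-12 14:01:30), "MICROSOFT.RESOURCES/DEPLOYMENTS/WRITE", "Start", "bob@example.com",
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-demo/providers/microsoft.resources/deployments/deploy-b",
    // Different operation: excluded by the operation filter
    datetime(2023-07-13 08:45:00), "MICROSOFT.RESOURCES/DEPLOYMENTS/VALIDATE/ACTION", "Success", "alice@example.com",
        "/subscriptions/00000000-0000-0000-0000-000000000000/resourcegroups/rg-demo/providers/microsoft.resources/deployments/deploy-c"
];
SampleActivity
// What a case-sensitive == filter would have matched, kept as a column for comparison
| extend ExactMatch = OperationNameValue == "MICROSOFT.RESOURCES/DEPLOYMENTS/WRITE"
// =~ compares strings case-insensitively, so both casings of the operation name pass
| where OperationNameValue =~ "MICROSOFT.RESOURCES/DEPLOYMENTS/WRITE"
| where ActivityStatusValue == "Success"
// Lower-case the resource ID before parsing so the literal path segments match either casing
| parse tolower(_ResourceId) with "/subscriptions/" subscriptionId "/resourcegroups/" resourceGroup "/providers/" provider "/" resourceType "/" resourceName
| project TimeGenerated, OperationNameValue, ExactMatch, Caller, resourceGroup, resourceName
| order by TimeGenerated desc
```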

huangapple
  • This article was published on July 23, 2023, 15:36:06
  • When reposting, please be sure to keep the link to this article: https://go.coder-hub.com/76747099.html