How do I get an event in Log Analytics with different parameterxml values?

First of all, I hope you understand my question correctly. In Log Analytics I have a query like this:

Event
| where EventID == 7036 and Computer == "testSQLServer"
and ParameterXml == "<Param>SQL Server (MSSQLSERVER)</Param><Param>stopped</Param><Param>-</Param>"

This query works, and now I want to get results that match "EventID" and "Computer" and one entry from a pool of "ParameterXml" values.

Specifically, this pool contains 5 "ParameterXml" rows:

ParameterXml == "<Param>SQL Server (MSSQLSERVER)</Param><Param>stopped</Param><Param>-</Param>" 
ParameterXml == "<Param>SQL Server Agent (MSSQLSERVER)</Param><Param>stopped</Param><Param>-</Param>"
ParameterXml == "<Param>SQL Server Integration Services 13.0</Param><Param>stopped</Param><Param>-</Param>"
ParameterXml == "<Param>SQL Server Analysis Services (MULTIDIM)</Param><Param>stopped</Param><Param>-</Param>"

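So how do I get results with "EventID" and "Computer" and one of the "ParameterXml" values? I don't want to get results if all "ParameterXml" values match, or if another "ParameterXml" (from another service) matches the search.

I tried different ways with "AND" and "OR", but I don't get it.

Do you have any ideas? Thanks in advance!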

OK, I asked a friend for help. I have to add one more "where" operator, so the correct query is:

Event
| where EventID == 7036 and Computer == "testSQLServer"
| where ParameterXml == "<Param>SQL Server (MSSQLSERVER)</Param><Param>stopped</Param><Param>-</Param>" 
or ParameterXml == "<Param>SQL Server Agent (MSSQLSERVER)</Param><Param>stopped</Param><Param>-</Param>" 
or ParameterXml == "<Param>SQL Server Integration Services 13.0</Param><Param>stopped</Param><Param>-</Param>" 
or ParameterXml == "<Param>SQL Server Analysis Services (MSSQLSERVER)</Param><Param>stopped</Param><Param>-</Param>"

Happy monitoring!

A more elegant way is to use the "in" operator instead of "or", like this:

Event
| where EventID == 7036 and Computer == "testSQLServer"
| where ParameterXml in ("<Param>SQL Server (MSSQLSERVER)</Param><Param>stopped</Param><Param>-</Param>", 
                         "<Param>SQL Server Agent (MSSQLSERVER)</Param><Param>stopped</Param><Param>-</Param>", 
                         "<Param>SQL Server Integration Services 13.0</Param><Param>stopped</Param><Param>-</Param>",
                         "<Param>SQL Server Analysis Services (MSSQLSERVER)</Param><Param>stopped</Param><Param>-</Param>")
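
The following is an added example, not part of either answer above: instead of comparing the whole ParameterXml string, it splits the value into service name and state with the parse operator and then filters the name with in, so a change in the trailing parameters does not silently break the match. The SampleEvent rows and the column names ServiceName and ServiceState are constructed for illustration; replace SampleEvent with Event to query real data.

```kql
// Constructed sample rows standing in for the Event table (not real log data).
let SampleEvent = datatable(TimeGenerated:datetime, Computer:string, EventID:int, ParameterXml:string)
[
    datetime(2024-01-01 10:00:00), "testSQLServer", 7036, "<Param>SQL Server (MSSQLSERVER)</Param><Param>stopped</Param><Param>-</Param>",
    datetime(2024-01-01 10:01:00), "testSQLServer", 7036, "<Param>SQL Server Agent (MSSQLSERVER)</Param><Param>running</Param><Param>-</Param>",
    datetime(2024-01-01 10:02:00), "testSQLServer", 7036, "<Param>Print Spooler</Param><Param>stopped</Param><Param>-</Param>",
    datetime(2024-01-01 10:03:00), "otherServer",   7036, "<Param>SQL Server (MSSQLSERVER)</Param><Param>stopped</Param><Param>-</Param>"
];
// Service display names to watch, taken from the queries above.
let WatchedServices = dynamic([
    "SQL Server (MSSQLSERVER)",
    "SQL Server Agent (MSSQLSERVER)",
    "SQL Server Integration Services 13.0",
    "SQL Server Analysis Services (MSSQLSERVER)"
]);
SampleEvent
| where EventID == 7036 and Computer == "testSQLServer"
// Split the first two <Param> elements into columns; * absorbs the remainder.
| parse ParameterXml with "<Param>" ServiceName "</Param><Param>" ServiceState "</Param>" *
// Keep only stop events for the watched services.
| where ServiceState == "stopped" and ServiceName in (WatchedServices)
| project TimeGenerated, Computer, ServiceName, ServiceState
```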