Azure Portal에서 이러한 쿼리를 사용하는 방법에 대한 자세한 내용은 Log Analytics 자습서를 참조하세요. REST API의 경우 쿼리를 참조하세요.
상위 토커 가져오기
정의된 기간 동안 상위 10개 토커를 나열합니다.
// Top talkers on the circuit: rank flow tuples by their (sampled) byte count over
// the window, then chart the per-5-minute usage of the busiest ones.
let startTime = ago(2h);
let endTime = ago(1h);
let num_toptalkers = 10; // How many top-talker tuples to chart. Change this value to display a different number of items
let tupleKind = "5"; // "5" = src/dst IP + ports + protocol; "3" = src/dst IP + protocol
let flows = ATCExpressRouteCircuitIpfix
| where FlowRecordTime between (startTime .. endTime)
| extend
    tuple3 = strcat("SrcIP:", SourceIp, " DestIP:", DestinationIp, " Protocol:", Protocol),
    tuple5 = strcat("SrcIP:", SourceIp, " SourcePort:", SourcePort, " DestIP:", DestinationIp, " DestPort:", DestinationPort, " Protocol:", Protocol),
    // Estimated circuit bandwidth used: payload bytes plus 14 header bytes per packet,
    // scaled by 4096, the sampling rate used by ERTC. This is an estimate, not an exact byte count.
    TotalBytes = (NumberOfBytes + (14 * NumberOfPackets)) * 4096
// Collapse duplicate records of the same flow sequence to a single row
| summarize hint.strategy=shuffle arg_max(FlowRecordTime, *) by tuple5, TotalBytes, tuple3, Flowsequence
| extend tuple = iff(tupleKind == "3", tuple3, tuple5);
let topTalkers = flows
| summarize sum(TotalBytes) by tuple
| top num_toptalkers by sum_TotalBytes desc; // busiest tuples over the whole window
topTalkers
| join kind=inner (
    flows
    | summarize sum(TotalBytes) by bin(FlowRecordTime, 5m), tuple
) on $left.tuple == $right.tuple
| extend TotalBytes = sum_TotalBytes1
| project-away sum_TotalBytes, sum_TotalBytes1, tuple1
| render columnchart with(kind=unstacked)
원본 및 대상 포트별 상위 토커 가져오기
정의된 기간 동안 원본 및 대상 포트를 기준으로 상위 토커 10개를 나열합니다.
// Top talkers by port: rank source (or destination) ports by their (sampled) byte
// count over the window, then chart the per-5-minute usage of the busiest ones.
let startTime = ago(2h);
let endTime = ago(1h);
let num_toptalkers = 10; // How many ports to chart
let portType = "Source"; // Change to "Dest" for destination port based query
let flows = ATCExpressRouteCircuitIpfix
| where FlowRecordTime between (startTime .. endTime)
| extend
    tuple5 = strcat("SrcIP:", SourceIp, " SourcePort:", SourcePort, " DestIP:", DestinationIp, " DestPort:", DestinationPort, " Protocol:", Protocol),
    // Estimated circuit bandwidth used: payload bytes plus 14 header bytes per packet,
    // scaled by 4096, the sampling rate used by ERTC. This is an estimate, not an exact byte count.
    TotalBytes = (NumberOfBytes + (14 * NumberOfPackets)) * 4096
// Collapse duplicate records of the same flow sequence to a single row
| summarize hint.strategy=shuffle arg_max(FlowRecordTime, *) by tuple5, TotalBytes, SourcePort, DestinationPort, Flowsequence
| extend port = iff(portType == "Source", SourcePort, DestinationPort);
let topPorts = flows
| summarize sum(TotalBytes) by port
| top num_toptalkers by sum_TotalBytes desc; // busiest ports over the whole window
topPorts
| join kind=inner (
    flows
    | summarize sum(TotalBytes) by bin(FlowRecordTime, 5m), port
) on $left.port == $right.port
| extend TotalBytes = sum_TotalBytes1, Port = strcat("Port:", port1)
| project-away sum_TotalBytes, sum_TotalBytes1, port, port1
| render columnchart with(kind=unstacked)
총 대역폭 사용량 가져오기
지정된 시간 범위 동안 사용된 총 대역폭에 대한 보고서를 가져옵니다.
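// Total circuit bandwidth used per minute over the window, in gigabytes.
let startTime = ago(2h);
let endTime = ago(1h);
ATCExpressRouteCircuitIpfix
| where FlowRecordTime between (startTime .. endTime)
| extend
    tuple5 = strcat("SrcIP:", SourceIp, " SourcePort:", SourcePort, " DestIP:", DestinationIp, " DestPort:", DestinationPort, " Protocol:", Protocol),
    // Estimated circuit bandwidth used: payload bytes plus 14 header bytes per packet,
    // scaled by 4096, the sampling rate used by ERTC. This is an estimate, not an exact byte count.
    TotalBytes = (NumberOfBytes + (14 * NumberOfPackets)) * 4096
// Collapse duplicate records of the same flow sequence to a single row
| summarize hint.strategy=shuffle arg_max(FlowRecordTime, *) by tuple5, TotalBytes, Flowsequence
| summarize sum(TotalBytes) by bin(FlowRecordTime, 1m)
// Bytes to gigabytes (1024^3). round() keeps the fractional part, so a 1-minute
// bin that moved less than 1 GB is charted as its real value instead of 0.
| extend TotalGB = round(sum_TotalBytes / 1024 / 1024 / 1024, 3)
| project-away sum_TotalBytes
| render columnchart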