Azure 日志分析严重性级别为字符串答案

【问题标题】：Azure log analytics severity level as stringAzure 日志分析严重性级别为字符串
【发布时间】：2022-10-17 08:13:33
【问题描述】：

目前在 Azure 应用程序洞察力中，我们在 severityLevel 下看到严重级别的编号，而不是信息、错误等文本......是否可以将 severityLevel 显示为字符串。

"Serilog": {
"Using": [
    "Serilog.Sinks.ApplicationInsights"
],
"MinimumLevel": {
    "Default": "Debug",
    "Override": {
        "Microsoft": "Information"
    }
},
"WriteTo": [
    {
        "Name": "ApplicationInsights",
        "Args": {
            "restrictedToMinimumLevel": "Information",
            "telemetryConverter": "Serilog.Sinks.ApplicationInsights.Sinks.ApplicationInsights.TelemetryConverters.TraceTelemetryConverter, Serilog.Sinks.ApplicationInsights",
            "instrumentationKey": "key"
        }
    }
],
"Enrich": [
    "FromLogContext"
],
"Properties": {
    "Application": "Sample"
}
}

【问题讨论】：

Azure 门户将始终将其显示为数字。我唯一能想到的是将文本表示记录为自定义属性或使用基于文本的值扩展您的 kusto 查询。
嗨，彼得感谢您的回复。使用基于文本的值扩展 kusto 查询会是什么样子？
请看下面我的回答

标签： azure azure-application-insights kql azure-log-analytics

【解决方案1】：

特设函数，使用let 语句

// Sample generation. Not part of the solution
let traces = materialize(range i from 1 to 10 step 1 | project severityLevel = toint(rand(5)), Timestamp = ago(rand()*1d));
// Solution starts here
let getSeverityDescription = (severityLevel:int)
{
    dynamic(["Verbose", "Information", "Warning", "Error", "Critical"])[severityLevel]
};
traces
| extend SeverityDescription = getSeverityDescription(severityLevel)

severityLevel	Timestamp	SeverityDescription
3	2022-06-29T11:56:30.3936027Z	Error
4	2022-06-29T15:08:45.0941469Z	Critical
4	2022-06-30T03:02:29.1658275Z	Critical
1	2022-06-30T03:29:22.4724933Z	Information
0	2022-06-30T04:01:15.7748102Z	Verbose
0	2022-06-30T04:37:39.740977Z	Verbose
2	2022-06-30T05:13:04.734582Z	Warning
2	2022-06-30T07:32:01.9569582Z	Warning
2	2022-06-30T07:41:46.3364296Z	Warning
1	2022-06-30T09:42:22.5852665Z	Information

Fiddle

【讨论】：

【解决方案2】：

严重级别是一个枚举，参见the docs：

关键 4
关键严重性级别。

错误 3
错误严重性级别。

资料1
信息严重性级别。

详细 0
详细严重性级别。

警告 2
警告严重性级别。

我们可以使用它来创建一个 kusto 查询：

let severities = datatable(severityLevel:int, severity:string)
[
   0, "Verbose",
   1, "Information",
   2, "Warning",
   3, "Error",
   4, "Critical",
];
traces
| join severities on severityLevel
| project timestamp, message, severity

【讨论】：

【解决方案3】：

痕迹 |扩展 LoggedDate =timestamp, TracingCorrelationId = customDimensions['prop__TracingCorrelationId'], SeverityLevel = case(severityLevel == 1, "Information",severityLevel == 2, "Warning",severityLevel == 3, "Error", tostring(severityLevel)) , Source = tostring(customDimensions['prop__Source']), Message= customDimensions['prop__Message'], FromDate=ago(30d) |其中（时间戳 >= FromDate）和严重程度在 (1,2,3) | project-away message, operation_Id,customMeasurements,user_AccountId,user_AuthenticatedId, user_Id,sdkVersion,itemType,itemId,itemCount, operation_Name,client_IP, operation_ParentId, iKey, operation_SyntheticSource,cloud_RoleInstance,appId,appName,session_Id, application_Version,client_Browser,client_Model,client_City,client_StateOrProvince ,client_Type,cloud_RoleName,client_OS,client_CountryOrRegion,customDimensions,_ResourceId,severityLevel,timestamp

【讨论】：