
Understanding the Azure Resource Graph query language

The Azure Resource Graph query language supports several operators and functions. Each operator and function works and behaves as it does in the Kusto Query Language (KQL). To learn the query language that Resource Graph uses, start with the KQL tutorial.

This article describes the language components that Resource Graph supports:

Resource Graph tables

Resource Graph provides several tables for the data it stores about Azure Resource Manager resource types and their properties. Resource Graph tables can be used with the join operator to get properties from related resource types.

Resource Graph tables that support join:

Resource Graph table | Can join other tables? | Description
AdvisorResources | Yes | Includes resources related to Microsoft.Advisor.
AlertsManagementResources | Yes | Includes resources related to Microsoft.AlertsManagement.
AppServiceResources | Yes | Includes resources related to Microsoft.Web.
AuthorizationResources | Yes | Includes resources related to Microsoft.Authorization.
AWSResources | Yes | Includes resources related to Microsoft.AwsConnector.
AzureBusinessContinuityResources | Yes | Includes resources related to Microsoft.AzureBusinessContinuity.
ChaosResources | Yes | Includes resources related to Microsoft.Chaos.
CommunityGalleryResources | Yes | Includes resources related to Microsoft.Compute.
ComputeResources | Yes | Includes resources related to Microsoft.Compute virtual machine scale sets.
DesktopVirtualizationResources | Yes | Includes resources related to Microsoft.DesktopVirtualization.
DnsResources | Yes | Includes resources related to Microsoft.Network.
EdgeOrderResources | Yes | Includes resources related to Microsoft.EdgeOrder.
ElasticsanResources | Yes | Includes resources related to Microsoft.ElasticSan.
ExtendedLocationResources | Yes | Includes resources related to Microsoft.ExtendedLocation.
FeatureResources | Yes | Includes resources related to Microsoft.Features.
GuestConfigurationResources | Yes | Includes resources related to Microsoft.GuestConfiguration.
HealthResourceChanges | Yes | Includes resources related to Microsoft.Resources.
HealthResources | Yes | Includes resources related to Microsoft.ResourceHealth.
InsightsResources | Yes | Includes resources related to Microsoft.Insights.
IoTSecurityResources | Yes | Includes resources related to Microsoft.IoTSecurity and Microsoft.IoTFirmwareDefense.
KubernetesConfigurationResources | Yes | Includes resources related to Microsoft.KubernetesConfiguration.
KustoResources | Yes | Includes resources related to Microsoft.Kusto.
MaintenanceResources | Yes | Includes resources related to Microsoft.Maintenance.
ManagedServicesResources | Yes | Includes resources related to Microsoft.ManagedServices.
MigrateResources | Yes | Includes resources related to Microsoft.OffAzure.
NetworkResources | Yes | Includes resources related to Microsoft.Network.
PatchAssessmentResources | Yes | Includes resources related to Azure Virtual Machines patch assessment: Microsoft.Compute and Microsoft.HybridCompute.
PatchInstallationResources | Yes | Includes resources related to Azure Virtual Machines patch installation: Microsoft.Compute and Microsoft.HybridCompute.
PolicyResources | Yes | Includes resources related to Microsoft.PolicyInsights.
RecoveryServicesResources | Yes | Includes resources related to Microsoft.DataProtection and Microsoft.RecoveryServices.
ResourceChanges | Yes | Includes resources related to Microsoft.Resources.
ResourceContainerChanges | Yes | Includes resources related to Microsoft.Resources.
ResourceContainers | Yes | Includes the management group (Microsoft.Management/managementGroups), subscription (Microsoft.Resources/subscriptions), and resource group (Microsoft.Resources/subscriptions/resourcegroups) resource types and data.
Resources | Yes | The default table if no table is defined in the query. Most Resource Manager resource types and properties are here.
SecurityResources | Yes | Includes resources related to Microsoft.Security.
ServiceFabricResources | Yes | Includes resources related to Microsoft.ServiceFabric.
ServiceHealthResources | Yes | Includes resources related to Microsoft.ResourceHealth/events.
SpotResources | Yes | Includes resources related to Microsoft.Compute.
SupportResources | Yes | Includes resources related to Microsoft.Support.
TagsResources | Yes | Includes resources related to Microsoft.Resources/tagnamespaces.

For a list of the tables and the resource types they contain, go to the Azure Resource Graph table and resource type reference.

Note

Resources is the default table. When you query the Resources table, you don't need to provide the table name unless you use join or union. The recommended practice, however, is to always include the initial table in your query.

To discover which resource types are available in each table, use Resource Graph Explorer in the portal. Alternatively, use a query such as <tableName> | distinct type to get a list of the resource types that a given Resource Graph table supports and that exist in your environment.

The following query shows a simple use of join. The query result blends the columns together, and any duplicate column names from the joined table (ResourceContainers in this example) are appended with 1. Because the ResourceContainers table has types for both subscriptions and resource groups, either type might be used to join to the resource from the Resources table.

Resources
| join ResourceContainers on subscriptionId
| limit 1

The following query shows a more complex use of join. First, the query uses project to get fields from Resources for the Azure Key Vault vaults resource type. The next step uses join to merge the results with ResourceContainers, where the type is a subscription, on a property that is in both the first table's project and the joined table's project. The field rename avoids join adding it as name1, because the property is already projected from Resources. The query result is a single key vault, showing the key vault's type, name, location, and resource group, along with the name of the subscription the key vault is in.

Resources
| where type == 'microsoft.keyvault/vaults'
| project name, type, location, subscriptionId, resourceGroup
| join (ResourceContainers | where type=='microsoft.resources/subscriptions' | project SubName=name, subscriptionId) on subscriptionId
| project type, name, location, resourceGroup, SubName
| limit 1

Note

When limiting the join results with project, the property used by join to relate the two tables, subscriptionId in the above example, must be included in project.

Extended properties

As a preview feature, some of the resource types in Resource Graph have more type-related properties available to query beyond the properties provided by Azure Resource Manager. This set of values, known as extended properties, exists on a supported resource type in properties.extended. To show resource types with extended properties, use the following query:

Resources
| where isnotnull(properties.extended)
| distinct type
| order by type asc

Example: Get a count of virtual machines by instanceView.powerState.code:

Resources
| where type == 'microsoft.compute/virtualmachines'
| summarize count() by tostring(properties.extended.instanceView.powerState.code)

Resource Graph custom language elements

Shared query syntax (preview)

As a preview feature, a shared query can be accessed directly in a Resource Graph query. This scenario makes it possible to create standard queries as shared queries and reuse them. To call a shared query inside a Resource Graph query, use the {{shared-query-uri}} syntax. The URI of the shared query is the Resource ID of the shared query on the Settings page for that query. In this example, our shared query URI is /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/SharedQueries/providers/Microsoft.ResourceGraph/queries/Count VMs by OS. This URI points to the subscription, resource group, and full name of the shared query that we want to reference in another query. This query is the same as the one created in Tutorial: Create and share queries.

Note

A query that references a shared query can't itself be saved as a shared query.

Example 1: Use only a shared query:

The results of this Resource Graph query are the same as the query stored in the shared query.

{{/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/SharedQueries/providers/Microsoft.ResourceGraph/queries/Count VMs by OS}}

Example 2: Include a shared query in a larger query:

This query first uses the shared query, and then uses limit to further restrict the results.

{{/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/SharedQueries/providers/Microsoft.ResourceGraph/queries/Count VMs by OS}}
| where properties_storageProfile_osDisk_osType =~ 'Windows'

Supported KQL language elements

Resource Graph supports a subset of KQL data types, scalar functions, scalar operators, and aggregation functions. Specific tabular operators are supported by Resource Graph, some of which have different behaviors.

Supported tabular/top-level operators

The following is a list of the KQL tabular operators that Resource Graph supports, with specific samples:

KQL | Resource Graph sample query | Notes
count | Count key vaults |
distinct | Show resources that contain storage |
extend | Count virtual machines by OS type |
join | Key vaults with subscription name | Join flavors supported: innerunique, inner, leftouter, and fullouter. A maximum of three join or union operations (or a combination of both), counted together, are allowed in a single query, one of which might be a cross-table join. If all cross-table join use is between Resources and ResourceContainers, then three cross-table joins are allowed. Custom join strategies, such as broadcast join, aren't allowed. For which tables can use join, go to Resource Graph tables.
limit | List all public IP addresses | Synonym of take. Doesn't work with Skip.
mvexpand | | Legacy operator, use mv-expand instead. RowLimit max of 2,000. The default is 128.
mv-expand | List Azure Cosmos DB with specific write locations | RowLimit max of 2,000. The default is 128. Limit of three mv-expand in a single query.
order | List resources sorted by name | Synonym of sort.
parse | Get virtual networks and subnets of network interfaces | It's optimal to access properties directly if they exist instead of using parse.
project | List resources sorted by name |
project-away | Remove columns from results |
sort | List resources sorted by name | Synonym of order.
summarize | Count Azure resources | Simplified first page only.
take | List all public IP addresses | Synonym of limit. Doesn't work with Skip.
top | Show the first five virtual machines by name and their OS type |
union | Combine results from two queries into a single result | Single table allowed: | union [kind= inner|outer] [withsource=ColumnName] Table. Limit of three union legs in a single query. Fuzzy resolution of union leg tables isn't allowed. Might be used within a single table or between the Resources and ResourceContainers tables.
where | Show resources that contain storage |

By default, a single Resource Graph SDK query can have a maximum of three join and three mv-expand operators. You can request an increase of these limits for your tenant through Help + support.

To support the Open Query portal experience, Azure Resource Graph Explorer has a higher global limit than Resource Graph SDK.

Note

You can't reference a table as the right table more than once; doing so exceeds the limit of 1. If you do, you get an error with the code DisallowedMaxNumberOfRemoteTables.

Query scope

The scope of the subscriptions or management groups from which resources are returned by a query defaults to a list of subscriptions based on the context of the authorized user. If a management group or a subscription list isn't defined, the query scope is all resources, and includes Azure Lighthouse delegated resources.

You can manually define the list of subscriptions or management groups to query in order to change the scope of the results. For example, the REST API managementGroups property takes the management group ID, which is different from the management group's name. When managementGroups is specified, resources from the first 10,000 subscriptions in or under the specified management group hierarchy are included. managementGroups and subscriptions can't be used at the same time.

Example: Query all resources in the management group hierarchy named My Management Group, whose ID is myMG.

  • REST API URI

    POST https://management.azure.com/providers/Microsoft.ResourceGraph/resources?api-version=2021-03-01
    
  • Request Body

    {
      "query": "Resources | summarize count()",
      "managementGroups": ["myMG"]
    }
    

The AuthorizationScopeFilter parameter lets you list Azure Policy assignments and Azure role-based access control (Azure RBAC) role assignments in the AuthorizationResources table that are inherited from upper scopes. The AuthorizationScopeFilter parameter accepts the following values for the PolicyResources and AuthorizationResources tables:

  • AtScopeAndBelow (default if not specified): Returns assignments for the given scope and all child scopes.
  • AtScopeAndAbove: Returns assignments for the given scope and all parent scopes, but not child scopes.
  • AtScopeAboveAndBelow: Returns assignments for the given scope, all parent scopes, and all child scopes.
  • AtScopeExact: Returns assignments only for the given scope; no parent or child scopes are included.

Note

To use the AuthorizationScopeFilter parameter, be sure to use the 2021-06-01-preview or later API version in your requests.

Example: Get all policy assignments at the myMG management group and Tenant Root (parent) scopes.

  • REST API URI

    POST https://management.azure.com/providers/Microsoft.ResourceGraph/resources?api-version=2021-06-01-preview
    
  • Example request body

    {
      "options": {
        "authorizationScopeFilter": "AtScopeAndAbove"
      },
      "query": "PolicyResources | where type =~ 'Microsoft.Authorization/PolicyAssignments'",
      "managementGroups": ["myMG"]
    }
    

Example: Get all policy assignments at the mySubscriptionId subscription, management group, and Tenant Root scopes.

  • REST API URI

    POST https://management.azure.com/providers/Microsoft.ResourceGraph/resources?api-version=2021-06-01-preview
    
  • Example request body

    {
      "options": {
        "authorizationScopeFilter": "AtScopeAndAbove"
      },
      "query": "PolicyResources | where type =~ 'Microsoft.Authorization/PolicyAssignments'",
      "subscriptions": ["mySubscriptionId"]
    }
    
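The two request bodies above differ only in the scope property they carry. The following POSIX shell function is an added example, not part of the Azure documentation: it assembles a Resource Graph REST request body and rejects the two invalid combinations the page describes (managementGroups together with subscriptions, and an authorizationScopeFilter value outside the four documented ones). The endpoint and API version are the page's own; the curl invocation at the end assumes an authenticated Azure CLI and is shown but not executed.

```shell
#!/bin/sh
# Added example (not from the Azure docs). Builds the JSON body for a
# POST to the Resource Graph REST API and validates the scope parameters
# the page documents.

# Endpoint and API version taken from the page's examples.
ARG_ENDPOINT="https://management.azure.com/providers/Microsoft.ResourceGraph/resources?api-version=2021-06-01-preview"

# Escape backslashes and double quotes so the query text can sit inside a JSON string.
json_escape() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Usage: build_request_body QUERY FILTER MANAGEMENT_GROUP_ID SUBSCRIPTION_ID
# Pass "" for FILTER to take the service default (AtScopeAndBelow) and ""
# for whichever scope you are not using. Prints the body on success and
# returns 1 on an invalid combination.
build_request_body() {
    rb_query=$1; rb_filter=$2; rb_mg=$3; rb_sub=$4

    # managementGroups and subscriptions can't be used at the same time.
    if [ -n "$rb_mg" ] && [ -n "$rb_sub" ]; then
        echo "error: managementGroups and subscriptions can't be used together" >&2
        return 1
    fi
    # Only the four documented AuthorizationScopeFilter values are accepted.
    case "$rb_filter" in
        ""|AtScopeAndBelow|AtScopeAndAbove|AtScopeAboveAndBelow|AtScopeExact) ;;
        *) echo "error: unknown authorizationScopeFilter '$rb_filter'" >&2; return 1 ;;
    esac

    rb_body='{'
    if [ -n "$rb_filter" ]; then
        rb_body="$rb_body\"options\":{\"authorizationScopeFilter\":\"$rb_filter\"},"
    fi
    rb_body="$rb_body\"query\":\"$(json_escape "$rb_query")\""
    if [ -n "$rb_mg" ]; then
        rb_body="$rb_body,\"managementGroups\":[\"$rb_mg\"]"
    elif [ -n "$rb_sub" ]; then
        rb_body="$rb_body,\"subscriptions\":[\"$rb_sub\"]"
    fi
    printf '%s\n' "$rb_body}"
}

# Sending the request (assumes a logged-in Azure CLI for the token; not executed here):
#   body=$(build_request_body \
#     "PolicyResources | where type =~ 'Microsoft.Authorization/PolicyAssignments'" \
#     AtScopeAndAbove myMG "")
#   curl -sS -X POST "$ARG_ENDPOINT" \
#     -H "Authorization: Bearer $(az account get-access-token --query accessToken -o tsv)" \
#     -H "Content-Type: application/json" \
#     -d "$body"
```

Checking the scope combination before the request is sent saves a round trip and, more importantly, makes it obvious in code review whether a query is meant to run against a management group hierarchy or a single subscription.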

Escape characters

Some property names, such as those that contain a period (.) or a dollar sign ($), must be wrapped or escaped in the query. Otherwise the property name is interpreted incorrectly and doesn't provide the expected results.

  • Period (.) - Wrap the property name in square brackets: ['propertyname.withaperiod'].

    Example query that wraps the property odata.type:

    where type=~'Microsoft.Insights/alertRules' | project name, properties.condition.['odata.type']
    
  • Dollar sign ($) - Escape the character in the property name. The escape character to use depends on the shell from which Resource Graph is run.

    • Bash: Use a backslash (\) as the escape character.

      Example query that escapes the property $type in Bash:

      where type=~'Microsoft.Insights/alertRules' | project name, properties.condition.\$type
      
    • cmd: Don't escape the dollar sign ($) character.

    • PowerShell: Use a backtick (`) as the escape character.

      Example query that escapes the property $type in PowerShell:

      where type=~'Microsoft.Insights/alertRules' | project name, properties.condition.`$type
      
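The period and dollar-sign rules above are easy to get wrong because they fail silently: the query still runs, it just names a property that doesn't exist. The following POSIX shell snippet is an added example, not code from the Azure documentation. It builds the page's odata.type path with the bracket wrapping, then shows what the shell actually hands to the CLI when $type is left unescaped inside double quotes versus escaped with a backslash or placed in a quoted heredoc. The az graph query invocation at the end assumes the Azure CLI resource-graph extension is installed and is shown but not executed.

```shell
#!/bin/sh
# Added example (not from the Azure docs). Demonstrates the two escaping
# rules from the page: bracket-wrapping segments that contain a period,
# and keeping a literal $ out of the shell's variable expansion.

# Builds a KQL property path from its segments, wrapping any segment that
# contains a period in ['...'] as the page describes. Dollar signs are a
# shell problem rather than a KQL one, so they are not touched here.
kql_path() {
    kp_out=""
    for kp_seg in "$@"; do
        case "$kp_seg" in
            *.*) kp_seg="['$kp_seg']" ;;
        esac
        if [ -z "$kp_out" ]; then kp_out=$kp_seg; else kp_out="$kp_out.$kp_seg"; fi
    done
    printf '%s' "$kp_out"
}

# Wrong: inside double quotes the shell reads $type as a variable
# reference and substitutes its (empty) value, so the path is truncated
# to "properties.condition." before Resource Graph ever sees it.
build_query_unescaped() {
    printf '%s' "where type=~'Microsoft.Insights/alertRules' | project name, properties.condition.$type"
}

# Right: the backslash stops expansion, so the literal characters $type
# reach Resource Graph intact.
build_query_escaped() {
    printf '%s' "where type=~'Microsoft.Insights/alertRules' | project name, properties.condition.\$type"
}

# Alternative: a quoted heredoc delimiter ('EOF') disables all expansion,
# which is convenient for longer queries that mix $ with single-quoted
# KQL string literals.
build_query_heredoc() {
    cat <<'EOF'
where type=~'Microsoft.Insights/alertRules' | project name, properties.condition.$type
EOF
}

# Handing the query to the CLI (assumes the resource-graph extension; not executed here):
#   az graph query -q "$(build_query_escaped)"
#   az graph query -q "where type=~'Microsoft.Insights/alertRules' | project name, $(kql_path properties condition odata.type)"
```

A quick way to catch the unescaped case in scripts is to echo the assembled query before sending it; a path that ends in a trailing period is the signature of a dollar sign the shell swallowed.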

Next steps