Splunk Lantern

Recently triggered vSphere alarms

You might need to see all recently triggered vSphere alarms when doing the following:


In order to execute this procedure in your environment, the following data, services, or apps are required:


VMware vSphere lets you author alerting rules to identify various conditions that occur in your VMware environment. Some alerts indicate problems while others are informational. You want a search that allows you to easily see all alarms so that you can review them and investigate further if necessary.

To optimize the search shown below, you should specify an index and a time range.

  1. Ensure that you have installed the IT Essentials Work app to onboard VMware data and provide the various VMware entity type configurations and dashboards.
  2. Ensure that you are collecting VMware data through one or more Data Collection Nodes, which are essentially Splunk heavy forwarders with specific VMware collection configurations. 
  3. Run the following search: 
     index="vmware-taskevent" sourcetype="vmware_inframon:events"
     | spath alarm
     | search alarm=*
     | eval From=if(isnull('from'),"N/A",'from'), To=if(isnull('to'),"N/A",'to')
     | stats count BY host, entity.entity.type, <entity_name_field>, From, To, fullFormattedMessage, _time
     | rename host AS vCenter entity.entity.type AS "Entity Type" <entity_name_field> AS "Entity Name" fullFormattedMessage AS "Message"
     | fields - count

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search / Explanation

index="vmware-taskevent" sourcetype="vmware_inframon:events"
    Search event indexes for VMware events.

| spath alarm
| search alarm=*
    Search for events with alarms.

| eval From=if(isnull('from'),"N/A",'from'), To=if(isnull('to'),"N/A",'to')
    Validate that data is present. When the from or to field is null, "N/A" is used in its place.

| stats count BY host, entity.entity.type, <entity_name_field>, From, To, fullFormattedMessage, _time
    Display the alarm-related information.

| rename host AS vCenter entity.entity.type AS "Entity Type" <entity_name_field> AS "Entity Name" fullFormattedMessage AS "Message"
    Rename the fields as shown for better readability.

| fields - count
    Remove the count field from the results.


The results show the time each alarm was triggered, the host it was triggered on, the host's previous status and current status after the alarm, and the alarm's message. Depending on the types of rules you author and activate, it might be helpful to correlate VMware alerts with other operational and performance metrics associated with the applications running on the virtual machine.
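
To check the search logic without any VMware data onboarded, the following added example (not part of the original article) runs the same pipeline over three constructed events generated with makeresults. The host name, alarm names, status values, and messages are assumptions made up for the test, and the Entity Name column is left out. The event without an alarm is dropped, and the alarm event with no from or to field shows "N/A" in both columns.

```spl
| makeresults count=3
| streamstats count AS n
| eval host="vcenter01.example.test"
| eval _raw=case(
    n=1, "{\"alarm\":{\"name\":\"Sample CPU alarm\"},\"entity\":{\"entity\":{\"type\":\"HostSystem\"}},\"from\":\"green\",\"to\":\"red\",\"fullFormattedMessage\":\"Constructed sample: alarm changed from green to red\"}",
    n=2, "{\"alarm\":{\"name\":\"Sample datastore alarm\"},\"entity\":{\"entity\":{\"type\":\"Datastore\"}},\"fullFormattedMessage\":\"Constructed sample: alarm event without from and to\"}",
    n=3, "{\"entity\":{\"entity\":{\"type\":\"VirtualMachine\"}},\"fullFormattedMessage\":\"Constructed sample: task event with no alarm\"}")
| spath
| spath alarm
| search alarm=*
| eval From=if(isnull('from'),"N/A",'from'), To=if(isnull('to'),"N/A",'to')
| stats count BY host, entity.entity.type, From, To, fullFormattedMessage, _time
| rename host AS vCenter entity.entity.type AS "Entity Type" fullFormattedMessage AS "Message"
| fields - count
```

The extra `| spath` is needed only here because events built with makeresults do not get automatic JSON field extraction.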
