Splunk Lantern

Topology of a VMware environment

You might want to visualize and assess the health of all VMware components in your environment, as seen by the VMware infrastructure, when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

Visualizing the VMware environment in a topology view provides an intuitive way for analysts and administrators to better understand the current distribution of resources. A topology view may uncover misconfigurations such as high availability VMs deployed to the same ESXi host, or co-mingled prod and non-prod systems. Additionally, you can use the time picker to review prior topology views to aid in troubleshooting or understand how resources have shifted over time.

To optimize the search shown below, you should specify a time range.

  1. Ensure that you have installed the IT Essentials Work app to onboard VMware data and provide the various VMware entity type configurations and dashboards.
  2. Ensure that you are collecting VMware data through one or more Data Collection Nodes, which are essentially Splunk heavy forwarders with specific VMware collection configurations. 
  3. Run the following search: 
index="vmware-inv" source="VMInv:Hierarchy" type=*
| dedup moid
| eval parent_moid=coalesce('changeSet.runtime.host.moid','changeSet.parent.moid'), name='changeSet.name'
| appendpipe [ stats count BY moid, name 
| rename moid AS parent_moid, name AS parent_name 
| table parent_*]
| eventstats values(parent_name) AS parent_name BY parent_moid
| top useother=true limit=5 name BY parent_name type
| table parent_name name percent
| rename parent_name AS parent, name AS child

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search: index="vmware-inv" source="VMInv:Hierarchy" type=*
Explanation: Search the index and source for VMware hierarchy data.

Splunk Search: | dedup moid
Explanation: Remove results with a duplicate moid to obtain the most recent record for each system in the environment.

Splunk Search: | eval parent_moid=coalesce('changeSet.runtime.host.moid','changeSet.parent.moid'), name='changeSet.name'
Explanation: Ensure that, where possible, the ESXi host is used as the parent for each system.

Splunk Search: | appendpipe [ stats count BY moid, name | rename moid AS parent_moid, name AS parent_name | table parent_*]
| eventstats values(parent_name) AS parent_name BY parent_moid
Explanation: Join the results back to themselves so that a parent_name can be joined to a parent moid for readability.

Splunk Search: | top useother=true limit=5 name BY parent_name type
Explanation: Return only five children for each parent.

Splunk Search: | table parent_name name percent
Explanation: Display the results in a table with columns in the order shown.

Splunk Search: | rename parent_name AS parent, name AS child
Explanation: Rename the fields as shown for better readability.

Result 

You can use this information on-demand during troubleshooting or periodically during general environment checks to monitor your environment.

The SPL in this sample provides one meaningful way of rendering the hierarchy of the environment; however, many other ways exist. For instance, you might want to filter the results by the type field in a dashboard and render a greater number of nodes in the tree. You should modify the SPL to provide a hierarchical rendering that fits your needs.
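As an added example (not part of the original article or of any Splunk app), the following Python applies the search's parent rule to exported inventory records and lists ESXi hosts that run both prod and non-prod VMs, one of the misconfigurations mentioned earlier. The sample records, the "prod-" naming convention, and the function names are assumptions made for illustration.

```python
import re
from collections import defaultdict

HOST, PARENT, NAME = "changeSet.runtime.host.moid", "changeSet.parent.moid", "changeSet.name"

# Constructed sample records (newest first), shaped like the fields the search reads.
# Every moid and name here is made up for illustration.
RECORDS = [
    {"moid": "host-10", NAME: "esxi-01", PARENT: "domain-c1"},
    {"moid": "host-11", NAME: "esxi-02", PARENT: "domain-c1"},
    {"moid": "vm-1", NAME: "prod-db-01", PARENT: "group-v1", HOST: "host-10"},
    {"moid": "vm-2", NAME: "dev-web-01", PARENT: "group-v1", HOST: "host-10"},
    {"moid": "vm-3", NAME: "prod-web-01", PARENT: "group-v1", HOST: "host-11"},
    # Older record for vm-3, from before it moved hosts; dedup must discard it.
    {"moid": "vm-3", NAME: "prod-web-01", PARENT: "group-v1", HOST: "host-10"},
]

# Assumption: production VMs follow a "prod-" naming prefix. Adjust to your convention.
PROD_NAME = re.compile(r"^prod-", re.IGNORECASE)


def parent_moid(rec):
    """Mirror the coalesce() step: prefer the ESXi host, else the inventory parent."""
    return rec.get(HOST) or rec.get(PARENT)


def comingled_hosts(records):
    """Return {host name: sorted VM names} for hosts running prod and non-prod VMs."""
    latest = {}
    for rec in records:  # like `dedup moid`: keep the first (newest) record per moid
        latest.setdefault(rec["moid"], rec)
    names = {moid: rec[NAME] for moid, rec in latest.items()}
    vms_by_host = defaultdict(list)
    for rec in latest.values():
        if rec.get(HOST):  # assumption: only VM records carry a runtime host
            vms_by_host[parent_moid(rec)].append(rec[NAME])
    flagged = {}
    for host, vms in vms_by_host.items():
        if len({bool(PROD_NAME.match(vm)) for vm in vms}) == 2:
            flagged[names.get(host, host)] = sorted(vms)  # fall back to the moid
    return flagged


if __name__ == "__main__":
    for host, vms in comingled_hosts(RECORDS).items():
        print(f"{host} mixes prod and non-prod: {', '.join(vms)}")
```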
