Splunk Lantern

VMotion events for a specific virtual machine

VMotion is the process of moving a virtual machine from one ESXi host to another in an effort to balance the workload of all virtual machines as evenly and effectively as possible. You might need to track VMotion events for a specific virtual machine when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

While the VMotion process is seamless to the virtual machine operation, it can impact performance. You want to monitor virtual machines being moved from one ESXi host to another so you can be prepared for any problems caused by the process. 

To optimize the search shown below, you should specify an index and a time range.

  1. Run the following search: 
sourcetype=vmware:inv:hierarchy type=VirtualMachine moid=<MOID of the VM to track>
|reverse
|dedup consecutive=true moid changeSet.runtime.host.moid
|table _time moid changeSet.runtime.host.moid
|rename changeSet.runtime.host.moid AS esxi_host

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search
    Explanation

sourcetype=vmware:inv:hierarchy
    Search only VMware hierarchy inventory data.

type=VirtualMachine
    Search only virtual machines.

moid=<MOID of the VM to track>
    Search for the managed object ID (MOID) of the virtual machine you want to track.

|reverse
|dedup consecutive=true moid "changeSet.runtime.host.moid"
    Reverse the order of the display so the dedup command can move forward through time. Remove duplicate combinations of consecutive values.

|table _time moid changeSet.runtime.host.moid
    Display the results in a table with columns in the order shown.

|rename changeSet.runtime.host.moid AS esxi_host
    Rename the field as shown for better readability.
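The reverse and dedup consecutive=true steps explained above, mirrored in Python over exported events. This is an added example, not code from the original page or from Splunk. The function names are assumptions, and the sample events are constructed: the host-change timestamps follow this page's sample results, and the repeated snapshots between them are invented. It also shows why consecutive=true matters and derives how long the VM stayed on each host before moving.

```python
from datetime import datetime

# Constructed sample: (time, VM moid, host moid), newest first, which is the
# order a Splunk search returns events. Repeated snapshots on one host included.
EVENTS = [
    ("2020-11-03T14:46:57", "vm-77", "host-10"),
    ("2020-11-03T14:45:40", "vm-77", "host-11"),
    ("2020-11-03T14:44:27", "vm-77", "host-11"),
    ("2020-11-03T14:43:31", "vm-77", "host-10"),
    ("2020-11-03T14:41:55", "vm-77", "host-11"),
    ("2020-11-03T14:40:42", "vm-77", "host-11"),
    ("2020-11-03T14:39:27", "vm-77", "host-10"),
]


def dedup(events, consecutive):
    """Mimic `dedup moid host`, keeping the first event of each (moid, host) pair.

    consecutive=True drops an event only when it repeats the pair of the event
    immediately before it; consecutive=False drops every later repeat.
    """
    kept, seen, previous = [], set(), None
    for event in events:
        key = event[1:]
        duplicate = key == previous if consecutive else key in seen
        if not duplicate:
            kept.append(event)
        seen.add(key)
        previous = key
    return kept


def host_changes(events):
    """reverse + dedup consecutive=true, then pair each row with the one before it."""
    placements = dedup(list(reversed(events)), consecutive=True)
    moves = []
    for (t0, _, src), (t1, moid, dst) in zip(placements, placements[1:]):
        dwell = datetime.fromisoformat(t1) - datetime.fromisoformat(t0)
        # (time of move, VM, source host, destination host, seconds on source host)
        moves.append((t1, moid, src, dst, int(dwell.total_seconds())))
    return moves


if __name__ == "__main__":
    for move in host_changes(EVENTS):
        print(move)
```

Without consecutive=true, the same data collapses to the first sighting on each host, so every return to a host already seen is lost.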

Result

The table below shows sample results for the search. You can see that the earliest time returned from the search is 14:39 with vm-77 on host-10. Approximately a minute and a half later, at 14:40:42, you see vm-77 is on host-11. Another minute and a half later, vm-77 has moved back to host-10. The data generated for the example has vm-77 moving back and forth between host-10 and host-11 as we advance in time.

_time                          moid    esxi_host
2020-11-03T14:39:27.000+0000   vm-77   host-10
2020-11-03T14:40:42.000+0000   vm-77   host-11
2020-11-03T14:43:31.000+0000   vm-77   host-10
2020-11-03T14:44:27.000+0000   vm-77   host-11
2020-11-03T14:46:57.000+0000   vm-77   host-10

Alternatively, you can add this timechart command to the end of the search for a visualization of the movement of the VMs:

|timechart span=1m dc(moid) BY "changeSet.runtime.host.moid"