Skip to main content
Splunk Lantern

Virtual machines currently running on ESXi host

You might need to see what virtual machines are hosted in which ESXi hosts when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

Understanding which ESXi host is currently running a virtual machine is a fundamental aspect of VMware monitoring. It lets you see all virtual machines running on an ESXi host and determine if poor performance could be caused by a noisy neighbor. You want a search that will allow you to easily gather this type of inventory.

To optimize the search shown below, you should specify an index and a time range.

  1. Run the following search: 
sourcetype=vmware:inv:hierarchy type=VirtualMachine moid="*"
|stats values(moid) AS "VM Id" BY _time changeSet.runtime.host.moid 
|rename changeSet.runtime.host.moid AS "ESXi Host"

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

sourcetype=vmware:inv:hierarchy type=VirtualMachine

Search only VMware hierarchy inventory data and limit the search to virtual machine data.

moid="*"

Return all VMs running on a host at the point in time. 

To look for a specific VM, you could change the wildcard to the name, (e.g. “vm-77”).

|stats values(moid) AS "VM Id" BY _time changeSet.runtime.host.moid

Group the values of the moid by the fields in the BY clause. 

|rename changeSet.runtime.host.moid AS "ESXi Host"

Rename the fields as shown for better readability.

Result 

Sample results for this search are shown in the table below. It provides a list of virtual machines (VM) running on a host at the time the data was received by Splunk. The first five entries show vm-77 moving back and forth between host-10 and host-11. The table also shows that host-10 is hosting many VMs at T13:49 and that host-26 has only three. That information could be used to consider host-26 as a candidate to balance the load by moving some VMs off of host-10. 

This search would be good in a dashboard with an interactive input to select VM IDs to investigate. A second input on the same dashboard could allow for the ESXi Host to be selected, rather than defaulting to all.  

_time ESXi Host VM Id

2020-11-05T13:40:19

host-10

vm-77

2020-11-05T13:41:34

host-11

vm-77

2020-11-05T13:44:22

host-10

vm-77

2020-11-05T13:45:19

host-11

vm-77

2020-11-05T13:47:490

host-10

vm-77

2020-11-05T13:49:24

host-10

vm-186

vm-187

vm-188

vm-189

vm-190

vm-192

vm-207

vm-209

vm-211

vm-216

vm-220

vm-224

vm-226

vm-231

vm-234

vm-237

vm-261

2020-11-05T13:49:24

host-26

vm-113

vm-206

vm-214

  • Was this article helpful?