Splunk Lantern

Virtual machines with large file size utilization

You might need to see which virtual machines are consuming large amounts of file space when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

VMware stores several critical files for each virtual machine. Depending on configurations or usage, the overall space consumed by these files might grow large. In some cases, excessive snapshotting might be contributing to the overall file size. You want to identify virtual machines consuming large amounts of file space to determine if you can perform any cleanup to reduce the amount of space being used.

  1. Run the following search: 
sourcetype="vmware:inv:vm"
|dedup moid
|rename changeSet.layoutEx.file{}.* AS file_*
|eval tmp_file_index_array=file_key
|mvexpand tmp_file_index_array
|eval file_idx=mvfind(file_key, tmp_file_index_array)
|eval file_size=mvindex(file_size, file_idx), file_type=mvindex(file_type, file_idx), file_name=mvindex(file_name, file_idx)
|eval sn_file_size = if(file_type="snapshotData", file_size, null())
|stats count AS total_files sum(file_size) AS total_file_size_gb count(sn_file_size) AS snapshots sum(sn_file_size) AS snapshot_size_gb BY moid
|eval total_file_size_gb = round(total_file_size_gb / 1024 / 1024 / 1024, 2), snapshot_size_gb = round(snapshot_size_gb / 1024 / 1024 / 1024, 2)
|sort - total_file_size_gb 

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search Explanation

sourcetype="vmware:inv:vm"

Search only VMware virtual machine inventory data.

|dedup moid

Remove duplicate managed object IDs (MOIDs).

|rename changeSet.layoutEx.file{}.* AS file_*

Rename the fields matched by the wildcard so they are easier to read and easier for Splunk to process. The resulting names are file_key, file_name, file_size, and file_type.

|eval tmp_file_index_array=file_key

Copy the multivalue file_key field into a temporary field for the multivalue functions that follow to work on.

|mvexpand tmp_file_index_array

For each virtual machine in the VMware inventory events, expand the temporary multivalue field into one result per file. The values come from the JSON array under changeSet.layoutEx.file{}, which is where information about the current files and file space usage for each virtual machine is stored.

|eval file_idx=mvfind(file_key, tmp_file_index_array)

Set the file_idx field to the position in the file_key array of the file key carried by the current expanded result.

|eval file_size=mvindex(file_size, file_idx), file_type=mvindex(file_type, file_idx), file_name=mvindex(file_name, file_idx)

Use the file index set above to pull the matching values from the multivalue file_size, file_type, and file_name fields.

|eval sn_file_size = if(file_type="snapshotData", file_size, null())

Save the snapshot file size for later calculation.

|stats count AS total_files sum(file_size) AS total_file_size_gb count(sn_file_size) AS snapshots sum(sn_file_size) AS snapshot_size_gb BY moid

Calculate the total number of files, the sum of space consumed by all files, the total number of snapshot files, and the space consumed by snapshot files for each virtual machine.

|eval total_file_size_gb = round(total_file_size_gb / 1024 / 1024 / 1024, 2), snapshot_size_gb = round(snapshot_size_gb / 1024 / 1024 / 1024, 2)

Convert the file size byte usage to gigabytes for readability.

|sort - total_file_size_gb

Sort results with the virtual machines taking up the most space first.
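
The same per-VM aggregation written in Python, for cross-checking the search against an exported set of raw events. This is an added example, not part of the Splunk article: the JSON shape of the event is assumed from the field names changeSet.layoutEx.file{}.*, the sample events are constructed, and mvfind here is a model of the SPL function (index of the first value the regular expression matches).

```python
import json
import re

GIB = 1024 ** 3

def _f(key, size, ftype):
    """Build one changeSet.layoutEx.file[] entry (constructed sample data)."""
    return {"key": key, "name": f"file-{key}", "size": size, "type": ftype}

# Constructed vmware:inv:vm events, newest first (the order dedup sees them in).
# The JSON shape is an assumption based on the field names used in the search.
SAMPLE_EVENTS = [json.dumps(e) for e in (
    {"moid": "vm-18", "changeSet": {"layoutEx": {"file": [
        _f(0, 2 * GIB, "config"), _f(1, 60 * GIB, "diskExtent"),
        _f(2, 3 * GIB, "snapshotData"), _f(3, 1 * GIB, "snapshotData")]}}},
    {"moid": "vm-211", "changeSet": {"layoutEx": {"file": [
        _f(0, GIB // 2, "config"), _f(1, 24 * GIB, "diskExtent")]}}},
    {"moid": "vm-18", "changeSet": {"layoutEx": {"file": [  # older duplicate
        _f(0, 1 * GIB, "config")]}}},
)]

def mvfind(values, pattern):
    """Model of SPL mvfind: index of the first value the regex matches, else None."""
    for i, value in enumerate(values):
        if re.search(pattern, value):
            return i
    return None

def summarize(raw_events):
    """Return per-moid rows with the search's columns, largest total first."""
    rows = {}
    for raw in raw_events:
        ev = json.loads(raw)
        if ev["moid"] in rows:  # |dedup moid keeps only the first event per VM
            continue
        files = ev["changeSet"]["layoutEx"]["file"]
        keys = [str(f["key"]) for f in files]
        total = snaps = snap_bytes = 0
        for key in keys:  # |mvexpand: one pass per file key
            f = files[mvfind(keys, key)]  # mvfind + mvindex select that file
            total += f["size"]
            if f["type"] == "snapshotData":  # sn_file_size is null otherwise
                snaps, snap_bytes = snaps + 1, snap_bytes + f["size"]
        rows[ev["moid"]] = {
            "moid": ev["moid"], "total_files": len(keys),
            "total_file_size_gb": round(total / GIB, 2), "snapshots": snaps,
            # sum() over only-null values is null in SPL, modelled here as None
            "snapshot_size_gb": round(snap_bytes / GIB, 2) if snaps else None}
    return sorted(rows.values(), key=lambda r: -r["total_file_size_gb"])
```

Because mvfind matches by regular expression, the lookup returns the right entry when file keys arrive in ascending order; with keys out of order, mvfind(["10", "1"], "1") resolves to index 0, and an anchored pattern such as ^1$ is needed to select the exact key.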

Result

The table below shows sample results for the search. This data shows where space is consumed on a per-VM basis and can be used to determine where to optimize space.

| moid | total_files | total_file_size_gb | snapshots |
| --- | --- | --- | --- |
| vm-18 | 15 | 83.55 | 0 |
| vm-211 | 18 | 24.56 | 0 |
| vm-209 | 20 | 24.25 | 0 |
| vm-192 | 21 | 24.16 | 0 |
| vm-234 | 20 | 24.16 | 0 |
