Inventory of Azure virtual machines
As an administrator, you want to have a high-level view of the number and type of virtual machines running in your Azure infrastructure.
Data required
Microsoft: Azure virtual machine data
Procedure
- Configure the Splunk Add-on for Microsoft Cloud Services.
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype="mscs:resource:virtualMachine" |fillnull tags{} value="No Tags!" |fillnull properties.instanceView.extensions{}.name value="" |stats latest(power_state) BY vm_name, location, properties.storageProfile.imageReference.offer, properties.storageProfile.imageReference.sku ,vm_size, tags{}, properties.instanceView.extensions{}.name |eval mem_capacity=(mem_capacity/1024/1024/1024) |fields - count |rename vm_name AS "VM Name" latest(power_state) AS Status vm_size AS Size properties.storageProfile.imageReference.offer AS OS properties.storageProfile.imageReference.sku AS Version mem_capacity AS "Memory GB" location_name AS Location cpu_cores AS CPU tags{} AS Tags properties.instanceView.extensions{}.name AS Extensions
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
Splunk Search | Explanation |
---|---|
sourcetype="mscs:resource:virtualMachine" | Search only Azure virtual machine data. |
\|fillnull tags{} value="No Tags!" | Fill all null tag values with “No Tags!” |
\|fillnull properties.instanceView.extensions{}.name value="" | Fill all null extension values with an empty string. |
\|stats latest(power_state) BY vm_name, location, properties.storageProfile.imageReference.offer, properties.storageProfile.imageReference.sku ,vm_size, tags{}, properties.instanceView.extensions{}.name | Return the most recent power state for each unique combination of VM name, location, OS offer, OS SKU, VM size, tag, and extension name. |
\|eval mem_capacity=(mem_capacity/1024/1024/1024) | Convert the memory capacity to gigabytes by dividing it by 1024 three times. |
\|fields - count | Remove the count field from the results. |
\|rename vm_name AS "VM Name" latest(power_state) AS Status vm_size AS Size properties.storageProfile.imageReference.offer AS OS properties.storageProfile.imageReference.sku AS Version mem_capacity AS "Memory GB" location_name AS Location cpu_cores AS CPU tags{} AS Tags properties.instanceView.extensions{}.name AS Extensions | Rename the fields as shown for better readability. |
Next steps
Sample results for this search are shown in the table below. The status field can be an important item to monitor for cost-saving reasons. A status of stopped (not shown below) indicates a VM whose OS has been shut down or stopped but that is still allocated and still costing money. Finding those VMs and having them deallocated would be useful.
VM Name | location | OS | Version | Size | Tags | Extensions | Status |
---|---|---|---|---|---|---|---|
JaneDoeServer | southcentralus | WindowsServer | 2016-Datacenter | Standard_B1s | No Tags! | | running |
RYCRYpt0 | australiasoutheast | CentOS | 7.5 | Standard_B1s | Owner : RYCRYpt0 | | starting |
Ry-Win10 | australiasoutheast | Windows-10 | rs5-pro | Standard_D2 | Owner : Ryan | Microsoft.Insights.VMDiagnosticsSettings | running |
Ry-Win10 | australiasoutheast | Windows-10 | rs5-pro | Standard_D2 | Owner : Ryan | MicrosoftMonitoringAgent | running |
Ry-Win10 | australiasoutheast | Windows-10 | rs5-pro | Standard_D2 | Purpose : P5 | Microsoft.Insights.VMDiagnosticsSettings | running |
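The follow-up described above, as an added example that is not part of the original page: a search that lists only the VMs whose most recent power state is stopped, with their tags collapsed into one row per VM so an owner can be identified before deallocation. It reuses the field names from the search above and assumes the power_state value is the literal string stopped, as the text describes; last_seen is a name introduced here for illustration.

```spl
sourcetype="mscs:resource:virtualMachine"
| fillnull tags{} value="No Tags!"
| stats latest(power_state) AS power_state latest(_time) AS last_seen values(tags{}) AS tags BY vm_name, location, vm_size
| search power_state="stopped"
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| sort location, vm_name
| rename vm_name AS "VM Name" location AS Location vm_size AS Size tags AS Tags power_state AS Status last_seen AS "Last Seen"
```

As with the main search, specify an index and a time range long enough to include the most recent collection of VM data.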
You might also be interested in other processes associated with the Managing Azure cloud infrastructure use case.