Splunk Lantern

Topology of a VMware environment


Visualizing the VMware environment in a topology view provides an intuitive way for analysts and administrators to better understand the current distribution of resources. A topology view may uncover misconfigurations such as high availability VMs deployed to the same ESXi host, or co-mingled prod and non-prod systems. Additionally, you can use the time picker to review prior topology views to aid in troubleshooting or understand how resources have shifted over time.

Data required


  1. Ensure that you have installed the IT Essentials Work app to onboard VMware data and provide the various VMware entity type configurations and dashboards.
  2. Ensure that you are collecting VMware data through one or more Data Collection Nodes, which are essentially Splunk heavy forwarders with specific VMware collection configurations.
  3. Run the following search. You can optimize it by specifying an index and adjusting the time range.
index="vmware-inv" source="VMInv:Hierarchy" type=*
| dedup moid
| eval parent_moid=coalesce('','changeSet.parent.moid'), name=''
| appendpipe [ stats count BY moid, name 
   | rename moid AS parent_moid, name AS parent_name 
   | table parent_*]
| eventstats values(parent_name) AS parent_name BY parent_moid
| top useother=true limit=5 name BY parent_name type
| table parent_name name percent
| rename parent_name AS parent, name AS child

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

| Splunk Search | Explanation |
| --- | --- |
| `index="vmware-inv" source="VMInv:Hierarchy" type=*` | Search index and source type for VMware hierarchy data. |
| `\|dedup moid` | Remove results with a duplicate moid to obtain the most recent record for each system in the environment. |
| `\|eval parent_moid=coalesce('','changeSet.parent.moid'), name=''` | Validate that, where possible, the ESXi host is used as the parent for each system. |
| `\|appendpipe [ stats count BY moid, name \| rename moid AS parent_moid, name AS parent_name \| table parent_*] \|eventstats values(parent_name) AS parent_name BY parent_moid` | Join the results back to themselves so that a parent_name can be joined to a parent moid for readability. |
| `\|top useother=true limit=5 name BY parent_name type` | Return only five children for each parent. |
| `\|table parent_name name percent` | Display the results in a table with columns in the order shown. |
| `\|rename parent_name AS parent, name AS child` | Rename the fields as shown for better readability. |

Next steps

You can use this information on-demand during troubleshooting or periodically during general environment checks to monitor your environment.
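For a periodic check, the two misconfigurations named in the overview (high availability VMs on the same ESXi host, and co-mingled prod and non-prod systems) can be tested directly over the parent/child rows. The following is an added example, not part of the original article or of any Splunk app; the `prod-` prefix, the `-a`/`-b` HA suffix, the host names and the CSV rows are constructed assumptions, and the rows are assumed to be exported before the `top limit=5` step.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample shaped like the search output (parent, child), taken
# before the `top limit=5` step so that no children are truncated.
SAMPLE_CSV = """parent,child
esx01.example.test,prod-web-01
esx01.example.test,dev-build-01
esx02.example.test,prod-db-a
esx02.example.test,prod-db-b
esx03.example.test,prod-cache-a
esx04.example.test,prod-cache-b
"""

# Assumed naming conventions (hypothetical; adjust to your environment):
# a "prod-" prefix marks production, a trailing "-a"/"-b" marks HA peers.
PROD_RE = re.compile(r"^prod-", re.IGNORECASE)
HA_RE = re.compile(r"^(?P<group>.+)-[ab]$", re.IGNORECASE)

def load_topology(text):
    """Return {parent: set(children)} from CSV text with parent,child columns."""
    hosts = defaultdict(set)
    for row in csv.DictReader(io.StringIO(text)):
        parent = (row.get("parent") or "").strip()
        child = (row.get("child") or "").strip()
        if parent and child:  # skip rows whose parent name did not resolve
            hosts[parent].add(child)
    return hosts

def find_misplacements(hosts):
    """Return sorted (parent, finding, children) tuples for both checks."""
    findings = []
    for parent, children in hosts.items():
        prod = {c for c in children if PROD_RE.match(c)}
        if prod and children - prod:  # both environments under one parent
            findings.append((parent, "prod and non-prod co-mingled", tuple(sorted(children))))
        groups = defaultdict(set)
        for child in children:
            if (match := HA_RE.match(child)):
                groups[match.group("group").lower()].add(child)
        for members in groups.values():
            if len(members) > 1:  # HA peers share a single parent
                findings.append((parent, "HA peers on same host", tuple(sorted(members))))
    return sorted(findings)

if __name__ == "__main__":
    for parent, finding, children in find_misplacements(load_topology(SAMPLE_CSV)):
        print(f"{parent}: {finding}: {', '.join(children)}")
```

Parents that are not ESXi hosts (the search only uses the host as parent where possible) are grouped the same way, so review findings against the `type` field before acting on them.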

The SPL in this sample provides one meaningful way of rendering the hierarchy of the environment; however, other ways might exist. For instance, you might want to filter the results per the type field in a dashboard and render a greater number of nodes in the tree. You should modify the SPL to provide a hierarchical rendering that fits your needs.

Finally, you might be interested in other processes associated with the Monitoring VMware virtual machine performance use case.