Visualizing the VMware environment in a topology view provides an intuitive way for analysts and administrators to better understand the current distribution of resources. A topology view may uncover misconfigurations such as high availability VMs deployed to the same ESXi host, or co-mingled prod and non-prod systems. Additionally, you can use the time picker to review prior topology views to aid in troubleshooting or understand how resources have shifted over time.
- VMware. This procedure depends primarily on data obtained from the Splunk Add-on for VMware Metrics; however, log and event data from the VMware environment can provide additional insight into its general health. Therefore, for best performance, you should also download and install the Splunk Add-on for VMware ESXi Logs and the Splunk Add-on for vCenter Logs.
- Ensure that you have installed the IT Essentials Work app to onboard VMware data and provide the various VMware entity type configurations and dashboards.
- Ensure that you are collecting VMware data through one or more Data Collection Nodes, which are essentially Splunk heavy forwarders with specific VMware collection configurations.
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
```
index="vmware-inv" source="VMInv:Hierarchy" type=*
| dedup moid
| eval parent_moid=coalesce('changeSet.runtime.host.moid','changeSet.parent.moid'), name='changeSet.name'
| appendpipe [ stats count BY moid, name | rename moid AS parent_moid, name AS parent_name | table parent_*]
| eventstats values(parent_name) AS parent_name BY parent_moid
| top useother=true limit=5 name BY parent_name type
| table parent_name name percent
| rename parent_name AS parent, name AS child
```
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
|---|---|
| index="vmware-inv" source="VMInv:Hierarchy" type=* | Search the index and source for VMware hierarchy data. |
| \| dedup moid | Remove results with a duplicate moid to obtain the most recent record for each system in the environment. |
| \| eval parent_moid=coalesce('changeSet.runtime.host.moid','changeSet.parent.moid'), name='changeSet.name' | Validate that, where possible, the ESXi host is used as the parent for each system. |
| \| appendpipe [ stats count BY moid, name \| rename moid AS parent_moid, name AS parent_name \| table parent_*] \| eventstats values(parent_name) AS parent_name BY parent_moid | Join the results back to themselves so that a parent_name can be joined to a parent moid for readability. |
| \| top useother=true limit=5 name BY parent_name type | Return only five children for each parent. |
| \| table parent_name name percent | Display the results in a table with columns in the order shown. |
| \| rename parent_name AS parent, name AS child | Rename the fields as shown for better readability. |
You can use this information on-demand during troubleshooting or periodically during general environment checks to monitor your environment.
The SPL in this sample provides one meaningful way of rendering the hierarchy of the environment; however, many other ways may exist. For instance, you may want to filter the results by the type field in a dashboard and render a greater number of nodes in the tree. You should modify the SPL to provide a hierarchical rendering that fits your needs.
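The co-mingling misconfiguration mentioned at the top of this page can also be checked programmatically. The following Python code is an added example, not part of the original article or of any Splunk app: it mirrors the search's dedup, coalesce, and self-join steps on constructed records, then flags ESXi hosts that run both prod and non-prod VMs. The sample records, the function names, and the "prod-" naming convention are assumptions.

```python
from collections import defaultdict

def rec(moid, type_, name, parent, host=None):
    """Build one constructed record using the field names the search reads."""
    r = {"moid": moid, "type": type_, "changeSet.name": name,
         "changeSet.parent.moid": parent}
    if host:
        r["changeSet.runtime.host.moid"] = host
    return r

# Constructed sample data, newest event first (the order Splunk returns events).
EVENTS = [
    rec("host-10", "HostSystem", "esxi-a", "domain-c1"),
    rec("host-11", "HostSystem", "esxi-b", "domain-c1"),
    rec("vm-1", "VirtualMachine", "prod-db-1", "group-v1", host="host-10"),
    rec("vm-2", "VirtualMachine", "dev-web-1", "group-v1", host="host-10"),
    rec("vm-3", "VirtualMachine", "prod-db-2", "group-v1", host="host-11"),
    rec("vm-3", "VirtualMachine", "prod-db-2", "group-v1", host="host-10"),  # stale duplicate
]

def resolve_hierarchy(events):
    """Mirror dedup, the eval coalesce, and the appendpipe/eventstats self-join."""
    latest = {}
    for e in events:
        latest.setdefault(e["moid"], e)  # dedup moid: keep the first (newest) record
    names = {m: e["changeSet.name"] for m, e in latest.items()}
    rows = []
    for moid, e in latest.items():
        # coalesce: prefer the ESXi host as parent, else the inventory parent
        parent = e.get("changeSet.runtime.host.moid") or e.get("changeSet.parent.moid")
        rows.append({"moid": moid, "type": e["type"], "name": names[moid],
                     "parent_moid": parent, "parent_name": names.get(parent)})
    return rows

def environment_of(vm_name):
    # Assumption: production VMs carry a "prod-" name prefix; adapt to your convention.
    return "prod" if vm_name.lower().startswith("prod-") else "non-prod"

def comingled_hosts(rows):
    """Return {host name: sorted VM names} for hosts running both environments."""
    by_host = defaultdict(list)
    for r in rows:
        if r["type"] == "VirtualMachine" and r["parent_name"]:
            by_host[r["parent_name"]].append(r["name"])
    return {h: sorted(v) for h, v in by_host.items()
            if len({environment_of(n) for n in v}) > 1}

if __name__ == "__main__":
    for host, vms in comingled_hosts(resolve_hierarchy(EVENTS)).items():
        print(f"{host}: mixed prod/non-prod VMs -> {', '.join(vms)}")
```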
Finally, you might be interested in other processes associated with the Monitoring VMware virtual machine performance use case.