Knowing what modifications are made to the VMware environment, when they were made, and who made them can help you identify or isolate the origin of a problem or incident.
- VMware. This procedure depends on data primarily obtained from the Splunk Add-on for VMware Metrics; however, log and event data from the VMware environment can also provide additional insights into general VMware environment health. Therefore, for best performance, you should also download and install the Splunk Add-on for VMware ESXi Logs and the Splunk Add-on for vCenter Logs.
- Ensure that you have installed the IT Essentials Work app to onboard VMware data and provide the various VMware entity type configurations and dashboards.
- Ensure that you are collecting VMware data through one or more Data Collection Nodes, which are essentially Splunk heavy forwarders with specific VMware collection configurations.
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
```
index="vmware-taskevent" sourcetype="vmware_inframon:tasks" entity.type="HostSystem"
| dedup key
| spath entity.moid output=moid
| search (moid="<ESXi-HOST-ID>" AND host="<VCENTER-NAME>")
| spath entity.type output=type
| spath entityName output="ESX/i Host"
| spath reason.userName output=User
| spath reason.scheduledTask output=ScheduleTask
| spath completeTime output=CompleteTime
| spath startTime output=StartTime
| spath state output=State
| spath descriptionId output=Description
| spath name output=Task
| eval Task=if(isnull(Task),"Internal Task",Task)
| spath error.localizedMessage output=ErrorMessage
| eval ErrorMessage=if(isnull(ErrorMessage), "N/A", ErrorMessage)
| eval ScheduleTask=if(isnull(ScheduleTask), "No", "Yes")
| eval User=if(isnull(User), "N/A", User)
| search
| rename host AS VC type AS HIDE-type moid AS HIDE-moid
| sort -startTime
| table VC "ESX/i Host" Description Task User StartTime CompleteTime State ScheduleTask ErrorMessage HIDE-type HIDE-moid
```
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk search | Explanation |
|---|---|
| `index="vmware-taskevent" sourcetype="vmware_inframon:tasks" entity.type="HostSystem"` | Search the index vmware-taskevent where vCenter task events are collected and filter to entity type "HostSystem" (ESXi servers). |
| `\| dedup key` | Remove duplicate host systems by key. |
| `\| spath entity.moid output=moid` | Extract and validate configuration data. Replace `<ESXi-HOST-ID>` with the appropriate ESXi host moid and `<VCENTER-NAME>` with the appropriate vCenter host name. Wildcards such as * are allowed. |
| `\| rename host AS VC type AS HIDE-type moid AS HIDE-moid` | Rename the fields as shown for better readability. |
| `\| sort -startTime` | Sort the results in descending order by time of event. |
| `\| table VC "ESX/i Host" Description Task User StartTime CompleteTime State ScheduleTask ErrorMessage HIDE-type HIDE-moid` | Display the results in a table with columns in the order shown. |
You can use the information from this search to investigate any problems you encounter with your VMware environment.
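When the question during an investigation is who made changes on a host and how often, the same events can be summarized per user and task instead of listed row by row. The following search is an added example, not part of the original procedure; it assumes the same index, sourcetype and JSON field paths as the search above, and the output field names `ESXiHost`, `Tasks`, `FirstStart` and `LastStart` are hypothetical names chosen for this example.

```spl
index="vmware-taskevent" sourcetype="vmware_inframon:tasks" entity.type="HostSystem"
| dedup key
| spath entity.moid output=moid
| search (moid="<ESXi-HOST-ID>" AND host="<VCENTER-NAME>")
| spath entityName output=ESXiHost
| spath reason.userName output=User
| spath name output=Task
| spath state output=State
| spath startTime output=StartTime
| eval User=if(isnull(User), "N/A", User)
| eval Task=if(isnull(Task), "Internal Task", Task)
| stats count AS Tasks earliest(StartTime) AS FirstStart latest(StartTime) AS LastStart BY host ESXiHost User Task State
| rename host AS VC
| sort VC ESXiHost User -Tasks
```

Rows where User is "N/A" are tasks with no user name recorded in the event, as in the original search.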
Finally, you might be interested in other processes associated with the Monitoring VMware virtual machine performance use case.