Virtual machines currently running on ESXi host
Understanding which ESXi host is currently running a virtual machine is a fundamental aspect of VMware monitoring. It lets you see all virtual machines running on an ESXi host and determine if poor performance could be caused by a noisy neighbor. You want a search that will allow you to easily gather this type of inventory.
Data required
- VMware. This procedure depends on data primarily obtained from the Splunk Add-on for VMware Metrics; however, log and event data from the VMware environment can also provide additional insights into general VMware environment health. Therefore, for best performance, you should also download and install Splunk Add-on for VMware ESXi Logs and Splunk Add-on for vCenter Logs.
Procedure
To optimize the search shown below, you should specify an index and a time range.
- Ensure that you have installed the IT Essentials Work app to onboard VMware data and provide the various VMware entity type configurations and dashboards.
- Ensure that you are collecting VMware data through one or more Data Collection Nodes, which are essentially Splunk heavy forwarders with specific VMware collection configurations.
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
sourcetype=vmware:inv:hierarchy type=VirtualMachine moid="*" |stats values(moid) AS "VM Id" BY _time changeSet.runtime.host.moid |rename changeSet.runtime.host.moid AS "ESXi Host"
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
Splunk Search | Explanation |
---|---|
sourcetype=vmware:inv:hierarchy type=VirtualMachine | Search only VMware hierarchy inventory data and limit the search to virtual machine data. |
moid="*" | Return all VMs running on a host at the point in time. To look for a specific VM, you could change the wildcard to the name (e.g. “vm-77”). |
\|stats values(moid) AS "VM Id" BY _time changeSet.runtime.host.moid | Group the values of the moid by the fields in the BY clause. |
\|rename changeSet.runtime.host.moid AS "ESXi Host" | Rename the fields as shown for better readability. |
Next steps
Sample results for this search are shown in the table below. It provides a list of virtual machines (VMs) running on a host at the time the data was received by Splunk. The first five entries show vm-77 moving back and forth between host-10 and host-11. The table also shows that host-10 is hosting many VMs at T13:49 and that host-26 has only three. That information could be used to consider host-26 as a candidate to balance the load by moving some VMs off of host-10.
This search would be good in a dashboard with an interactive input to select VM IDs to investigate. A second input on the same dashboard could allow for the ESXi Host to be selected, rather than defaulting to all.
_time | ESXi Host | VM Id |
---|---|---|
2020-11-05T13:40:19 | host-10 | vm-77 |
2020-11-05T13:41:34 | host-11 | vm-77 |
2020-11-05T13:44:22 | host-10 | vm-77 |
2020-11-05T13:45:19 | host-11 | vm-77 |
2020-11-05T13:47:490 | host-10 | vm-77 |
2020-11-05T13:49:24 | host-10 | vm-186 vm-187 vm-188 vm-189 vm-190 vm-192 vm-207 vm-209 vm-211 vm-216 vm-220 vm-224 vm-226 vm-231 vm-234 vm-237 vm-261 |
2020-11-05T13:49:24 | host-26 | vm-113 vm-206 vm-214 |
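The back-and-forth movement of vm-77 in the sample results can be surfaced directly instead of read off the table. The following search is an added example, not part of the original procedure. It assumes each inventory event carries one moid and one changeSet.runtime.host.moid value; the field names esxi_host, prev_host, host_changes, first_change, last_change and hosts_seen are illustrative. The host field is renamed to esxi_host rather than host so that the default Splunk host field is not overwritten.

```spl
sourcetype=vmware:inv:hierarchy type=VirtualMachine moid="*"
| rename changeSet.runtime.host.moid AS esxi_host
| sort 0 moid _time
| streamstats current=f window=1 last(esxi_host) AS prev_host BY moid
| where isnotnull(prev_host) AND esxi_host!=prev_host
| stats count AS host_changes min(_time) AS first_change max(_time) AS last_change values(esxi_host) AS hosts_seen BY moid
| eval first_change=strftime(first_change, "%Y-%m-%dT%H:%M:%S"), last_change=strftime(last_change, "%Y-%m-%dT%H:%M:%S")
| sort - host_changes
```

Run against events matching the sample results above, vm-77 would be returned with four host changes across host-10 and host-11. As with the main search, specify an index and a time range.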
Finally, you might be interested in other processes associated with the Monitoring VMware virtual machine performance use case.