Recently triggered vSphere alarms

You might need to see all recently triggered vSphere alarms when doing the following:

• Monitoring VMware virtual machine performance

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

• Virtualization data
• Operating system event data
• Splunk Add-on for VMware

Example

VMware vSphere lets you author alerting rules to identify various conditions that occur in your VMware environment. Some alerts indicate problems while others are informational. You want a search that allows you to easily see all alarms so that you can review them and investigate further if necessary.

NOTE: To optimize the search shown below, you should specify an index and a time range.

1. Run the following search: 

sourcetype="vmware:events" alarm.name=*
|table _time host.name from to fullFormattedMessage 

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Result

The table shows the time each alarm was triggered, the host they were triggered on, the host’s previous status and current status after the alarm, and the alarm’s message. Depending on the types of rules you author and activate, it might be helpful to correlate VMware alerts with other operational and performance metrics associated with the applications running on the virtual machine.