Inventory of Azure virtual machines
As an administrator, you want to have a high-level view of the number and type of virtual machines running in your Azure infrastructure.
Data required
Microsoft: Azure virtual machine data
Procedure
- Configure the Splunk Add-on for Microsoft Cloud Services.
- Run the following search. You can optimize it by specifying an index and adjusting the time range.
```
sourcetype="mscs:resource:virtualMachine"
| fillnull tags{} value="No Tags!"
| fillnull properties.instanceView.extensions{}.name value=""
| stats latest(power_state) BY vm_name, location, properties.storageProfile.imageReference.offer, properties.storageProfile.imageReference.sku, vm_size, tags{}, properties.instanceView.extensions{}.name
| eval mem_capacity=(mem_capacity/1024/1024/1024)
| fields - count
| rename vm_name AS "VM Name" latest(power_state) AS Status vm_size AS Size properties.storageProfile.imageReference.offer AS OS properties.storageProfile.imageReference.sku AS Version mem_capacity AS "Memory GB" location_name AS Location cpu_cores AS CPU tags{} AS Tags properties.instanceView.extensions{}.name AS Extensions
```
Search explanation
The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.
| Splunk Search | Explanation |
|---|---|
| `sourcetype="mscs:resource:virtualMachine"` | Search only Azure virtual machine data. |
| `\| fillnull tags{} value="No Tags!"` | Fill all null tag values with “No Tags!” |
| `\| fillnull properties.instanceView.extensions{}.name value=""` | Fill all null extension values with an empty string. |
| `\| stats latest(power_state) BY vm_name, location, properties.storageProfile.imageReference.offer, properties.storageProfile.imageReference.sku, vm_size, tags{}, properties.instanceView.extensions{}.name` | Return the most recent power state for each combination of the listed fields. |
| `\| eval mem_capacity=(mem_capacity/1024/1024/1024)` | Calculate the memory capacity of each virtual machine in gigabytes. |
| `\| fields - count` | Remove the count field from the results. |
| `\| rename vm_name AS "VM Name" latest(power_state) AS Status vm_size AS Size properties.storageProfile.imageReference.offer AS OS properties.storageProfile.imageReference.sku AS Version mem_capacity AS "Memory GB" location_name AS Location cpu_cores AS CPU tags{} AS Tags properties.instanceView.extensions{}.name AS Extensions` | Rename the fields as shown for better readability. |
Next steps
Sample results for this search are shown in the table below. The status field can be an important item to monitor for cost-saving reasons. A status of stopped (not shown below) indicates a VM whose OS was shut down or stopped while the VM itself is still allocated and still costing money. Finding those VMs and deallocating them would be useful.
| VM Name | location | OS | Version | Size | Tags | Extensions | Status |
|---|---|---|---|---|---|---|---|
| JaneDoeServer | southcentralus | WindowsServer | 2016-Datacenter | Standard_B1s | No Tags! | | running |
| RYCRYpt0 | australiasoutheast | CentOS | 7.5 | Standard_B1s | Owner : RYCRYpt0 | | starting |
| Ry-Win10 | australiasoutheast | Windows-10 | rs5-pro | Standard_D2 | Owner : Ryan | Microsoft.Insights.VMDiagnosticsSettings | running |
| Ry-Win10 | australiasoutheast | Windows-10 | rs5-pro | Standard_D2 | Owner : Ryan | MicrosoftMonitoringAgent | running |
| Ry-Win10 | australiasoutheast | Windows-10 | rs5-pro | Standard_D2 | Purpose : P5 | Microsoft.Insights.VMDiagnosticsSettings | running |
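
The follow-up described above, finding VMs whose OS is stopped while the VM is still allocated, as an added example search that is not part of the original page. It groups by VM only and collects tags and extensions with `values()`, so each VM appears once rather than once per tag and extension combination as in the sample results. The literal `stopped` is taken from the wording above and is an assumption about the exact value the add-on writes to `power_state`; check it against your own data.

```spl
sourcetype="mscs:resource:virtualMachine"
| stats latest(power_state) AS Status
        latest(_time) AS last_reported
        values(tags{}) AS Tags
        values(properties.instanceView.extensions{}.name) AS Extensions
        BY vm_name, location, vm_size
| where Status="stopped"
| fillnull value="No Tags!" Tags
| eval last_reported=strftime(last_reported, "%Y-%m-%d %H:%M:%S")
| sort location, vm_name
| rename vm_name AS "VM Name" location AS Location vm_size AS Size last_reported AS "Last Reported"
```

The Tags column in the output is the quickest way to find an owner to contact before deallocating a VM.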
You might also be interested in other processes associated with the Managing Azure cloud infrastructure use case.

