So, I'm working on a Splunk query to pull all VMs with CPU average over X% using the Splunk Add-on for VMware (querying index vmware-perf). When I pull the data via a query (using the Python SDK, but Splunk Web gives the same query results) I get some JSON like this:
{
"_bkt": "vmware-perf~1~9918771B-2908-4435-85EC-79F3D5C8FACF",
"_cd": "1:2083700",
"_indextime": "1488842378",
"_kv": "1",
"_mkv_child": "0",
"_raw": "vm-11968\t5016e352-7453-ff10-ea20-2f7e29d8cd98\taggregated\t20\t3\t0\t3\t0\t20030\t24\t0\t1\t0.07\t0\t18\t0.0\t19973\t6\t0.22\t4035",
"_serial": "2",
"_si": [
"vmware-perf"
],
"_sourcetype": "vmware:perf:cpu",
"_subsecond": ".0",
"_time": "2017-03-06T18:19:20.000-05:00",
"fields": "vm-11968",
"host": "hadron",
"index": "vmware-perf",
"instance": "aggregated",
"linecount": "1",
"moid": "vm-11968",
"p_average_cpu_demand_megaHertz": "3",
"p_average_cpu_latency_percent": "0.07",
"p_average_cpu_usage_percent": "0.22",
"punct": "ttttttttttttttttttt-t----ttttttttttt.ttt.ttt.t-t--",
"samp_int": "20",
"source": "VMPerf:VirtualMachine",
"sourcetype": "vmware:perf:cpu",
"timestamp": "none",
"uuid": "5016e352-7453-ff10-ea20-2f7e29d8cd98"
}
The problem is that the UUID above is not the same one as when I check via the vSphere client. That host's VM UUIDs all start like "4216...".
So what is the UUID above, if not a VMware UUID? Any idea how to get the real VMware VM UUID from a Splunk query?
Thanks
If you run the query index="vmware-inv", you will get the UUID from the changeSet.config.uuid field.