Getting all IP addresses from guests in VMware vCenter

bensec01
Explorer

Hey folks,

I am using a VMware DCN (data collection node) to index all of my performance, event, and inventory data from our VMware environment. This is a standalone Splunk Enterprise instance running 6.6.2, not a virtual appliance.

I am working on a set of dashboards to look up VMs, hypervisors, etc., and I'm seeing some weirdness in the data. I'm hoping someone can help me out, because my brain doesn't grok JSON and I have a helluva time with multivalue fields.

Here is the search I am running that gives some weirdness. I am specifically looking at

tag=virtualmachine tag=inventory tag=virtualization vm_name="*" 
| stats delim="," latest(vm_name) as vm_name, latest(storage_capacity) as storage_capacity, latest(mem_capacity) as mem_capacity, latest(processor_socket_count) as processor_socket_count, latest(cpu_cores) as cpu_cores, latest(logical_cpu_count) as logical_cpu_count, latest(power_state) as power_state, latest(vm_os) as vm_os, values(ip) as ip, values(datastore) as datastore, values(datastore_volume_path) as datastore_volume_path, latest(cluster_id) as cluster_id, latest(cluster_name) as cluster_name, latest(hypervisor_name) as hypervisor_name, by vm_id 
| eval storage_capacity=round(storage_capacity/1024/1024/1024) 
| eval mem_capacity=round(mem_capacity/1024/1024/1024) 
| eval hypervisor_name=upper(mvindex(split(hypervisor_name,"."),0))
| rename vm_id as "VM ID", vm_name as "VM Name", storage_capacity as "Storage Capacity (in GB)", mem_capacity as "Memory Capacity (in GB)", processor_socket_count as "CPU Socket Count", cpu_cores as "CPU Cores", logical_cpu_count as "Logical CPU Count", power_state as "Power State", vm_os as "VM Operating System", ip as "IP Address(es)", datastore as "Datastore(s)", datastore_volume_path as "Datastore Volume Path", hypervisor_name as "Found on Hypervisor", cluster_id as "Cluster ID", cluster_name as "Cluster Name"

Now, this appears to work, but I only get the last IP address for guests that have multiple IPs assigned. If I look at the event itself, I find the list of IP addresses for the guest in:

{   [-] 
   changeSet: { [-] 
     guest: {   [-] 
       disk: {  [+] 
       }    
       guestFamily: linuxGuest  
       guestFullName: Red Hat Enterprise Linux 7 (64-bit)   
       guestId: rhel7_64Guest   
       guestOperationsReady: True   
       guestState: running  
       hostName: hostname   
       ipAddress: just_one_of_the_ip_addresses
       ipStack: {   [+] 
       }    
       net: {   [-] 
         GuestNicInfo: [    [-] 
           {    [-] 
             connected: True    
             deviceConfigId: 4000   
             ipAddress: [   [-] 
               ip_address_1 
               ip_address_2 
               ip_address_3 
             ]  
             ipConfig: {    [+] 
             }  
             macAddress: 00:aa:bb:cc:dd:ee  
             network: myVLAN    
           }    
         ]  
       }    
...

My search is giving me the just_one_of_the_ip_addresses value, while I see the correct list of them in ip_address_1, _2, _3. But I have no idea how to access them and display the list of them.

Can someone help my brain wrap around the JSON + multivalue field thing?

Thank you!

Chris
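
Added example, not part of the original post and not the VMware app's own search: one way to read every address from the nested NIC array with `spath`, then aggregate per VM. It assumes the raw event is JSON with the structure shown in the post, so the path `changeSet.guest.net.GuestNicInfo{}.ipAddress{}` is taken from that listing; the field names `nic_ip` and `nic_ip_count` are made up for this example.

```spl
tag=virtualmachine tag=inventory tag=virtualization vm_name="*"
| spath output=nic_ip path=changeSet.guest.net.GuestNicInfo{}.ipAddress{}
| stats latest(vm_name) as vm_name, latest(power_state) as power_state, latest(hypervisor_name) as hypervisor_name, values(nic_ip) as nic_ip by vm_id
| eval nic_ip_count=mvcount(nic_ip)
| eval nic_ip=mvjoin(nic_ip, ", ")
| rename vm_id as "VM ID", vm_name as "VM Name", power_state as "Power State", hypervisor_name as "Found on Hypervisor", nic_ip as "IP Address(es)", nic_ip_count as "IP Count"
```

The `{}` suffix tells `spath` to walk each array element, so `nic_ip` becomes a multivalue field holding the addresses of every NIC. `values()` collects every distinct address seen anywhere in the search time range, so keep that range short if addresses the guest no longer holds should not appear in the inventory.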
