Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What is a good way to compare all the VMs in a VMware vSphere with all of the universal forwarders I have installed?

lycollicott
Motivator
‎02-29-2016 10:50 AM

First off, let me say that we do not have plans to purchase the VMware app.

I would like to be able to identify any VMs which do not have the Universal Forwarder installed and I considered having the VMware team routinely provide me with a get-vm output in CSV format to create a lookup, but that seems awfully manual and error prone.

Any ideas? It's Monday, I'm feeling lazy and I don't want to reinvent the wheel if I don't have to.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vasildavid
Path Finder
‎02-29-2016 10:55 AM

The get-vm CSV is probably the best way. You can use that as an inputlookup with a |metadata command to find systems that have not recently sent you data like so:

| inputlookup append=t vmware_hosts 
| fields nt_host 
| where NOT [| metadata index=vmware type=hosts earliest=-1d@d latest=now
             | where lastTime > relative_time(now(), "-1d@d") 
             |  rex field=host "(?<nt_host>[^\.]+)" 
             | fields nt_host]
| sort nt_host

edit: added "probably the best way".

View solution in original post

Reply
Solved! Jump to solution
Solution

vasildavid
Path Finder
‎02-29-2016 10:55 AM

The get-vm CSV is probably the best way. You can use that as an inputlookup with a |metadata command to find systems that have not recently sent you data like so:

| inputlookup append=t vmware_hosts 
| fields nt_host 
| where NOT [| metadata index=vmware type=hosts earliest=-1d@d latest=now
             | where lastTime > relative_time(now(), "-1d@d") 
             |  rex field=host "(?<nt_host>[^\.]+)" 
             | fields nt_host]
| sort nt_host

edit: added "probably the best way".

Reply
Get Updates on the Splunk Community!

Tech Talk Recap | Mastering Threat Hunting

Mastering Threat HuntingDive into the world of threat hunting, exploring the key differences between ...

Observability for AI Applications: Troubleshooting Latency

If you’re working with proprietary company data, you’re probably going to have a locally hosted LLM or many ...

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

In the age of AI, every tool promises to make our lives easier. From summarizing content to writing code, ...