Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

What is a good way to compare all the VMs in a VMware vSphere with all of the universal forwarders I have installed?

lycollicott
Motivator
‎02-29-2016 10:50 AM

First off, let me say that we do not have plans to purchase the VMware app.

I would like to be able to identify any VMs which do not have the Universal Forwarder installed and I considered having the VMware team routinely provide me with a get-vm output in CSV format to create a lookup, but that seems awfully manual and error prone.

Any ideas? It's Monday, I'm feeling lazy and I don't want to reinvent the wheel if I don't have to.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

vasildavid
Path Finder
‎02-29-2016 10:55 AM

The get-vm CSV is probably the best way. You can use that as an inputlookup with a |metadata command to find systems that have not recently sent you data like so:

| inputlookup append=t vmware_hosts 
| fields nt_host 
| where NOT [| metadata index=vmware type=hosts earliest=-1d@d latest=now
             | where lastTime > relative_time(now(), "-1d@d") 
             |  rex field=host "(?<nt_host>[^\.]+)" 
             | fields nt_host]
| sort nt_host

edit: added "probably the best way".

View solution in original post

Reply
Solved! Jump to solution
Solution

vasildavid
Path Finder
‎02-29-2016 10:55 AM

The get-vm CSV is probably the best way. You can use that as an inputlookup with a |metadata command to find systems that have not recently sent you data like so:

| inputlookup append=t vmware_hosts 
| fields nt_host 
| where NOT [| metadata index=vmware type=hosts earliest=-1d@d latest=now
             | where lastTime > relative_time(now(), "-1d@d") 
             |  rex field=host "(?<nt_host>[^\.]+)" 
             | fields nt_host]
| sort nt_host

edit: added "probably the best way".

Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...