Reporting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do you get a report of machines that are VMs?

ShaunBaker
Path Finder
‎10-11-2018 05:35 PM

I've seen searches using _internal to identify OS, but is there a way to identify what clients are physical and which are VMs?

Tags (1)
0 Karma
Reply

FrankVl
Ultra Champion
‎10-12-2018 01:10 AM

I'd typically get that kind of context from a CMDB and feed that into lookups in Splunk to enrich events with such information (e.g. through Enterprise Security's Asset&Identity framework).

Not sure if there is any way to tell the difference between a VM and a physical from logs. What logs are you collecting and do you have a UF on the respective machines?

0 Karma
Reply

ShaunBaker
Path Finder
‎10-16-2018 04:20 PM

I think pretty basic/standard sourcetypes for windows, application, system and security. There are a lot of different eventtype though, so I will dig around.

I do have a UF on the VMs in question.

Hoping to use Splunk to help with generating my CMDB haha.

0 Karma
Reply

FrankVl
Ultra Champion
‎10-17-2018 01:24 AM

Right, ok 🙂

Not sure whether you can see it in the logs (maybe check the system events close to startup or something, maybe that holds a clue).

Otherwise, it should be possible to use some commands to check the system type, which you could put into a scripted input. Maybe the windows TA even already contains some scripted / wmi inputs that enable you to find out.

0 Karma
Reply

ShaunBaker
Path Finder
‎10-26-2018 10:56 AM

So we have WMI working and I found a string that at least got me some VMs, but it required that the VM be a Windows VM, no joy on the linux side. Could probably add something to our Linux deployment-app to check for VMware tools. If I cast the net really wide there seems to be snippets of VM info in sourcetype WinHostMon, WindowsUpdateLog, and even eventype nix-all-logs- so hopefully I can whip something up that is accurate and clean.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...