Reporting

How do you get a report of machines that are VMs?

ShaunBaker
Path Finder

I've seen searches using _internal to identify OS, but is there a way to identify what clients are physical and which are VMs?

0 Karma

FrankVl
Ultra Champion

I'd typically get that kind of context from a CMDB and feed that into lookups in Splunk to enrich events with such information (e.g. through Enterprise Security's Asset&Identity framework).

Not sure if there is any way to tell the difference between a VM and a physical from logs. What logs are you collecting and do you have a UF on the respective machines?

0 Karma

ShaunBaker
Path Finder

I think pretty basic/standard sourcetypes for Windows: application, system and security. There are a lot of different eventtypes though, so I will dig around.

I do have a UF on the VMs in question.

Hoping to use Splunk to help with generating my CMDB haha.

0 Karma

FrankVl
Ultra Champion

Right, ok 🙂

Not sure whether you can see it in the logs (maybe check the system events close to startup or something, maybe that holds a clue).

Otherwise, it should be possible to use some commands to check the system type, which you could put into a scripted input. Maybe the Windows TA even already contains some scripted / WMI inputs that enable you to find out.

0 Karma

ShaunBaker
Path Finder

So we have WMI working and I found a string that at least got me some VMs, but it required that the VM be a Windows VM, no joy on the Linux side. Could probably add something to our Linux deployment-app to check for VMware tools. If I cast the net really wide there seem to be snippets of VM info in sourcetype WinHostMon, WindowsUpdateLog, and even eventtype nix-all-logs - so hopefully I can whip something up that is accurate and clean.

0 Karma
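
For the Linux side discussed in this thread, one way to build the scripted input is to read the DMI strings the kernel exposes in sysfs. This is an added example, not code posted by anyone in the thread. It assumes the script is shipped in a deployment app and run by the UF as a scripted input; the function names, the `DMI_DIR` override and the vendor patterns (a heuristic covering common hypervisors only) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): Splunk scripted input for Linux hosts.
# Emits one key=value event saying whether the host looks virtual or physical.
# Assumption: the vendor patterns below are a heuristic, not an exhaustive list.
DMI_DIR="${DMI_DIR:-/sys/class/dmi/id}"   # overridable so the logic can be tested

read_dmi() {
    # Print one DMI attribute without its newline, or "unknown" if unreadable.
    if [ -r "$DMI_DIR/$1" ]; then
        tr -d '\n' < "$DMI_DIR/$1"
    else
        printf 'unknown'
    fi
}

classify() {
    # $1 = sys_vendor, $2 = product_name; prints a hypervisor label or "none".
    case "$1 $2" in
        *VMware*)                                 echo vmware ;;
        *innotek*|*VirtualBox*)                   echo virtualbox ;;
        "Microsoft Corporation Virtual Machine"*) echo hyperv ;;
        *QEMU*|*KVM*)                             echo kvm ;;
        Xen*)                                     echo xen ;;
        "Amazon EC2"*)                            echo amazon-ec2 ;;
        Google*)                                  echo gcp ;;
        *)                                        echo none ;;
    esac
}

vm_report() {
    vendor=$(read_dmi sys_vendor)
    product=$(read_dmi product_name)
    if [ "$vendor" = unknown ] && [ "$product" = unknown ]; then
        # No DMI data (some containers and ARM boards): do not guess.
        host_type=unknown; hv=unknown
    else
        hv=$(classify "$vendor" "$product")
        if [ "$hv" = none ]; then host_type=physical; else host_type=virtual; fi
    fi
    printf '%s host_type=%s hypervisor=%s sys_vendor="%s" product_name="%s"\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$host_type" "$hv" "$vendor" "$product"
}

vm_report
```

Because the event is plain key=value text, `host_type` and `hypervisor` are extracted at search time and can be reported per `host` or written to a lookup.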