Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

total vm's in esxi server

dall
Path Finder
‎09-22-2020 11:44 PM

i have extracted from logs how many are running but not able to write query for how many are present in server.

can anyone help on this???

Labels (1)
Labels
0 Karma
Reply

dall
Path Finder
‎09-23-2020 03:24 AM

 

 i have tried this but wrong result getting

index=" " host=" " | rex "\/[^\/]*\/[^\/]*\/[^\/]*\/(?<VMX>[^\.]*)\.vmx"| rex "(?<VMX>[^\/]+)\.vmx" | stats count by VMX | fields - count | stats count

 

i want to extract how many vm's are present and how many running and stopped status of vm

 my events are like this

[Originator@6876 sub=Vmsvc.vm:/vmfs/volumes/5c29d53f-db838d67-eceb-64006a7385ee/windows10_test_PT/windows10_test_PT.vmx] CacheDatastores: fileBacking [] /windows.iso has null datastore reference <13>Injector: Sleeping!

 

[Originator@6876 sub=Vmsvc.vm:/vmfs/volumes/5c29d53f-db838d67-eceb-64006a7385ee/windows10_test_PT/windows10_test_PT.vmx] Send config update invoked

[Originator@6876 sub=Vmsvc.vm:/vmfs/volumes/5b644667-2570bf2b-f8b4-a0369fe19fa4/packer_ubuntu20/packer_ubuntu20.vmx] Send config update invoked

 

[Originator@6876 sub=Vmsvc.vm:/vmfs/volumes/5b644667-2570bf2b-f8b4-a0369fe19fa4/Ansible/Ansible.vmx opID=f8c92b55 user=root] State Transition (VM_STATE_SETTING_SCREEN_RES -> VM_STATE_ON)

[Originator@6876 sub=Vmsvc.vm:/vmfs/volumes/5b644667-2570bf2b-f8b4-a0369fe19fa4/Ansible/Ansible.vmx opID=f8c92b55 user=root] State Transition (VM_STATE_SETTING_SCREEN_RES -> VM_STATE_ON)

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-23-2020 04:09 AM

The second rex effectively overwrites the first. What this appears to be doing is counting the distinct VMs by assuming they are uniquely identified by whatever is between the last / and the .vmx

-- your search
| rex "(?<VMX>[^\/]+)\.vmx" | stats dc(VMX)

Is this what you intended? 

Also, for the second part, what events in the log tell you whether the vm is running or stopped?

0 Karma
Reply

dall
Path Finder
‎09-23-2020 04:48 AM

i have 4 sourcetype and each sourcetype i have extracted vm name but in query while using all sourcetype only 1st sourctype result of vm showing 

how i can use all sourcetype and list all vm's

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-23-2020 05:04 AM

How are you including all source types in your search?

index=* sourcetype=A OR sourcetype=B OR sourcetype=C OR sourcetype=D

Note that you have to use capitals for "OR" not "or"

0 Karma
Reply

dall
Path Finder
‎09-23-2020 05:15 AM

yes like this only i used but only 1st sourcetype result showing

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-23-2020 05:24 AM

Can you share your full query?

0 Karma
Reply

dall
Path Finder
‎09-23-2020 05:44 AM

 

index=* sourcetype=A OR sourcetype=B OR sourcetype=C OR sourcetype=D | stats count by VMName

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-23-2020 05:49 AM

This is missing the rex - try

index=* sourcetype=A OR sourcetype=B OR sourcetype=C OR sourcetype=D 
| rex "(?<VMName>[^\/]+)\.vmx" 
| stats dc(VMName)

 

0 Karma
Reply

dall
Path Finder
‎09-23-2020 06:18 AM

from 2 server i am getting correct result but for 3rd server i am running same query but not getting correct result

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-23-2020 06:31 AM

Sounds like you have found your problem - what is different about server 3 or at least the logs you receive from it?

0 Karma
Reply

dall
Path Finder
‎09-23-2020 06:47 AM

yes, how i ll get that in each server how many vm's are present

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-23-2020 06:54 AM

How do you know which log message comes from which server?

0 Karma
Reply

dall
Path Finder
‎09-23-2020 09:41 AM

index=" " ".vmx" there that one is showing  how many sourcetype and each sourcetype i am checking events 

is there any other way ??

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-23-2020 10:50 AM

I am not sure I understand - is each sourcetype a different server and you want the count of VM for each sourcetype?

index=* sourcetype=A OR sourcetype=B OR sourcetype=C OR sourcetype=D 
| rex "(?<VMName>[^\/]+)\.vmx" 
| stats dc(VMName) by sourcetype
0 Karma
Reply

dall
Path Finder
‎09-23-2020 11:38 PM

not getting correct result

is there any condition i have to apply to know which are running and which are stopped??

0 Karma
Reply

dall
Path Finder
‎09-23-2020 09:52 PM

3 server with multiple sourcetype but only 4 sourcetype of each server vmname is present..so by extracting those vmname i am showing but only running vm showing 

how i can show total vm's which are present in each server??

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-23-2020 11:56 PM 
index=* sourcetype=A OR sourcetype=B OR sourcetype=C OR sourcetype=D 
| rex "(?<VMName>[^\/]+)\.vmx" 
| stats dc(VMName) by sourcetype, host

Hopefully, the indexers/forwarders will have added a field called host to indicate where the log originated.

0 Karma
Reply

dall
Path Finder
‎09-24-2020 12:04 AM

sorry, this is not what i am expecting

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-24-2020 12:12 AM

Then you have to explain how you identify which server the events are coming from

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎09-23-2020 12:08 AM

Can you provide example log events and show what you already have tried?

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...