Splunk® App for VMware (Legacy)

User Guide

On August 31, 2022, the Splunk App for VMware will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for VMware Dashboards and Reports.
This documentation does not apply to the most recent version of Splunk® App for VMware (Legacy). For documentation on the most recent version, go to the latest release.

Reports

This topic describes the reports provided as knowledge objects in the Splunk App for VMware.

Memory reports

Report Name Description
Memory Ballooning by VC This report displays a time chart, split by hosts, showing memory ballooning for all the hosts over the selected time range. It also displays this data for each host as a table. You can see the amount of physical memory reclaimed by the host through VMware's ballooning driver. Frequent ballooning indicates a host in stress.
Memory Swapped by VC This report displays a time chart, split by hosts (vcenters), showing the amount of memory from a virtual machine that was swapped by the host. This indicates that a host is stressed and needs more memory.
Memory Usage by VC This report displays the percentage amount of memory used by the virtual machines in your environment.
Memory Utilization by Cluster This search shows memory usage for all clusters over time.
Average Memory Provisioning This search shows the average memory provisioning for all hosts.

Host System Reports

Report Name Description
Top Hosts with Ballooning A report that shows the top 10 Hosts with Memory Ballooning for all the hosts. The report uses the p_average_mem_vmmemctl_kiloBytes metric. It calculates the sum of all memory balloon driver (vmmemctl) values for all powered-on virtual machines.
Host System- Count by Status A report that displays host system status as chart and a table. You can visually see the high level status of your hosts. The report is based on the sourcetype vmware:inv:hostsystem.
Host System- Count by Free CPU A report that displays a count of host systems with free cpu. You can visually see the high level status and drill down for individual details for each host system. The reports is based on the source type vmware:inv:hostsystem.
Host System- Count by Available Memory A report that displays a count of host systems by available memory. You can visually see the high level status and drill down for individual details for each host system. The reports is based on the source type vmware:inv:hostsystem.
Host System- Count by Total Processing The report displays a count of the host systems by total cpu usage for the hosts. This is the total actively used cpu (in MHz). The reports is based on the source type vmware:inv:hostsystem.
Host System- Count by Total Memory The report displays a count of the host systems by total memory usage for the hosts (in MB). The reports is based on the source type vmware:inv:hostsystem.
Host System- Count by Manufacturer The report displays a count of the host systems by hardware vendor. The reports is based on the source type vmware:inv:hostsystem.
Host System- Count by Model The report displays a count of the host systems by hardware model. The reports is based on the source type vmware:inv:hostsystem.
Host System- Count by Number of NICs The report displays a count of the host systems by network interface controllers (NICs). The report is based on the source type vmware:inv:hostsystem.
Host System- Count by Hyperthreading The report displays a count of the host systems that use hyper threading. You can see if Hyperthreading is enabled or inactive. The reports is based on the source type vmware:inv:hostsystem.
Host System- Count by CPU Cores The report displays a count of the host systems by cpu cores. The reports is based on the source type vmware:inv:hostsystem.
Host System- Count by Processor Type The report displays a count of the host systems by the type of processor they use. The report is based on the source type vmware:inv:hostsystem.
Host System- Count by ProcessorSockets This report displays a count of the number of cpu sockets on the hosts. This number is calculated using the number of physical CPU packages (numCpuPkgs) on the host. The report is based on the source type vmware:inv:hostsystem.
Host System- Count by Cores per Socket The report displays a count of host systems by cpu cores per socket. The report is based on the source type vmware:inv:hostsystem.
Host System- Count by Logical Processors The report displays a count of host systems by logical cores that run on them. Hyperthreading is used to share the workload between them. The report is based on the source type vmware:inv:hostsystem.

Virtual Machine Reports

Report Name Description
Snapshots older than 14 days This search shows all snapshots taken that are older than 14 days. You can see the details for each snapshot such as the file name, the host, when it was created, the size of the snapshot, and so on.
Top 5 Migrated VMs This chart shows the top five virtual machines that migrated across all hosts.
Top OSs This chart shows the top 10 operating systems installed on the virtual machines across all of the hosts in your environment.
OS Installed on VMs This chart shows the various operating systems and the associated operating system versions (if available) that are running on the virtual machines.
Virtual Machine- Count by Tools Status This chart shows the status of VMware Tools running in your environment, for all of the the virtual machines in your environment. The status can be "VM tools not installed", "VM tools old", and "VM tools installed", "VM tools ok", "VM tools not running", and "Not available".
Virtual Machine- Count by cores This is a count by virtual machine of the number of virtual CPUs (vCPU) in a virtual machine. vCPUs in the VMware environment appear to the operating system as single core CPUs.
Virtual Machine - Count by Memory Usage Severity This chart displays a total count for all virtual machines of memory usage severity. The severity levels are critical, normal, and warning. You can drill down on the severity levels to see the details of the machines and the threshold set for that severity level for that metric (average_mem_usage_percent).
Virtual Machine - Count by Disk Usage Severity This chart displays a count of virtual machines for their disk usage severity. The search is based on the average_disk_usage_kiloBytesPerSecond metric and it's looking for a threshold severity "unchecked". Drill down from the chart to see details for each virtual machine.
VMs With Old or No Tools This search result shows all of the virtual machines in your environment that that have an old version of VMware Tools installed and those that do not have VMware Tools installed.
Total VM Migrations This chart displays the total number of virtual machines that migrated across all of the hosts in your environment. Drill down on the Total Migrations count to get a list of all migrated virtual machines.
Powered Off VMs This search produces a list of all virtual machines that were powered off. The sourcetype="vmware:inv:vm" is used in the report.
Max Disk Latency per VM This is the maximum disk latency per virtual machine for all of the hosts in your environment. The latency severity is broken down into critical, normal, and warning. Drill down on the severity level to get more details. The metric latest_disk_maxTotalLatency_millisecond is used to determine severity.

Security reports

Report Name Description
Vmware Security changes A report that shows changes to user roles on the host systems in your environment. The source type vmware:events must be present.

User activity reports

Report Name Description
Per-Panel Filtering - Activity By User Over Time A report that displays user activity over the time range specified.
Per-Panel Filtering - Recent Activity A report that displays recent user activity.
Per-Panel Filtering - Top Users A report that shows the most frequent users.

Reports on critical status

Report Name Description
Critical CPU Ready A report that displays all of the virtual machines that reached the critical threshold set for cpu ready for all of the virtual centers. CPU ready reports on the amount of time (in milliseconds) that a virtual machine waited for cpu cycles. The report uses the p_summation_cpu_ready_millisecond metric.
Critical CPU Usage A report that displays all of the virtual machines with critical CPU usage for all of the virtual centers in your environment. The report uses the p_average_cpu_usage_percent metric.
Critical Disk Usage A report that displays all of the virtual machines with critical disk usage for all of the hosts in your environment. The report uses the p_average_disk_usage_kiloBytesPerSecond metric.
Critical Mem Usage A report that displays all of the virtual machines with critical memory usage for all the virtual centers in your environment. The report uses the p_average_mem_usage_percent metric.

CPU reports

Report Name Description
Average VM CPU Ready The virtual machine CPU Ready state for all of the hosts. It uses the p_summation_cpu_ready_millisecond metric.
CPU Ready by VC This report displays a timechart for CPU Ready for all of the hosts. It uses the p_summation_cpu_ready_millisecond metric.
CPU Usage by Cluster This report displays the CPU usage by cluster for all of the virtual centers in your environment. It uses the p_average_cpu_usage_percent metric.
CPU Usage by VC This report displays the CPU usage by each virtual center for the selected time. It uses the p_average_cpu_usage_percent metric.
Average CPU Utilization This report displays the average CPU usage as a percent and a count for the state of the critical, warning, and normal threshold severity levels. It uses the p_average_cpu_usage_percent metric.

Storage/network error Reports

Report Name Description
All paths are dead The All Paths Down (APD) state occurs when a storage device is removed from an ESX/i host in an uncontrolled manner (administrative error or device failure). This condition can affect task execution on a host as the host processes can wait for a device to return and there is no certainty that it will return. The search uses the sourcetype vmware:*log:*.
SCSI reservation error - i/o failed This search shows virtual machines that experience I/O failures due to too many SCSI reservation conflicts. The search uses the sourcetype "vmware:*log*".
Lost connectivity VMware vSphere logs an alert that contains ' Configuration Issue' when it loses connectivity to a device. The search uses the sourcetype vmware:*log:*.
Duplicate IPs An error messages indicates that a duplicate IP address exists. Search VMware ESX/i logs for the string "duplicate IP". The sourcetype vmware:esx*:* is used in the search.
Datastore Free Space state This chart shows the severity level associated with the free space capacity on the data store. The source type vmware:inv:datastore is used. The metric RemainingCapacity_GB is used. Drill down on the threshold severity to see more details such as the capacity of the data store, the amount of free space, the name of the data store, the threshold critical level, and more.

Alarm reports

Report Name Description
Alarms This search shows alarms from all of the virtual centers in your environment. Click on the alarm to drill down to more details. The sourcetype vmware:events is used in the search.
Last modified on 03 October, 2016
Common use cases  

This documentation applies to the following versions of Splunk® App for VMware (Legacy): 3.3.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters