Splunk App for VMware: How to edit my search to li...

saurabhkunte · ‎04-03-2015

Hello,

Hoping one of you can help me figure out what is wrong with the following query i am building in the Splunk App for VMware.

Working Search: this lists me MOIDs with their avg memory usage over a period of time.

(sourcetype="vmware:perf:mem" source="VMPerf:VirtualMachine") OR (sourcetype="vmware:inv:vm" changeSet.name=*) | eval detect = if(p_average_mem_usage_percent < 25.00, "UsageLessThan25%", if(p_average_mem_usage_percent > 80.00, "UsageGreaterThan80%", "normal")) | stats first(detect) as "Memory Usage" by moid

However, I would like to show this stats against the VM Name. Modified search that does not work :

(sourcetype="vmware:perf:mem" source="VMPerf:VirtualMachine") OR (sourcetype="vmware:inv:vm" changeSet.name=*) | eval detect = if(p_average_mem_usage_percent < 25.00, "UsageLessThan25%", if(p_average_mem_usage_percent > 80.00, "UsageGreaterThan80%", "normal")) | stats first(detect) as "Memory Usage" by changeSet.name.

This query lists all the VMs as having normal avg which is not correct. Would appreciate if anyone can help me correct the above query. Many thanks

ansif · ‎02-14-2018

This is very old question still someone can look into it:

index="vmware-inv" sourcetype="vmware:inv:vm" | join vm_id [ search (sourcetype="vmware:perf:mem" source="VMPerf:VirtualMachine") ]| table vm_name p_average_mem_usage_percent

Splunk App for VMware: How to edit my search to list MOIDs with their avg memory usage over time against the VM Name?

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Combine Multiline Logs into a Single Event with SOCK: a Step-by-Step Guide for ...