VMWare APP Usage

matthewparry · ‎08-29-2012

Hi,

Is it possible to get a daily indexed total per ESX(Host) and VC rather than an indexed daily total for the entire vmware index?
The APP uses multiple indexes also, so it would need to take into consideration these?

Maybe something like:

index=_internal source=*license_usage.log type=Usage | eval MB=b/1024/1024 | timechart span=1d sum(MB) by h useother=false

ayme · ‎09-03-2012

I believe Tuxford's search is not 100% reliable because Splunk only logs the top few volume-generating hosts in the internal log.

Calculating the raw bytes of a message is often a good indicator:

index=vmware host=esxi* | eval bytes=len(_raw) | stats sum(bytes) as bytes by host | eval bytes/1024/1024

Although I believe meta data also counts towards indexing volume so the above search isn't 100% either (but likely to be close enough)

tuxford · ‎09-03-2012

Maybe this one can be tweaked to your needs?

index="_internal" source="*metrics.log" per_host_thruput series="*esxi*" OR series="*vc*" | eval MB=kb/1024 | chart sum(MB) by series

tuxford · ‎08-30-2012

If you go Status - Index activity - Indexing volume you can split by index, source, sourcetype and host.

VMWare APP Usage

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio