What is a good way to compare all the VMs in a VMware vSphere with all of the universal forwarders I have installed?

lycollicott
Motivator

First off, let me say that we do not have plans to purchase the VMware app.

I would like to be able to identify any VMs which do not have the Universal Forwarder installed and I considered having the VMware team routinely provide me with a get-vm output in CSV format to create a lookup, but that seems awfully manual and error prone.

Any ideas? It's Monday, I'm feeling lazy and I don't want to reinvent the wheel if I don't have to.

0 Karma
1 Solution

vasildavid
Path Finder

The get-vm CSV is probably the best way. You can use that as an inputlookup with a |metadata command to find systems that have not recently sent you data like so:

| inputlookup append=t vmware_hosts 
| fields nt_host 
| where NOT [| metadata index=vmware type=hosts earliest=-1d@d latest=now
             | where lastTime > relative_time(now(), "-1d@d") 
             |  rex field=host "(?<nt_host>[^\.]+)" 
             | fields nt_host]
| sort nt_host

edit: added "probably the best way".
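For anyone who wants to sanity-check the same logic outside Splunk, here is an added Python version (my own example, not vasildavid's search or anything from the thread). It takes the Get-VM CSV and an exported `| metadata index=vmware type=hosts | table host lastTime` result, normalizes hostnames the way the `rex` does (short name, case-folded), and lists VMs with no host activity since yesterday midnight (UTC is an assumption; Splunk would use the search head's timezone). Column names, hostnames and timestamps below are constructed sample data.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample: the CSV the VMware team would hand over from Get-VM.
VM_CSV = """Name,PowerState
web01,PoweredOn
db01.corp.example,PoweredOn
app02,PoweredOff
Jump01,PoweredOn
"""

# Constructed sample: export of
#   | metadata index=vmware type=hosts | table host lastTime
META_CSV = """host,lastTime
web01.corp.example,1715000000
DB01,1714000000
jump01.corp.example,1715001000
"""


def short_name(host: str) -> str:
    """Equivalent of rex field=host "(?<nt_host>[^\\.]+)", plus case-folding,
    so 'DB01' and 'db01.corp.example' compare equal."""
    return host.split(".", 1)[0].strip().lower()


def yesterday_midnight(now_epoch: int) -> int:
    """Equivalent of relative_time(now(), "-1d@d"): snap to the start of the
    previous day. Uses UTC (assumption) rather than the search head's timezone."""
    d = datetime.fromtimestamp(now_epoch, tz=timezone.utc) - timedelta(days=1)
    return int(d.replace(hour=0, minute=0, second=0, microsecond=0).timestamp())


def vms_without_recent_data(vm_csv: str, meta_csv: str, now_epoch: int) -> list[str]:
    """Return VM names (as they appear in the Get-VM export) whose short hostname
    has not sent data since yesterday midnight, i.e. likely missing a forwarder."""
    cutoff = yesterday_midnight(now_epoch)
    reporting = {
        short_name(row["host"])
        for row in csv.DictReader(io.StringIO(meta_csv))
        if int(row["lastTime"]) > cutoff
    }
    missing = [
        row["Name"]
        for row in csv.DictReader(io.StringIO(vm_csv))
        if short_name(row["Name"]) not in reporting
    ]
    return sorted(missing, key=str.lower)


if __name__ == "__main__":
    # now = 2024-05-06 12:53:20 UTC; db01 is stale and app02 never reported.
    print(vms_without_recent_data(VM_CSV, META_CSV, 1715000000))
```

Powered-off VMs (app02 here) will show up too, so you may want to filter on PowerState before treating a hit as a missing forwarder.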

