# Copyright (C) 2005-2021 Splunk Inc. All Rights Reserved. [(?::){0}vmware*] EVAL-app = "vmware" EVAL-vendor = "VMWare, Inc." [vmware:perf:cpu] KV_MODE = multi_tsv FIELDALIAS-extract_cpu_perf = p_average_cpu_usagemhz_megaHertz as cpu_load_mhz, p_summation_cpu_run_millisecond as cpu_time, p_average_cpu_demand_megaHertz as cpu_demand EVAL-cpu_allocation_percent = (p_average_cpu_reservedCapacity_megaHertz/p_average_cpu_totalCapacity_megaHertz)*100 EVAL-cpu_load_percent = if(instance="aggregated", p_average_cpu_usage_percent, null) [vmware:perf:disk] KV_MODE = multi_tsv FIELDALIAS-extract_disk_perf = p_latest_disk_maxTotalLatency_millisecond as latency, p_average_disk_deviceLatency_millisecond as storage_device_latency, p_average_disk_kernelLatency_millisecond as os_storage_latency, p_average_disk_queueLatency_millisecond as storage_queue_latency, p_average_disk_usage_kiloBytesPerSecond as storage_usage, p_latest_disk_maxTotalLatency_millisecond as highest_latency [vmware:perf:mem] KV_MODE = multi_tsv FIELDALIAS-extract_memory_usage = p_average_mem_usage_percent as mem_usage_percent EVAL-mem_used = p_average_mem_consumed_kiloBytes/1024 EVAL-mem_committed = p_average_mem_granted_kiloBytes/1024 EVAL-mem_free = p_average_mem_heapfree_kiloBytes/1024 EVAL-swap_used = p_average_mem_swapused_kiloBytes/1024 EVAL-mem = p_average_mem_totalCapacity_megaBytes EVAL-mem_provisioned = p_average_mem_vmmemctl_kiloBytes*1024 EVAL-mem_reserved = p_average_mem_compressed_kiloBytes*1024 EVAL-mem_page_rate =(p_average_mem_swapinRate_kiloBytesPerSecond + p_average_mem_swapoutRate_kiloBytesPerSecond)/4 [vmware:perf:clusterServices] KV_MODE = multi_tsv [vmware:perf:datastore] KV_MODE = multi_tsv FIELDALIAS-extract_datastore_perf = instance as datastore_id, p_average_datastore_totalReadLatency_millisecond as read_latency, p_average_datastore_totalWriteLatency_millisecond as write_latency EVAL-storage_usage = p_average_datastore_read_kiloBytesPerSecond + p_average_datastore_write_kiloBytesPerSecond EVAL-datastore_read_latency = if(source="VMPerf:HostSystem", p_average_datastore_totalReadLatency_millisecond, null) EVAL-datastore_write_latency = if(source="VMPerf:HostSystem", p_average_datastore_totalWriteLatency_millisecond, null) EVAL-storage_used_percent=(storage_committed/(storage_committed+storage_uncommitted))*100 EVAL-datastore_used_percent=((datastore_capacity-datastore_freespace)/datastore_capacity)*100 [vmware:perf:hbr] KV_MODE = multi_tsv [vmware:perf:managementAgent] KV_MODE = multi_tsv [vmware:perf:net] KV_MODE = multi_tsv FIELDALIAS-extract_network_perf = instance as nic_id, p_average_net_received_kiloBytesPerSecond as network_usage_in, p_average_net_transmitted_kiloBytesPerSecond as network_usage_out, p_summation_net_droppedRx_number as packets_dropped_in, p_summation_net_droppedTx_number as packets_dropped_out EVAL-thruput = p_average_net_transmitted_kiloBytesPerSecond/1024 EVAL-network_usage = if(instance="aggregated", p_average_net_usage_kiloBytesPerSecond, null) [vmware:perf:rescpu] KV_MODE = multi_tsv [vmware:perf:power] KV_MODE = multi_tsv [vmware:perf:storageAdapter] KV_MODE = multi_tsv [vmware:perf:storagePath] KV_MODE = multi_tsv [vmware:perf:sys] KV_MODE = multi_tsv FIELDALIAS-extract_sys_perf = p_latest_sys_uptime_second as uptime [vmware:perf:vcDebugInfo] KV_MODE = multi_tsv [vmware:perf:vcResources] KV_MODE = multi_tsv [vmware:perf:virtualDisk] KV_MODE = multi_tsv [vmware:perf:vmop] KV_MODE = multi_tsv [vmware:perf:vflashModule] KV_MODE = multi_tsv [vmware:events] FIELDALIAS-extract_vm_alert_change = eventClass as type, key as id, host as src, fullFormattedMessage as subject, host as dest, role.name as object, privilegeList{} as object_attrs, role.roleId as object_id, userName as user EVAL-change_type = if(isnotnull(object), "role", "N/A") EVAL-product = "SplunkForVmware" EVAL-action = case(eventClass=="RoleRemovedEvent", "deleted", eventClass=="RoleAddedEvent", "created", eventClass=="RoleUpdatedEvent", "modified", 1==1, "unknown") KV_MODE = json [vmware:tasks] KV_MODE = json [vmware:inv:datastore] KV_MODE = json FIELDALIAS-extract_datastore_inv = changeSet.host.DatastoreHostMount.mountInfo{}.path as mount, changeSet.summary.url as root_url, changeSet.summary.type as root_volume_type, changeSet.summary.capacity as storage_capacity, changeSet.summary.accessible as accessible EVAL-storage = $changeSet.info.vmfs.capacity$/1024 EVAL-storage_free = $changeSet.info{}.freeSpace$/1024 EXTRACT-datastore_id = ds:\/\/\/vmfs\/volumes\/(?.*?)\/[\"\n\s\t\b]?.*$ in datastore_url EVAL-committed = $changeSet.summary.capacity$-$changeSet.summary.freeSpace$ EVAL-storage_free_space = coalesce($changeSet.summary.freeSpace$,$changeSet.summary{}.freeSpace$) EVAL-uncommitted = coalesce($changeSet.summary.uncommitted$,$changeSet.summary{}.uncommitted$) EVAL-root_path = coalesce($changeSet.info.vmfs.extent{}.diskName$,$changeSet.info.nas.remotePath$) [vmware:inv:hostsystem] KV_MODE = json FIELDALIAS-extract_host_inv = changeSet.summary.config.product.productLineId as family, changeSet.summary.config.product.vendor as vendor, changeSet.summary.config.product.licenseProductName as product, changeSet.summary.hardware.numCpuCores as cpu_cores, changeSet.summary.hardware.numCpuThreads as cpu_count, changeSet.summary.hardware.cpuMhz as cpu_mhz, changeSet.summary.config.product.osType as os, changeSet.summary.config.product.version as version, changeSet.name as dest, changeSet.config.hyperThread.config as hyperthreading, changeSet.summary.hardware.cpuModel as processor, changeSet.summary.hardware.numCpuThreads as logical_cpu_count, changeSet.summary.hardware.numNics as nic_count, changeSet.summary.hardware.numCpuPkgs as processor_socket_count, changeSet.summary.hardware.memorySize as mem_capacity, cluster.moid as cluster_id, cluster.name as cluster_name, datastores{}.accessible as accessible, datastores{}.name as datastore, changeSet.summary.config.product.osType as hypervisor_os, changeSet.summary.config.product.version as hypervisor_os_version, datacenter.name as datacenter EVAL-enabled = isnotnull(moid) EVAL-mem = $changeSet.summary.hardware.memorySize$/1024 EVAL-vendor_product = vendor + "_" + product REPORT-exctractdatastoreid = exctract_datastore_id [vmware:inv:vm] KV_MODE = json FIELDALIAS-extract_vm_inv = changeSet.storage.perDatastoreUsage{}.datastore.moid as mount, changeSet.guest.ipAddress as ip, changeSet.guest.net.GuestNicInfo{}.macAddress as mac, changeSet.guest.ipStack{}.dnsConfig.domainName as dns, changeSet.guest.toolsStatus as status, changeSet.guest.toolsVersion as tools_version, changeSet.snapshot.rootSnapshotList{}.name as snapshot, changeSet.snapshot.rootSnapshotList{}.description as description, changeSet.snapshot.rootSnapshotList{}.createTime as time, changeSet.summary.runtime.powerState as power_state, changeSet.config.guestFullName as vm_os, changeSet.config.hardware.numCoresPerSocket as cpu_cores, changeSet.config.datastoreUrl{}.name as datastore, changeSet.config.datastoreUrl{}.url as datastore_volume_path, changeSet.summary.runtime.host.uuid as hypervisor_id, changeSet.summary.runtime.host.name as hypervisor_name, changeSet.summary.storage.uncommitted as uncommitted, changeSet.summary.quickStats.uptimeSeconds as vm_uptime, datastores{}.accessible as accessible, changeSet.summary.storage.committed as committed, cluster.moid as cluster_id, cluster.name as cluster_name, changeSet.config.hardware.numCPU as logical_cpu_count FIELDALIAS-extract_product_version = changeSet.config.guestFullName as product_version EVAL-storage_used = $changeSet.storage.perDatastoreUsage{}.committed$/1024 EVAL-storage_capacity = ($changeSet.summary.storage.uncommitted$ + $changeSet.summary.storage.committed$) EVAL-mem_capacity = $changeSet.summary.config.memorySizeMB$*1024*1024 EVAL-vendor_product = "VMWare, Inc." + "_" + 'changeSet.config.guestFullName' REPORT-extractosversion = extract_os_version REPORT-exctractdatastoreid = exctract_datastore_id [vmware:inv:clustercomputeresource] KV_MODE = json [vmware:inv:hierarchy] KV_MODE = json [vmware:inv:resourcepool] KV_MODE = json [source::.../var/log/splunk/ta_vmware_hierarchy_agent*] REPORT-hydraloggerfields = hydra_logger_fields [source::VMPerf:HostSystem] FIELDALIAS-hypervisor_id = uuid as hypervisor_id [source::VMPerf:VirtualMachine] FIELDALIAS-vm_id = uuid as vm_id # Adding the below extraction stanzas in order to populate the Hydra troubleshooting dashboards and to remove SA-Hydra dependency from Search Head. Changes performed in VMW-6087 [source::.../var/log/splunk/hydra_scheduler*] LINE_BREAKER = ([\r\n]+)\d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d BREAK_ONLY_BEFORE = \d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d SHOULD_LINEMERGE = false REPORT-schedulerfields = hydra_scheduler_log_fields sourcetype = hydra_scheduler [source::.../var/log/splunk/hydra_worker*] LINE_BREAKER = ([\r\n]+)\d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d BREAK_ONLY_BEFORE = \d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d SHOULD_LINEMERGE = false REPORT-workerfields = hydra_worker_log_fields sourcetype = hydra_worker [source::.../var/log/splunk/hydra_gateway*] LINE_BREAKER = ([\r\n]+)\d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d BREAK_ONLY_BEFORE = \d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d SHOULD_LINEMERGE = false REPORT-gatewayfields = hydra_gateway_log_fields sourcetype = hydra_gateway [source::.../var/log/splunk/hydra_gatekeeper*] LINE_BREAKER = ([\r\n]+)\d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d BREAK_ONLY_BEFORE = \d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d SHOULD_LINEMERGE = false sourcetype = hydra_gatekeeper [source::.../var/log/splunk/hydra_access*] LINE_BREAKER = ([\r\n]+)\d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d BREAK_ONLY_BEFORE = \d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d SHOULD_LINEMERGE = false REPORT-gatewayfields = hydra_access_log_fields sourcetype = hydra_access