Deploiement_Server/deployment-apps/TA-VMW-FieldExtractions/default/props.conf

# Copyright (C) 2005-2021 Splunk Inc. All Rights Reserved. 

[(?::){0}vmware*]
EVAL-app = "vmware" 
EVAL-vendor = "VMWare, Inc."

[vmware:perf:cpu]
KV_MODE = multi_tsv
FIELDALIAS-extract_cpu_perf = p_average_cpu_usagemhz_megaHertz as cpu_load_mhz, p_summation_cpu_run_millisecond as cpu_time, p_average_cpu_demand_megaHertz as cpu_demand
EVAL-cpu_allocation_percent = (p_average_cpu_reservedCapacity_megaHertz/p_average_cpu_totalCapacity_megaHertz)*100
EVAL-cpu_load_percent = if(instance="aggregated", p_average_cpu_usage_percent, null)

[vmware:perf:disk]
KV_MODE = multi_tsv
FIELDALIAS-extract_disk_perf = p_latest_disk_maxTotalLatency_millisecond  as latency, p_average_disk_deviceLatency_millisecond as storage_device_latency, p_average_disk_kernelLatency_millisecond as os_storage_latency, p_average_disk_queueLatency_millisecond as storage_queue_latency, p_average_disk_usage_kiloBytesPerSecond as storage_usage, p_latest_disk_maxTotalLatency_millisecond as highest_latency

[vmware:perf:mem]
KV_MODE = multi_tsv
FIELDALIAS-extract_memory_usage = p_average_mem_usage_percent as mem_usage_percent
EVAL-mem_used = p_average_mem_consumed_kiloBytes/1024
EVAL-mem_committed = p_average_mem_granted_kiloBytes/1024
EVAL-mem_free = p_average_mem_heapfree_kiloBytes/1024
EVAL-swap_used = p_average_mem_swapused_kiloBytes/1024
EVAL-mem = p_average_mem_totalCapacity_megaBytes
EVAL-mem_provisioned = p_average_mem_vmmemctl_kiloBytes*1024
EVAL-mem_reserved = p_average_mem_compressed_kiloBytes*1024
EVAL-mem_page_rate =(p_average_mem_swapinRate_kiloBytesPerSecond + p_average_mem_swapoutRate_kiloBytesPerSecond)/4

[vmware:perf:clusterServices]
KV_MODE = multi_tsv

[vmware:perf:datastore]
KV_MODE = multi_tsv
FIELDALIAS-extract_datastore_perf = instance as datastore_id, p_average_datastore_totalReadLatency_millisecond as read_latency, p_average_datastore_totalWriteLatency_millisecond as write_latency 
EVAL-storage_usage = p_average_datastore_read_kiloBytesPerSecond + p_average_datastore_write_kiloBytesPerSecond
EVAL-datastore_read_latency = if(source="VMPerf:HostSystem", p_average_datastore_totalReadLatency_millisecond, null)
EVAL-datastore_write_latency = if(source="VMPerf:HostSystem", p_average_datastore_totalWriteLatency_millisecond, null)
EVAL-storage_used_percent=(storage_committed/(storage_committed+storage_uncommitted))*100
EVAL-datastore_used_percent=((datastore_capacity-datastore_freespace)/datastore_capacity)*100

[vmware:perf:hbr]
KV_MODE = multi_tsv

[vmware:perf:managementAgent]
KV_MODE = multi_tsv

[vmware:perf:net]
KV_MODE = multi_tsv
FIELDALIAS-extract_network_perf = instance as nic_id, p_average_net_received_kiloBytesPerSecond as network_usage_in, p_average_net_transmitted_kiloBytesPerSecond as network_usage_out, p_summation_net_droppedRx_number as packets_dropped_in, p_summation_net_droppedTx_number as packets_dropped_out
EVAL-thruput = p_average_net_transmitted_kiloBytesPerSecond/1024
EVAL-network_usage = if(instance="aggregated", p_average_net_usage_kiloBytesPerSecond, null)

[vmware:perf:rescpu]
KV_MODE = multi_tsv

[vmware:perf:power]
KV_MODE = multi_tsv

[vmware:perf:storageAdapter]
KV_MODE = multi_tsv

[vmware:perf:storagePath]
KV_MODE = multi_tsv

[vmware:perf:sys]
KV_MODE = multi_tsv
FIELDALIAS-extract_sys_perf = p_latest_sys_uptime_second as uptime

[vmware:perf:vcDebugInfo]
KV_MODE = multi_tsv

[vmware:perf:vcResources]
KV_MODE = multi_tsv

[vmware:perf:virtualDisk]
KV_MODE = multi_tsv

[vmware:perf:vmop]
KV_MODE = multi_tsv

[vmware:perf:vflashModule]
KV_MODE = multi_tsv

[vmware:events]
FIELDALIAS-extract_vm_alert_change = eventClass as type, key as id, host as src, fullFormattedMessage as subject, host as dest, role.name as object, privilegeList{} as object_attrs, role.roleId as object_id, userName as user
EVAL-change_type = if(isnotnull(object), "role", "N/A")
EVAL-product = "SplunkForVmware"
EVAL-action = case(eventClass=="RoleRemovedEvent", "deleted", eventClass=="RoleAddedEvent", "created", eventClass=="RoleUpdatedEvent", "modified", 1==1, "unknown")
KV_MODE = json

[vmware:tasks]
KV_MODE = json

[vmware:inv:datastore]
KV_MODE = json
FIELDALIAS-extract_datastore_inv = changeSet.host.DatastoreHostMount.mountInfo{}.path as mount, changeSet.summary.url as root_url, changeSet.summary.type as root_volume_type, changeSet.summary.capacity as storage_capacity, changeSet.summary.accessible as accessible
EVAL-storage = $changeSet.info.vmfs.capacity$/1024 
EVAL-storage_free = $changeSet.info{}.freeSpace$/1024
EXTRACT-datastore_id = ds:\/\/\/vmfs\/volumes\/(?<datastore_id>.*?)\/[\"\n\s\t\b]?.*$ in datastore_url
EVAL-committed = $changeSet.summary.capacity$-$changeSet.summary.freeSpace$
EVAL-storage_free_space = coalesce($changeSet.summary.freeSpace$,$changeSet.summary{}.freeSpace$)
EVAL-uncommitted = coalesce($changeSet.summary.uncommitted$,$changeSet.summary{}.uncommitted$)
EVAL-root_path = coalesce($changeSet.info.vmfs.extent{}.diskName$,$changeSet.info.nas.remotePath$)

[vmware:inv:hostsystem]
KV_MODE = json
FIELDALIAS-extract_host_inv =  changeSet.summary.config.product.productLineId as family, changeSet.summary.config.product.vendor as vendor, changeSet.summary.config.product.licenseProductName as product, changeSet.summary.hardware.numCpuCores as cpu_cores, changeSet.summary.hardware.numCpuThreads as cpu_count, changeSet.summary.hardware.cpuMhz as cpu_mhz, changeSet.summary.config.product.osType as os, changeSet.summary.config.product.version as version, changeSet.name as dest, changeSet.config.hyperThread.config as hyperthreading, changeSet.summary.hardware.cpuModel as processor, changeSet.summary.hardware.numCpuThreads as logical_cpu_count, changeSet.summary.hardware.numNics as nic_count, changeSet.summary.hardware.numCpuPkgs as processor_socket_count, changeSet.summary.hardware.memorySize as mem_capacity, cluster.moid as cluster_id, cluster.name as cluster_name, datastores{}.accessible as accessible, datastores{}.name as datastore, changeSet.summary.config.product.osType as hypervisor_os, changeSet.summary.config.product.version as hypervisor_os_version, datacenter.name as datacenter
EVAL-enabled = isnotnull(moid) 
EVAL-mem = $changeSet.summary.hardware.memorySize$/1024
EVAL-vendor_product = vendor + "_" + product
REPORT-exctractdatastoreid = exctract_datastore_id

[vmware:inv:vm]
KV_MODE = json
FIELDALIAS-extract_vm_inv =  changeSet.storage.perDatastoreUsage{}.datastore.moid as mount, changeSet.guest.ipAddress as ip, changeSet.guest.net.GuestNicInfo{}.macAddress as mac, changeSet.guest.ipStack{}.dnsConfig.domainName as dns, changeSet.guest.toolsStatus as status, changeSet.guest.toolsVersion as tools_version, changeSet.snapshot.rootSnapshotList{}.name as snapshot, changeSet.snapshot.rootSnapshotList{}.description as description, changeSet.snapshot.rootSnapshotList{}.createTime as time, changeSet.summary.runtime.powerState as power_state, changeSet.config.guestFullName as vm_os, changeSet.config.hardware.numCoresPerSocket as cpu_cores, changeSet.config.datastoreUrl{}.name as datastore, changeSet.config.datastoreUrl{}.url as datastore_volume_path, changeSet.summary.runtime.host.uuid as hypervisor_id, changeSet.summary.runtime.host.name as hypervisor_name, changeSet.summary.storage.uncommitted as uncommitted, changeSet.summary.quickStats.uptimeSeconds as vm_uptime, datastores{}.accessible as accessible, changeSet.summary.storage.committed as committed, cluster.moid as cluster_id, cluster.name as cluster_name, changeSet.config.hardware.numCPU as logical_cpu_count
FIELDALIAS-extract_product_version = changeSet.config.guestFullName as product_version  
EVAL-storage_used = $changeSet.storage.perDatastoreUsage{}.committed$/1024
EVAL-storage_capacity = ($changeSet.summary.storage.uncommitted$ + $changeSet.summary.storage.committed$)
EVAL-mem_capacity = $changeSet.summary.config.memorySizeMB$*1024*1024
EVAL-vendor_product =  "VMWare, Inc." + "_" + 'changeSet.config.guestFullName'
REPORT-extractosversion = extract_os_version
REPORT-exctractdatastoreid = exctract_datastore_id

[vmware:inv:clustercomputeresource]
KV_MODE = json

[vmware:inv:hierarchy]
KV_MODE = json

[vmware:inv:resourcepool]
KV_MODE = json

[source::.../var/log/splunk/ta_vmware_hierarchy_agent*]
REPORT-hydraloggerfields = hydra_logger_fields

[source::VMPerf:HostSystem]
FIELDALIAS-hypervisor_id = uuid as hypervisor_id

[source::VMPerf:VirtualMachine]
FIELDALIAS-vm_id = uuid as vm_id

# Adding the below extraction stanzas in order to populate the Hydra troubleshooting dashboards and to remove SA-Hydra dependency from Search Head. Changes performed in VMW-6087

[source::.../var/log/splunk/hydra_scheduler*]
LINE_BREAKER = ([\r\n]+)\d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d
BREAK_ONLY_BEFORE = \d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d
SHOULD_LINEMERGE = false
REPORT-schedulerfields = hydra_scheduler_log_fields
sourcetype = hydra_scheduler

[source::.../var/log/splunk/hydra_worker*]
LINE_BREAKER = ([\r\n]+)\d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d
BREAK_ONLY_BEFORE = \d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d
SHOULD_LINEMERGE = false
REPORT-workerfields = hydra_worker_log_fields
sourcetype = hydra_worker

[source::.../var/log/splunk/hydra_gateway*]
LINE_BREAKER = ([\r\n]+)\d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d
BREAK_ONLY_BEFORE = \d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d
SHOULD_LINEMERGE = false
REPORT-gatewayfields = hydra_gateway_log_fields
sourcetype = hydra_gateway

[source::.../var/log/splunk/hydra_gatekeeper*]
LINE_BREAKER = ([\r\n]+)\d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d
BREAK_ONLY_BEFORE = \d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d
SHOULD_LINEMERGE = false
sourcetype = hydra_gatekeeper

[source::.../var/log/splunk/hydra_access*]
LINE_BREAKER = ([\r\n]+)\d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d
BREAK_ONLY_BEFORE = \d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d
SHOULD_LINEMERGE = false
REPORT-gatewayfields = hydra_access_log_fields
sourcetype = hydra_access