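# Search macros for the VMware dashboards, one stanza per macro.
# Multi-line definitions are continued with a trailing backslash.

# Adds the search-time bounds (addinfo), replaces an open-ended upper bound
# ("+Infinity") with the current time, and stamps each row's _time with it.
[SetHandleInfoMaxTimeNow]
definition = addinfo | eval info_max_time=if(info_max_time="+Infinity",now(),info_max_time) | eval _time=info_max_time

# tstats wrapper that always applies the `summariesonly` macro below.
[tstats]
definition = tstats prestats=true local=false `summariesonly`

# summariesonly=true restricts tstats to accelerated data-model summaries, so
# events that have not been summarized yet (acceleration lag, disabled or
# rebuilding acceleration) are not returned. Any monitoring or alerting search
# built on `tstats` inherits that blind spot. allow_old_summaries=true also
# accepts summaries built from an earlier data-model definition.
[summariesonly]
definition = summariesonly=true allow_old_summaries=true

# Builds one row per VM file (.vmsn/.vmsd/.vmdk) with its size, type, datastore
# and first-seen snapshot details, then looks up the owning host system,
# resource pool and cluster through the FullHierarchy lookup.
# NOTE(review): the rex capture groups are named filedatastore and filename to
# match the fields that the later table/stats steps consume; confirm against
# the deployed app.
[process_inventory]
definition = stats \
values("Inventory.filename") AS filename \
values("Inventory.fileattributes") AS fileattributes \
values("Inventory.Snapshots") AS Snapshots \
values("Inventory.type") AS type by _time, host, "Inventory.moid" \
| mvexpand fileattributes \
| eval fields=split(fileattributes,",") \
| eval filename=mvindex(fields,0) \
| addinfo \
| fields - _span\
| rename "Inventory.moid" as moid\
| mvexpand Snapshots \
| multilevelsnapshots Snapshots filename\
| eval filename=mvindex(fields,0) \
| eval filetype=mvindex(fields,1) \
| eval filesize=mvindex(fields,2) \
| rename filename as filename_merged, snapshot_name as ssname, snapshot_descr as ssdescr, snapshot_time as sstime, snapshot_state as ssstate, snapshot_depth as ssdepth\
| rex field=filename_merged "\[(?<filedatastore>.*)\] (?<filename>.*)"\
| table _time, moid, type, host, filesize, filetype, filename, ssname, ssdescr, sstime, ssstate, ssdepth, info_max_time, filedatastore\
| sort 0 -_time\
| eval ssdepth=if(ssdepth==0, null(), ssdepth)\
| eval ssname=if(ssname=="N/A", null(), ssname)\
| eval ssdescr=if(ssdescr=="N/A", null(), ssdescr)\
| eval sstime=if(sstime=="N/A", null(), sstime)\
| eval ssstate=if(ssstate=="N/A", null(), ssstate)\
| stats first(ssname) AS snapshotName, first(ssdescr) AS snapshotDescr, first(sstime) AS snapshotTime, first(ssstate) AS snapshotState, first(ssdepth) AS snapshotDepth, first(filedatastore) AS filedatastore, first(filesize) AS filesize, first(filetype) AS filetype, max(info_max_time) AS info_max_time by _time, filename, host, moid \
| search filename="*.vmsn" OR filename="*.vmsd" OR filename="*.vmdk" \
| lookup FullHierarchy host, moid OUTPUT parent as hs, rp\
| lookup FullHierarchy host, moid as hs OUTPUT parent, parentType\
| eval ccr=if(parentType=="ClusterComputeResource", parent, "N/A")\
| fields - parent, parentType, info_max_time
iseval = 0

# Eval expression that renders a byte count as "<n> GB", "<n> MB", "<n> KB" or
# "<n> Bytes". Thresholds are strict (>), and the KB branch rounds to a whole
# number while GB and MB keep two decimals.
[format_bytes(1)]
args = bytes
definition = if($bytes$>1073741824, tostring(round($bytes$/1073741824,2))+" GB", if($bytes$>1048576, tostring(round($bytes$/1048576,2))+" MB", if($bytes$>1024, tostring(round($bytes$/1024))+" KB", tostring($bytes$)+" Bytes")))

# Eval expression that converts a byte count to gigabytes (two decimals) as a string.
[BytesToGigaBytes(1)]
args = bytes
definition = tostring(round(($bytes$)/(1024*1024*1024), 2))

# vCenter log and license sourcetypes, scoped to the vclog index macro.
[VcLogSourcetypes]
definition = `vmwarevclog-index` (sourcetype=vmware:vclog* OR sourcetype=vmware:vclicense)

# Matches private (RFC 1918) addresses plus the loopback address 127.0.0.1.
# The RFC 1918 blocks are 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. The
# previous masks (172.16.0.0/16, 192.168.0.0/24) covered only a slice of the
# second and third blocks, so addresses such as 172.20.x.x or 192.168.1.x were
# treated as routable by every search using this macro.
# Link-local (169.254.0.0/16) and the rest of 127.0.0.0/8 are not matched.
[nonroutableIP]
definition = (ipAddress=10.0.0.0/8 OR ipAddress=172.16.0.0/12 OR ipAddress=192.168.0.0/16 OR ipAddress=127.0.0.1)

# Index macros. All six resolve to the same index, so retention and role-based
# index access cannot differ between performance, inventory, task/event, log
# and ONTAP data unless these definitions are split.
[vmwareperf-metrics-index]
definition = index=idx_m-tic_esxi

[vmwareinv-index]
definition = index=idx_m-tic_esxi

[vmwaretaskevent-index]
definition = index=idx_m-tic_esxi

[vmwarevclog-index]
definition = index=idx_m-tic_esxi

[vmwareesxilog-index]
definition = index=idx_m-tic_esxi

[ontap-index]
definition = index=idx_m-tic_esxi

# Keeps rows whose [startTime, endTime] interval overlaps the search window.
# Rows with current == "true" are also kept when the window ends within the
# last 60 seconds. An open-ended upper bound ("+Infinity") becomes now plus
# 315569260 seconds (roughly ten years) before the comparison.
[HandleNavTimerange]
definition = addinfo | eval info_max_time=if(info_max_time="+Infinity",now()+315569260,info_max_time) | where ((info_min_time > startTime) AND (info_min_time < endTime)) OR ((info_max_time > startTime) AND (info_max_time < endTime)) OR ((info_min_time < startTime) AND (info_max_time > startTime)) OR ((info_min_time < endTime) AND (info_max_time > endTime)) OR (((now() - 60) < info_max_time) AND (current == "true"))

# Adds the search-time bounds and replaces an open-ended upper bound with now
# plus 315569260 seconds (roughly ten years).
[HandleInfoMaxTime]
definition = addinfo | eval info_max_time=if(info_max_time="+Infinity",now()+315569260,info_max_time)

# Adds the search-time bounds and replaces an open-ended upper bound with the
# current time.
[HandleInfoMaxTimeNow]
definition = addinfo | eval info_max_time=if(info_max_time="+Infinity",now(),info_max_time)

# Subsearch that returns "latest=... earliest=..." time modifiers. If the
# selected window is shorter than 14400 seconds (four hours), earliest is
# moved back to four hours before the window's end. Otherwise the selected
# bounds are used as they are.
[HandleFourHourWindowEndConditional]
definition = [| stats count | `HandleInfoMaxTimeNow` | eval starttimeu=if(info_max_time-info_min_time < 14400, info_max_time-14400, info_min_time) | eval endtimeu=info_max_time | eval search=("latest=" + endtimeu + " earliest=" + starttimeu) | fields search]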