One thing that I absolutely love about vRealize Network Insight (vRNI) is that the entire database is open by default and that the search bar is powered by Elasticsearch. That means that you can type in pretty advanced search queries and basically query everything that vRNI collects. The query itself is written in natural language, so you don’t have to be an expert to use it. You can get really creative as well, getting output you would have a hard time seeing without using the search. To give you some examples, below you can find my cheatsheet with searches I use on a regular basis.

Search Engine

Inside the natural language on the search bar, there’s an auto completion feature which lists (almost) all available keywords and content which you can use. There are a couple of keywords and operators which are good to know, which are listed below.

| Keyword / Operator | Description |
| --- | --- |
| where | Create a limitation |
| Keyword = | Where the keyword is equal to |
| Keyword > | Where the keyword is greater than (metrics) |
| Keyword < | Where the keyword is smaller than (metrics) |
| Keyword >= | Where the keyword is greater than or equal to (metrics) |
| Keyword <= | Where the keyword is smaller than or equal to (metrics) |
| and | Add multiple strict limitations (VM where Tag = ‘Web’ AND = ‘App’) |
| or | Search for different limitations (VM where Name = ‘Web’ OR VM Name = ‘App’) |
| like | |
| of | Look for something related to something else (Datastores of VM ‘Web’) |
| max() | Look for the maximum value (max(Memory Consumed) of VM) |
| sum() | Show the sum of values (sum(Memory Consumed) of VMware VM where Host = ‘esxi01.lab’) |

Search Queries

Virtual Machines

Get a list of VMs with a certain OS:
vm where Operating System = 'Microsoft Windows Server 2012 (64-bit)'

Look for VMs with a CPU ready rate higher than 1%
vm where CPU Ready Rate > 1%

List VMs with a write latency higher than 5ms
vm where Write Latency > 5ms

List all VMs which have 2 or more snapshots
vm where Num Snapshots >= 2

Get an overview of all VMs and their: attached network, VLAN ID, IP address(es), default gateway & mac address(es)
L2 Network, vlan, ip address, default gateway, mac address of vms

List all VMs in a certain VLAN ID (Replace vlan with vxlan when using NSX).
vm where vlan = 20

List all VMs in a vSphere Distributed Portgroup
vm where Dvpg = 'Servers_VLAN20'

Find a VM based on a MAC address
00:50:56:ad:3f:94

ESXi Hosts

Show the different ESXi versions in the environment and how many hosts have that version
host group by OS

Quick graphical overview of the host performance
cpu, memory, disk of hosts

List each host and the amount of VMs they have
vm group by host

Get the hosts that generate the most network traffic
network rate of host order by Max Network Rate

Get the maximum utilised host
max(CPU Usage Rate), max(memory utilization) of Host

Network Traffic

Show all traffic that’s going to physical devices inside the datacenter
flows where Flow Type = 'VM-Physical' by bytes

Show the same thing as above, but show total amount in bytes:
sum(total bytes) of flow where Flow Type = 'VM-Physical'

Show all traffic going from internal to the internet
flows where Flow Type = 'Src is VM' and Flow Type = 'Dst is Internet' by bytes

Show the total amount of traffic (in bytes) that the VMs pulled down from the internet
sum(bytes) of flows where Flow Type = 'Src is Internet' and Flow type = 'Dst is VM'

In a dual datacenter setup, where you have two vCenters – show how much traffic is running between the two datacenters
sum(bytes) of flows where Dst Manager = 'vcenter-dc01.corp.local' and Source Manager = 'vcenter-dc02.corp.local'

Show the total amount of VXLAN traffic:
sum(bytes) of flows where Flow Type = 'Src is VTEP' or flow type = 'Dst is VTEP'

Show the amount of VXLAN traffic grouped per VTEP IP address (vmkernel port on the ESXi hosts)
sum(bytes) of flows where Flow Type = 'Src is VTEP' or flow type = 'Dst is VTEP' group by src ip

Show traffic totals grouped by IP address (top talkers)
sum(bytes) of flows group by src ip

Show traffic totals grouped by Port number (top talkers)
sum(bytes) of flows group by dst port

Show all traffic flows from application container Oracle to application container Webfrontend
flows where Source Application = 'Oracle' and Destination Application = 'Webfrontend'

Show all internet traffic flows to a specific country
flows where Destination Country = 'United States'

Network Information

Show routes of a specific NSX Edge (both ESG & DLR)
routes where vrf = 'TL-ESG-01'

Show a list of all networks (port groups) and count how many VMs are attached
vm group by l2 network

List all VMs impacted by a specific firewall rule
vm where Firewall Rule = 'Allow HTTP from internet'

List all VMs with a specific NSX Security Tag
vm where Security Tag = 'ST-Allow-PING'

Show firewall rules where all service ports are allowed
firewall rule where Action = 'ALLOW' and Service Any = true

List NSX controllers and which VXLANs they are responsible for
controller of Vxlan group by controller

Show all routes which have a specified next hop
route where NextHop Router = '3TA-Edge01'

Micro-Segmentation Planning

Generate a report for all flows except for NFS traffic
plan flows where port.ianaPortDisplay != '2049 [nfs]'

Show report for all flows to a web tier and on port 80
plan flows where port.ianaPortDisplay = '80 [http]' and L2 Network = '3TA-Web'

Show report for all flows happening inside a specific AWS VPC
plan flows where AWS VPC = 'MyVPC'

Storage Information

Show all datastores with a write latency higher than 5ms
datastore where Write Latency > 5ms

List all datastores and their VM count
vm group by datastore

List all datastores with a usage percentage higher than 80%
datastore where Used Space Percent > 80%

List all datastores on a specific NAS
datastore where NAS Server Name = '10.9.0.10'

That’s it for now. Let me know if you have any other interesting searches I can add!


