vRealize Network Insight Search Cheatsheet

One thing that I absolutely love about vRealize Network Insight (vRNI) is that the entire database is open by default and that the search bar is powered by Elasticsearch. That means that you can type in pretty advanced search queries and basically query everything that vRNI collects. The query itself is written in natural language, so you don’t have to be an expert to use it. You can get really creative as well, getting output you would have a hard time seeing without using the search. To give you some examples, below you can find my cheatsheet with searches I use on a regular basis.

Search Engine

The search bar has an auto-completion feature which lists (almost) all available keywords and content you can use. A couple of keywords and operators are good to know; they are listed below.

| Keyword / Operator | Description |
| --- | --- |
| where | Create a limitation |
| Keyword = | Where the keyword equals |
| Keyword > | Where the keyword is greater than (metrics) |
| Keyword < | Where the keyword is smaller than (metrics) |
| Keyword >= | Where the keyword is greater than or equal to (metrics) |
| Keyword <= | Where the keyword is smaller than or equal to (metrics) |
| and | Add multiple strict limitations (VM where Tag = 'Web' AND = 'App') |
| or | Search for different limitations (VM where Name = 'Web' OR VM Name = 'App') |
| like | |
| of | Look for something related to something else (Datastores of VM 'Web') |
| max() | Look for the maximum value (max(Memory Consumed) of VM) |
| sum() | Show the sum of values (sum(Memory Consumed) of VMware VM where Host = 'esxi01.lab') |

Search Queries

Virtual Machines

Get a list of VMs with a certain OS:

    vm where Operating System = 'Microsoft Windows Server 2012 (64-bit)'

Look for VMs with a CPU ready rate higher than 1%:

    vm where CPU Ready Rate > 1%

List VMs with a write latency higher than 5ms:

    vm where Write Latency > 5ms

List all VMs which have 2 or more snapshots:

    vm where Num Snapshots >= 2

Get an overview of all VMs and their attached network, VLAN ID, IP address(es), default gateway & MAC address(es):

    L2 Network, vlan, ip address, default gateway, mac address of vms

List all VMs in a certain VLAN ID (replace vlan with vxlan when using NSX):

    vm where vlan = 20

List all VMs in a vSphere Distributed Portgroup:

    vm where Dvpg = 'Servers_VLAN20'

Find a VM based on a MAC address:

    00:50:56:ad:3f:94

ESXi Hosts

Show the different ESXi versions in the environment and how many hosts have each version:

    host group by OS

Quick graphical overview of the host performance:

    cpu, memory, disk of hosts

List each host and the number of VMs it has:

    vm group by host

Get the hosts that generate the most network traffic:

    network rate of host order by Max Network Rate

Get the most heavily utilised host:

    max(CPU Usage Rate), max(memory utilization) of Host

Network Traffic

Show all traffic that’s going to physical devices inside the datacenter:

    flows where Flow Type = 'VM-Physical' by bytes

Show the same thing as above, but show the total amount in bytes:

    sum(total bytes) of flow where Flow Type = 'VM-Physical'

Show all traffic going from internal to the internet:

    flows where Flow Type = 'Src is VM' and Flow Type = 'Dst is Internet' by bytes

Show the total amount of traffic (in bytes) that the VMs pulled down from the internet:

    sum(bytes) of flows where Flow Type = 'Src is Internet' and Flow type = 'Dst is VM'

In a dual datacenter setup, where you have two vCenters, show how much traffic is running between the two datacenters:

    sum(bytes) of flows where Dst Manager = 'vcenter-dc01.corp.local' and Source Manager = 'vcenter-dc02.corp.local'

Show the total amount of VXLAN traffic:

    sum(bytes) of flows where Flow Type = 'Src is VTEP' or flow type = 'Dst is VTEP'

Show the amount of VXLAN traffic grouped per VTEP IP address (vmkernel port on the ESXi hosts):

    sum(bytes) of flows where Flow Type = 'Src is VTEP' or flow type = 'Dst is VTEP' group by src ip

Show traffic totals grouped by IP address (top talkers):

    sum(bytes) of flows group by src ip

Show traffic totals grouped by port number (top talkers):

    sum(bytes) of flows group by dst port

Show all traffic flows from application container Oracle to application container Webfrontend:

    flows where Source Application = 'Oracle' and Destination Application = 'Webfrontend'

Show all internet traffic flows to a specific country:

    flows where Destination Country = 'United States'

Network Information

Show routes of a specific NSX Edge (both ESG & DLR):

    routes where vrf = 'TL-ESG-01'

Show a list of all networks (port groups) and count how many VMs are attached:

    vm group by l2 network

List all VMs impacted by a specific firewall rule:

    vm where Firewall Rule = 'Allow HTTP from internet'

List all VMs with a specific NSX Security Tag:

    vm where Security Tag = 'ST-Allow-PING'

Show firewall rules where all service ports are allowed:

    firewall rule where Action = 'ALLOW' and Service Any = true

List NSX controllers and which VXLANs they are responsible for:

    controller of Vxlan group by controller

Show all routes which have a specified next hop:

    route where NextHop Router = '3TA-Edge01'

Micro-Segmentation Planning

Generate a report for all flows except for NFS traffic:

    plan flows where port.ianaPortDisplay != '2049 [nfs]'

Show report for all flows to a web tier and on port 80:

    plan flows where port.ianaPortDisplay = '80 [http]' and L2 Network = '3TA-Web'

Show report for all flows happening inside a specific AWS VPC:

    plan flows where AWS VPC = 'MyVPC'

Storage Information

Show all datastores with a write latency higher than 5ms:

    datastore where Write Latency > 5ms

List all datastores and their VM count:

    vm group by datastore

List all datastores with a usage percentage higher than 80%:

    datastore where Used Space Percent > 80%

List all datastores on a specific NAS:

    datastore where NAS Server Name = '10.9.0.10'

That’s it for now. Let me know if you have any other interesting searches I can add!