Constructing Search Queries for vRealize Network Insight

One of the most used features of vRealize Network Insight is its search interface. It provides an easy way for administrators to locate the information they’re looking for, especially when the volume of objects being monitored makes manual browsing impractical. What you might not realize, however, is that the search interface allows you to enter more than just keywords. You can construct advanced queries to help you locate exactly the information you’re seeking.

Advanced queries are largely built around the use of aggregation functions that are combined with the use of filters. The supported aggregation functions include Sum (the combined total of values), Min (the minimum value), Max (the maximum value), and Avg (the mean of the values).

The Sum Function

To use the aggregation functions, you simply specify the function you want to use along with the output metric (such as bytes) and the query returning the objects that you want to measure. Suppose, for instance, you wanted to find out which VMs were generating the most network traffic, as well as how much traffic each of those VMs was producing. One way to find out would be through a query like this one:

  Sum(bytes) of flows group by src vm

If you wanted to take things a step further, you could extend the query to reveal not only which VMs are generating the most network traffic, but also which VMs are receiving the most traffic. Here’s an example of such a query:

  Sum(bytes) of flows group by src vm, dest vm order by sum(bytes)

The Count Function

Although not an aggregation function, the Count function is also useful. It returns the number of results that match a query. Suppose for instance that you want to know how many VMs exist on your network. You could easily find out by using this command:

  Count of VM

Of course, this is a really simple example. In the real world, it’s probably going to be more useful to combine the Count function with a filter. This would allow you to gather a count of objects that match a specific condition. For example, you might use the Count function to determine how many VMs are running unsupported guest operating systems such as Windows Server 2008. Here’s an example of such a query:

  Count of VM where Operating System like 'Microsoft Windows Server 2008'

The Or Operator

You could take this concept a step further by using the Or operator to simultaneously look for other unsupported operating systems. If, for instance, you wanted to look for VMs running either Windows Server 2008 or Windows Server 2003, you could use this command:

  Count of VM where Operating System like 'Microsoft Windows Server 2008' or Operating System like 'Microsoft Windows Server 2003'

Keep in mind that because the Count function is being used, this command only returns the number of VMs that are running either Windows Server 2008 or Windows Server 2003. It doesn’t return the VM names. For that you would need to omit the Count function and instead use a command like this:

  VM where Operating System like 'Microsoft Windows Server 2008' or Operating System like 'Microsoft Windows Server 2003'

Examining Network Traffic

Because vRealize Network Insight is aware of the various objects on your network, it’s possible to examine network traffic flow by application or by function. Imagine, for example, that you wanted to find out how much traffic your CRM application was generating. You could easily construct a query to measure the flow based on the application. Here’s an example of what such a query might look like:

  Sum(bytes) of flows where application = 'CRM'

As useful as this technique might be, there are likely to be multiple types of traffic associated with the use of a CRM application. For example, there is traffic associated with user activity, database queries, and data being returned from the database. However, it is possible to construct a search query that examines a specific type of traffic for a specific application. Suppose, for instance, you wanted to look at the traffic that your CRM application is sending to its back-end database. To do so, you could construct a query that chains several conditions together with the And operator, examining the application, the traffic source, and the traffic destination. Here’s what such a query might look like:

  Flow where source application = 'CRM' and src tier = 'App' and destination tier = 'DB'

Conclusion

As you can see, vRealize Network Insight’s search interface is extremely powerful, and this blog post only scratches the surface of what’s possible. VMware provides excellent documentation for its search interface here.

If you would like to see more examples, check out the Search Posters.

By: Brien M. Posey