vRealize Network Insight Sample Search Queries

Products

VMware Aria Operations for Networks

Issue/Introduction

This articles provide sample vRealize Network Insight search queries

Environment

VMware vRealize Network Insight 3.x
VMware vRealize Network Insight 2.x

Resolution

Below mentioned are few search queries which are used in vRealize Network Insight

Flow Related Queries

Show VMs per L2 segment (can restrict with where vlan = xyz). Replace vlan with vxlan if using logical switches.

vm by vlan where vlan = “xyz”

Show a list of VMs with their gateway, network, VLAN etc:

L2 Network , vlan, ip address, default gateway of vms

Search a MAC address or IP address. Just type the address into the search bar.

00:50:56:a6:31:cc

Show me all network traffic going to the internet

flows where Flow Type = 'Src is VM' and Flow Type = 'Dst is Internet' by bytes

Show me all network traffic going to physical

flows where Flow Type = 'VM-Physical' by bytes

Show me the same thing, but totals:

sum(total bytes) of flow where Flow Type = 'VM-Physical'

Say you have two data centres (separate vCenter per site). Show me traffic totals between them (i.e. DCI link utilisation)

sum(bytes) of flows where (Dst Manager = 'abc' AND src manager = 'cba') OR (Dst Manager = 'cba' AND src manager = 'abc')

Total amount of VTEP traffic:

sum(bytes) of flows where Flow Type = 'Src is VTEP' or flow type = 'Dst is VTEP'

VTEP traffic grouped by VMkernel IP (Can’t see this in the vRNI demo labs – has to be in a real life lab):

sum(bytes) of flows where Flow Type = 'Src is VTEP' or flow type = 'Dst is VTEP' group by src ip

Show internet traffic totals for every src IP

sum(bytes) of flows where Flow Type = Internet' group by src ip

Series of 3 days where each point is an aggregate of 2 hours (7200 seconds) of metrics. The aggregate function being applied is supplied in the query – max, sum etc.

series(max(byte rate), 7200) of flows where flow type = 'Src is Physical' and flow type = 'Dst is Internet' in last 3 days

Find switch-ports or router-interface having packet drops

show Max Packet Drops, total packet drop ratio, network Rate of Switch Ports by Total Packet Drop Ratio

Network rate of all hosts (ordered by the highest)

network rate of host order by Max Network Rate

Show total flows grouped by ports

sum(bytes) of flow group by port

Look at Internet flows grouped by port with traffic totals:

sum(bytes) of flows where Traffic Type = 'INTERNET_TRAFFIC' group by port

Information About VMs

Show which network segments have the highest VM count:

vm group by l2 network

Which datastores have highest VM count:

vm group by datastore

ESX Host Information

Show me a list vSphere versions installed in the environment and a total of hosts:

host group by version

Show me a list of vSphere builds and how many hosts they have:

host group by OS

Show me hosts with how many VMs they contain:

vm group by host

Firewall rules

Show rules which have an any source (can combine with specific port if you like)

vm where incoming rules.Source Any

Show VMs with an affected rule of xyz

vm where Firewall Rule = 'Prod MidTier to Prod DB - DBService'

Show firewall rules where any port is allowed

firewall rule where action = allow and service any = true

Not operator:
!=
Not like

Aggregations:

max(byte rate) of flows
sum(total bytes)
sum(bytes)
avg(CPU Usage Rate), avg(memory utilization) of VMs

Troubleshooting

Show which VNIs my controllers are responsible for:

controller of Vxlan group by controller

Which controller is responsible for my Prod-Midtier segment

Primary Controller of Vxlan 'Prod-Midtier'

Where is my Prod-Midtier-1 VM and what info do I want to know about it (i.e. MAC, IP, host it’s on)?

mac address, ip, vxlan, host of vm 'Prod-Midtier-1'

Show routes for Provider edge 3:

routes where vrf = 'Provider Edge 3'

Show routes of DMZ DLR:

routes where VRF = 'LDR-DMZ'