Discover Guest OS Crashes with vRLI and send Alerts to vROps!
Updated: Apr 27, 2022
We've deployed vRLI, configured our vCenters and ESXi Hosts to send logs to it and now we want to use it to find VMs that have crashed. Let's do it!
Go to Interactive Analytics and search for "guest operating system has crashed".
I've found five log entries with this string since I started collecting data (notice the All time dropdown top right). As you hover over the Source you'll see the log source.
You can also colorize by source by clicking the source link, which is quite helpful when you have dozens or hundreds of log entries and you'd like to highlight just those from a single source.
Now that we've found the logs, let's start generating Alerts on them and send them over to vROps. In the top right, go to Create Alert from Query.
Once there, you'll be able to define your Alert.
I've called mine Guest Operating System Crashed and configured it to send an Alert to vROps when a single log entry containing "guest operating system crashed" appears over any 5-minute interval. The Alert will be Critical, and a Fallback object has been configured in case the object the Alert is sent for isn't in vROps. Click SAVE to save your new Alert. Click SEND TEST ALERT to run a test; mine ran successfully, was sent to vROps and looks like this.
Next, let's add it to our Environment Overview Dashboard. Click the little dashboard icon between the star and the bell icon.
Give it a Name, the Dashboard you want to add it to (in my case Environment Overview), the Widget Type you'd like to use, and optional Notes.
Click ADD. Now let's check the Environment Overview Dashboard. Go to Dashboards - My Dashboards - Environment Overview and you'll see the new widget showing Guest OS Crashes over time.
The same technique can be used for any query you want: ESXi host has crashed, Certificate Expiration, Lost datastore connection, ESXi core dump detected, etc. For more information on vRLI and to request a trial, go here.
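To make the alert rule above concrete, here is an added example (not from the original post and not vRLI code) that applies the same logic offline: match the search phrase, fire one Critical alert per object per 5-minute window, and fall back to a default object when the VM is not in the inventory. The log line layout, the case-insensitive match, the per-window suppression, the inventory set and the `fallback-object` name are all assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

PHRASE = "guest operating system has crashed"  # search string used in the post
WINDOW = timedelta(minutes=5)                  # alert interval used in the post
FALLBACK = "fallback-object"                   # hypothetical fallback object name

# Constructed sample lines (timestamp, source, vm, text); not real vRLI output.
SAMPLE = """\
2022-04-27T10:00:12Z vcenter01 vm=app01 The guest operating system has crashed.
2022-04-27T10:02:40Z vcenter01 vm=app01 The guest operating system has crashed.
2022-04-27T10:03:05Z vcenter01 vm=db02 Guest OS heartbeat restored
2022-04-27T10:09:30Z vcenter02 vm=lab07 The Guest Operating System has crashed.
2022-04-27T10:20:00Z vcenter01 vm=app01 The guest operating system has crashed.
"""

LINE = re.compile(r"(\S+) (\S+) vm=(\S+) (.*)")


def evaluate(text, inventory, phrase=PHRASE, window=WINDOW):
    """Return one Critical alert per target object per window with >= 1 match."""
    alerts, last_fired = [], {}
    for raw in text.splitlines():
        m = LINE.match(raw)
        # Assumption: phrase matching is case-insensitive.
        if not m or phrase.lower() not in m.group(4).lower():
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        source, vm = m.group(2), m.group(3)
        # Objects unknown to the monitoring inventory go to the fallback object.
        target = vm if vm in inventory else FALLBACK
        prev = last_fired.get(target)
        if prev is not None and ts - prev < window:
            continue  # already alerted for this object inside the window
        last_fired[target] = ts
        alerts.append({
            "name": "Guest Operating System Crashed",
            "severity": "Critical",
            "time": ts,
            "source": source,
            "object": target,
        })
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE, inventory={"app01", "db02"}):
        print(alert["time"], alert["severity"], alert["source"], alert["object"])
```

The second `app01` entry is suppressed because it falls inside the same 5-minute window as the first, while `lab07` is routed to the fallback object.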