Searching Index Partitions in vRLI 8.8!
Updated: Nov 10, 2022
VMware vRealize Log Insight (vRLI) 8.1 introduced Index Partitions with customizable retention periods, giving us the ability to put logs in certain partitions and keep them as long as we'd like.
vRLI 8.4 gave us the ability to archive individual Index Partitions via NFS.
vRLI 8.8 brings us the ability to query Index Partitions! Before digging into this new feature, let's take a step back and look at the larger picture.
Index Partitions are generally used for disparate logs, logs with varying retention requirements, and for performance reasons. To illustrate this point, I've created four Index Partitions based on tags.
I created two VIPs: one for Citrix NetScaler and the other for NetApp. I'm sending logs from each via Syslog to vRLI and tagging them accordingly upon ingestion.
I'm generating Oracle Database logs via the vRLI Agent and adding tags to them upon ingestion as well.
I even tag my vCenter and ESXi Host logs, which I'm putting in the Default Index Partition.
Now that we've tagged everything, we can create Index Partitions based on those tags.
I've created an Index Partition for each log source: Citrix NetScaler, NetApp, and Oracle Database to augment the Default Index Partition being used for all vCenter and ESXi Host logs. Each Index Partition can have its own retention period and archive location.
As of vRLI 8.8, we now have the ability to query those Index Partitions via the _index field, improving our ability to search for logs. In the Explore Logs tab, click ADD FILTER. From the first field dropdown, select _index.
This is the Index Partition identifier, which will allow you to point your query at just that Index Partition.
Select the Index Partition you want. In my case, I've chosen Oracle_Database_Logs because I am looking for Oracle-specific logs.
Querying just the Index Partition you want will speed up your query results for even faster discovery. For everything new in vRLI 8.8 check out the What's New Blog here. For more general information and the ability to request a vRLI trial go here.