VMware vRealize Log Insight 202
Updated: Apr 27, 2022
Our last VMware vRealize Log Insight (vRLI) blog focused on dashboards, specifically those out of the box. This blog will focus on the dashboard construct itself, the five widgets available for use in dashboards, and the Interactive Analytics tab.
Interactive Analytics is the most powerful and most frequently used tab in vRLI. Starting at the top, it shows the raw number of events over time, be they vCenter events, ESXi host log entries, or anything else coming into vRLI. The default chart type is the bar chart, but you can select other chart types from the Chart Type dropdown.
If you like what you see, you can add this chart to a dashboard by clicking the Add to Dashboard icon at the top right. You can also click the Snapshot icon, which takes a snapshot of the chart and allows you to add it, along with other previously saved snapshots, to an existing dashboard. This gives you the ability to add multiple charts to a dashboard at once.
Below the chart you have a list of all events/logs; this is the raw data vRLI knows about. You can filter what you see in several different ways. The first is the filter bar; here I'm looking for all entries containing the string 10.176.152.107.
The chart at the top reflects the number of these events/logs over the selected time period. Below the search bar you'll find all entries containing the string. The Events tab shows the raw data. The little gear icon top left of each event offers several other filtering opportunities and the ability to jump to vRealize Operations (vROps) for inspection of the object associated with this event/log.
The Field Table tab shows these same events/logs in a table format. I like this view because it's a bit cleaner and you can add/remove columns.
The Event Types tab shows these same events/logs in terms of type. The gear icon is also available here for additional filtering, highlighting, and charting. Documentation here: https://docs.vmware.com/en/VMware-vRealize-Log-Insight-Cloud/services/User-Guide/GUID-F662C5C5-39B8-40D8-9A35-2E466FCF9121.html
The Event Trends tab shows these same events/logs by trend, i.e., those that have been coming in fastest/latest. The gear icon is available here for additional filtering, highlighting, and charting. There will also be an up arrow, equal sign, or down arrow indicating the trend of the particular event versus the baseline. Documentation here: https://docs.vmware.com/en/VMware-vRealize-Log-Insight-Cloud/services/User-Guide/GUID-3A7D238D-64CF-4E98-8532-02B7F21E27F4.html
To the right of the search bar, there are four small tiles: star, dashboard, bell, and query box.
The first one (the star with the plus sign) creates a favorite of your current query.
Once saved, it's available as a favorite from the favorites dropdown.
The second button (dashboard icon with the plus sign) allows you to add the query to an existing or new dashboard. This is the de facto dashboarding canvas for vRLI.
As you can see, it shows the name of the query, which you can adjust. It prompts you for the dashboard you want the widget added to, or a new one. Then it asks you for the widget type, which is the representation of the query data. There are five types of widgets in vRLI:
Chart - the query list represented as a chart. There are nine chart types: column, line, area, bar, pie, bubble, gauge, table, and scalar. Documentation here: https://docs.vmware.com/en/VMware-vRealize-Log-Insight-Cloud/services/User-Guide/GUID-5BCF8A78-909B-4655-8289-D69F07BFC36F.html
Query List - the query list, what you see in the Events tab. The dashboard widget will show the query name. Clicking on it will redirect you back to the Interactive Analytics tab for that query.
Field Table - the query list of events/logs as a table, what you see in the Field Table tab.
Event Types - the query list of events/logs as an event types table, what you see in the Event Types tab.
Event Trends - the query list of events/logs as an event trends list, what you see in the Event Trends tab.
The third button (the red bell) allows you to create alerts or manage existing alerts, which come with the platform or with a Content Pack.
If you select the first option, Create Alert from Query, you will be presented with the New Alert dialog box.
Give it a Name, Description, and Recommendation. The Notify box provides three options for notification destination:
Email - comma-separated list of email addresses. This requires an SMTP server to be configured via Administration - Configuration - SMTP.
Webhook - space-separated list of webhook URLs. Documentation here: https://docs.vmware.com/en/vRealize-Log-Insight/8.1/com.vmware.log-insight.user.doc/GUID-F853A8A2-3EA3-4570-B500-659504C2E257.html
Send to vRealize Operations Manager - sends an alert to the vROps instance configured in Administration - Integration - vRealize Operations.
The next section, Raise an alert, allows you to tell vRLI when to send alerts. The first radio button sends a notification on every match. The second radio button only sends a notification for alerts seen for the first time in the last 12 hours (the number of hours is configurable). The final option provides even more granularity: here you can notify when you have x alerts over the last y minutes/hours.
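To make the three trigger policies concrete, here is an added example (my own code, not vRLI's implementation) that applies each policy to a constructed list of timestamped events. The query string, the sample events, the 12-hour suppression window and the "3 matches in 5 minutes" threshold are all assumptions chosen for illustration; the functions return the timestamps at which a notification would be raised.

```python
"""Three alert-trigger policies modelled on the 'Raise an alert' options.

Added example: this is not vRLI code, it only mirrors the behaviour the
three radio buttons describe.
"""
from collections import deque
from datetime import datetime, timedelta

# Constructed sample events (timestamp, message); not real vRLI data.
SAMPLE_EVENTS = [
    (datetime(2022, 4, 27, 10, 0, 0), "sshd: Failed password for root from 10.176.152.107"),
    (datetime(2022, 4, 27, 10, 1, 0), "sshd: Accepted publickey for admin from 10.0.0.5"),
    (datetime(2022, 4, 27, 10, 2, 0), "sshd: Failed password for root from 10.176.152.107"),
    (datetime(2022, 4, 27, 10, 3, 0), "sshd: Failed password for root from 10.176.152.107"),
    (datetime(2022, 4, 27, 10, 30, 0), "sshd: Failed password for root from 10.176.152.107"),
    (datetime(2022, 4, 27, 23, 0, 0), "sshd: Failed password for root from 10.176.152.107"),
]

# Assumed query string and window sizes (illustrative values).
QUERY = "Failed password"
FIRST_SEEN_WINDOW = timedelta(hours=12)   # the configurable "last N hours"
THRESHOLD_COUNT = 3                        # x alerts ...
THRESHOLD_WINDOW = timedelta(minutes=5)    # ... over the last y minutes


def on_every_match(events, query):
    """Option 1: raise a notification for every matching event."""
    return [ts for ts, msg in events if query in msg]


def on_first_seen(events, query, window=FIRST_SEEN_WINDOW):
    """Option 2: notify only when the query has not fired within `window`.

    A burst of identical matches produces one notification; the next one is
    raised only after the suppression window has elapsed.
    """
    notified = []
    last_notified = None
    for ts, msg in events:
        if query not in msg:
            continue
        if last_notified is None or ts - last_notified >= window:
            notified.append(ts)
            last_notified = ts
    return notified


def on_threshold(events, query, count=THRESHOLD_COUNT, window=THRESHOLD_WINDOW):
    """Option 3: notify when at least `count` matches fall inside `window`.

    A sliding window of recent match times is kept; once it holds `count`
    entries a notification is raised and the window is reset so one burst
    yields a single notification rather than one per extra match.
    """
    recent = deque()
    notified = []
    for ts, msg in events:
        if query not in msg:
            continue
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()          # drop matches older than the window
        if len(recent) >= count:
            notified.append(ts)
            recent.clear()
    return notified


if __name__ == "__main__":
    print("every match :", [t.strftime("%H:%M") for t in on_every_match(SAMPLE_EVENTS, QUERY)])
    print("first seen  :", [t.strftime("%H:%M") for t in on_first_seen(SAMPLE_EVENTS, QUERY)])
    print("threshold   :", [t.strftime("%H:%M") for t in on_threshold(SAMPLE_EVENTS, QUERY)])
```

With the sample data, option 1 fires five times, option 2 fires at 10:00 and again at 23:00 (the 10:02, 10:03 and 10:30 matches fall inside the 12-hour window), and option 3 fires once at 10:03, when the third failure lands within five minutes of the first; the lone 10:30 and 23:00 failures never reach the threshold. That is the practical difference between the three options: the first is noisy, the second deduplicates, the third only reacts to bursts.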
The second option for the third button (the red bell) is Manage Alerts. This allows you to manage/edit all existing alerts, i.e., alerts that come out of the box or with Content Packs.
The fourth and final button in the pane is the ability to share/export queries.
The first option, Export Event Results, gives a dialog box to export query results. If your query has more than 20,000 results, you'll be presented with the full dialog box you see here. If your query has fewer than 20,000 results, you'll see a truncated version of this same dialog allowing for local downloads only.
It allows you to export the query results in one of three formats: TXT, JSON, or CSV. It provides a vRLI task name (the export task can be canceled), an NFS storage path (if you'd like to send the results there), and an Email field to be used for notification when the export is completed/canceled.
The second option, Export Chart Data, exports the data in the chart at the top of the Interactive Analytics tab. The available formats are CSV or JSON.
The third option, Share Query, provides a link for the query that you can share with others. The format is a URL.
The last part of the Interactive Analytics tab is the Fields pane on the right-hand side of the UI.
The list of fields represents the fields comprising the events you see in the query output. As you hover over them in the right pane, they will be highlighted in the events tab. If you click the plus icon to the left of a field it'll reveal a bar chart showing how many instances of that particular field are represented in the query. If you click the eye icon to the right of a field it'll reveal the details around that field: name, regex, regexes, etc.
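As an added illustration of what the Fields pane is doing (my own example, not vRLI code), the block below models extracted fields as name/regex pairs, applies them to a few constructed log lines, filters by the same substring used in the filter bar earlier, and tallies the values of one field the way the bar chart behind the plus icon does. The log lines, field names and regexes are all assumptions made up for the example.

```python
"""Extracted fields as name -> regex pairs, applied to constructed log lines.

Added example, not vRLI code: it mirrors the ideas of the filter bar
(substring match), the Field Table (one row per event with one column per
extracted field) and the per-field bar chart (value counts).
"""
import re
from collections import Counter

# Constructed sample log lines; not real vRLI output.
SAMPLE_LOGS = [
    "2022-04-27T10:00:01Z esx01 sshd: Failed password for root from 10.176.152.107",
    "2022-04-27T10:00:05Z esx02 sshd: Accepted publickey for admin from 10.0.0.5",
    "2022-04-27T10:00:09Z esx01 sshd: Failed password for root from 10.176.152.107",
    "2022-04-27T10:00:12Z vcsa01 vpxd: Task completed: CreateSnapshot on vm-42",
    "2022-04-27T10:00:20Z esx02 sshd: Failed password for admin from 10.176.152.107",
]

# Assumed extracted fields: each is the name/regex pair the eye icon reveals.
# The named group "value" is what becomes the field's value.
EXTRACTED_FIELDS = {
    "hostname": r"^\S+ (?P<value>\S+) ",
    "src_ip": r"from (?P<value>\d{1,3}(?:\.\d{1,3}){3})",
    "user": r"for (?P<value>\w+) from",
}


def filter_events(lines, needle):
    """Filter bar: keep only lines containing the literal string."""
    return [line for line in lines if needle in line]


def extract_fields(line, fields=EXTRACTED_FIELDS):
    """Apply every field regex to one line; fields that do not match are absent."""
    row = {}
    for name, pattern in fields.items():
        match = re.search(pattern, line)
        if match:
            row[name] = match.group("value")
    return row


def field_table(lines, fields=EXTRACTED_FIELDS):
    """Field Table view: one dict per event, one key per extracted field."""
    return [extract_fields(line, fields) for line in lines]


def field_value_counts(lines, field_name, fields=EXTRACTED_FIELDS):
    """Bar chart behind the plus icon: how often each value of a field occurs."""
    values = (row[field_name] for row in field_table(lines, fields) if field_name in row)
    return dict(Counter(values))


if __name__ == "__main__":
    hits = filter_events(SAMPLE_LOGS, "10.176.152.107")
    for row in field_table(hits):
        print(row)
    print("src_ip counts:", field_value_counts(SAMPLE_LOGS, "src_ip"))
    print("user counts  :", field_value_counts(hits, "user"))
```

Filtering on 10.176.152.107 keeps three of the five lines; the Field Table for those shows hostname, src_ip and user columns, while the vpxd line (no "from" clause) yields only a hostname, which is why a field's bar chart counts can total fewer than the number of events in the query.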