@mtellin
Last active October 23, 2017 17:17

Infrastructure Queries

  • Show current problems within the monitored environment
    problem

  • Show list of changes within the monitored environment
    change

  • See which Controller is responsible for each VNI
    controller of vxlan group by controller

  • Show Top N dashboards - net usage, CPU usage, IOPS, etc.
    topn

  • Show path a Virtual Machine takes to get to Internet
    vm '<vmname>' to internet

  • Show overall storage dashboard - Performance, # of datastores, # of snapshots etc
    storage

Security and Compliance

  • Plan security for a single VM and only show internet bound traffic
    plan flows where vm = '<vmname>' and traffic type = 'INTERNET_TRAFFIC'

  • Use the plan security view on a subset of VMs; you can filter by Folder Name, Resource Pool, etc.
    plan vm where folder = '<foldername>'

  • View the PCI Compliance dashboard
    Note: This feature requires vRealize Network Insight 3.5 or later and an Enterprise license
    pci compliance of VC Manager '192.168.10.10'

NSX Queries

  • Review Checklist items/failures
    NSX Manager '<nsxmanager>'

NSX Security Group Queries

  • Show Security Group Membership Changes
    security group membership change

NSX Distributed Firewall Queries

  • Show Firewall Rule Membership Changes
    firewall rule membership change

  • Show Virtual Machines Not Protected by DFW
    vm where firewall status = 'Excluded'

  • Show all Virtual Machines that are part of a firewall rule
    vm where firewall rule = '<firewallrulename>'

  • Show applicable firewall rules between 2 Virtual Machines
    firewall rule between vm '<vmname1>' to vm '<vmname2>'

  • Show masked firewall rules
    On the results screen, click the alarm/bell icon in the top right corner to create an alert for any new warnings
    firewall rule masked event

  • Show rules using any/any/any to find candidates for further segmentation. This will display across NSX and 3rd party partner solutions as well.
    firewall rule where source = any and destination = any and service = any and action = allow

  • Show VMs with incoming traffic on a specific port. Click a VM in the search results, then click Configured Firewall Rules to view the firewall rules that apply to that VM.
    vm where incoming port = <portnumber>

NSX IPFix Queries

These queries take advantage of the new functionality in vRealize Network Insight 3.5 that includes IPFix data from NSX.

  • Show blocked flows for an NSX Rule ID
    flow where firewall ruleid = '1010' and firewall action = 'DENY'

  • Show all blocked flows
    flow where firewall action = 'DENY'

ESXi Host Queries

  • Show ESXi hosts sorted by max network rate
    network rate of host order by Max Network Rate

Virtual Machine Queries

  • Show VMs by top talkers
    vm by network rate

  • Another query to show top talkers, limiting to top 10
    flows group by src vm order by sum(bytes) limit 10

  • Show network info for virtual machines
    l2 network, vlan, ip address, default gateway of vms

Networking Queries

  • Search for a known MAC address to find the machine it belongs to
    00:50:56:a6:c9:6a

  • Show sum of traffic between 2 NSX Security Groups sorted by source ESXi host
    sum(bytes rate) of flow where src sg = '<sourcesecuritygroup>' and dst sg = '<destinationsecuritygroup>' group by src host

  • Show sum and average of traffic by port
    sum(bytes), avg(bytes) of flows group by port

  • Similar to above, but also shows the endpoint the traffic was communicating to
    sum(bytes), avg(bytes) of flows group by service endpoint

  • Show Datacenter Interconnect link traffic (2 sites, vCenter Server at each site)
    sum(bytes) of flows where (Dst Manager = 'site2' AND src manager = 'site1') OR (Dst Manager = 'site1' AND src manager = 'site2')

  • Show total internet traffic by source IP
    sum(bytes) of flows where Flow Type = 'Internet' group by src ip

Palo Alto Networks Queries

  • Show events for delays in updating Palo Alto Networks Dynamic Address Groups
    On the results screen, click the alarm/bell icon in the top right corner to create an alert for any new warnings
    Palo Alto Nsx Dynamic Update Event

Physical Network Queries

  • Show all switches
    switches

  • Show all Cisco switches
    switches where vendor = Cisco

  • Show all traffic going to physical sorted by top talkers
    flows where flow type = 'VM-Physical' by bytes

  • Show packet drops in the monitored environment sorted by highest packet drop switchports
    switchport where vendor = '<switchvendor>' order by total packet drops desc
