The search queries runs searches across your entire deployment and enables you to find all types of entities based on the specified search term. Additionally, vRealize Network Insight provides suggestions to build the queries, which includes saved searches and recent searches that match the typed text in the global search bar.

Search queries can be divided into following categories:
  1. Structured Queries

    A structured query consists of the following components:

    • Entity Type: An entity type represents the type of object that we want to search. And it can be either in a singular form or in a plural form. The entity type is mandatory in a structured query.

      Here are some examples:
      1. Virtual machines
      2. Hosts
      3. Flows
      4. MTU Mismatch Alerts
      5. Problems
    • Filters: The syntax for filter is as follows:

      The syntax for condition is as follows:

      A filter clause can be used to filter search results. The condition in a filter clause consists of property, comparison operator, and value. The conditions can be combined with logical operators to form complex conditions. Here is a list of the operators that you can use:
      Operator Examples
      =

      flows where source ip address = '10.16.240.0/24'

      flows where flow type = 'Source is VM'

      != vms where ip address != '10.17.0.0/16'
      >

      vms where memory > 4096 mb

      < vms where cpu usage rate < 70%
      >= vms where memory >= 4096 mb
      <= vms where cpu usage rate <= 70%
      like vms where name like 'app'
      not like

      vms where name not like 'app'

      in

      flows where port in (22, 23, 80, 443)

      vm where ip address in (192.168.91.11, 192.168.91.10)

      not in

      flows where port not in (22, 23, 80, 443)

      vm where ip address not in (192.168.91.11, 192.168.91.10)

      is set vms where firewall rule is set
      is not set vms where firewall rule is not set
      () flows where (src tier = ‘App’ and destination tier = ‘DB’) OR (destination tier = ‘App’ and source tier = ‘DB’)
      and flows where src tier = 'App' and destinationtier = 'DB'
      or flows where flow type = 'Source is VMKNIC' or flow type = 'Destination is VMKNIC'
      matches

      vm where name matches '.*'

      vm where name matches 'a.*'

      vm where name matches '[a-z]vm-delta[0-9]'

      not matches

      vm where name not matches '.*'

      vm where name not matches 'a.*'

      vm where name not matches '[a-z]vm-delta[0-9]'

      nested 'in' operator

      vm where in (vm where name = 'x')

      vm where in (vm of host where name = 'x')

      vm where host in (host of vm where name = 'x')

      vm where name in (name of vm where name = 'x')

      Projections: A projection clause in a query decides what fields must be displayed from the filtered entities. This is an optional clause. If the projection clause is not specified, then the default set of fields is shown in the search results. A projection clause can contain any one of the following items:
      1. Property
      2. Count
      3. List
      4. Aggregation
      5. Series

      1. Property: When entities are searched by an entity type, default set of properties are shown in the search results. Using projections, we can select the fields that should appear in the search results. For example, os of vms lists all virtual machines with OS property in the search results.
        Here are some more examples:
        • cpu cores of vms
        • source ip address of flows

        If a metric property is used, a graph is displayed for each entity with the metric property as y-axis and time as x-axis.

      2. Count: The count query can be used to compute the number of objects of an entity type. Here are some examples:
        • count of vms
        • count of hosts
        • count of flows
      3. List: A list operator is helpful if the filter condition cannot be applied on the entity that you fetch.

        For example:

        List(host) of vms where memory <= 2gb

        This query fetches list of hosts, whereas the filter condition is applied on virtual machines. For example, List(ip address)of vms where cpu cores = 1

        Aggregate functions: An aggregate function allows you to calculate a single value from a numerical config or metric property. The search query language supports the following aggregate functions:
        • max
        • sum
        • min
        • avg
        Here are some examples:
        • sum(memory) of hosts
        • sum(memory), sum(cpu cores) of vms
        • sum(bytes) of flows
      4. Series: A series operator is used to perform aggregation on the metric properties. For example:

        series(avg(cpu usage)) of vms where cpu cores = 4

        This query displays graph containing average cpu usage of all virtual machines with 4 cpu cores. Here are some examples:
        • series(sum(network usage)) of vms where name like 'app'
        • series(sum(memory usage)) of vms where name like 'db'
        • series(avg(cpu usage)), series(avg(memory usage)) of vms
    • Ordering: The search results can be sorted using order by clause. Only one field is allowed in order by clause. Results are sorted in descending order by default.

      Here are some examples:

      1. vms order by cpu cores
      2. vms order by cpu cores asc
      3. flows order by bytes

      The limit clause can be used to limit the number of results. This must be preceded by the order by clause. For example:

      vms order by memory limit 5
    • Grouping: The entities can be grouped by a property. When entities are grouped by a property, by default, the number of results in each group are shown. By adding a projection, sum/max/min of any property can be computed . Adding order by clause sorts the results. If order by or projection clause is present in a query, then the aggregation function must be present.

      sum(bytes) of flows group by dest vm

      This query is valid as the query has aggregation function in the projection clause. A query such as bytes of flows group by dest vm is invalid as there is no aggregation function in the projection clause.

      Here are some examples:
      1. vms group by host
      2. sum (bytes) of flows group by dest vm order by sum(bytes)
  2. Entity Queries

    Search by entity type: All entities of an entity type can be listed by searching the entity type.

    Examples: vms , hosts, flows, nsx managers

    1. Search by entity name
      • Search by full name: If the full name of an entity is known, it can be searched by enclosing the name in single quotes.

        Examples: 'prod-68-1', 'app1-72-1'

      • Search by partial name: Search by a single word or multiple words fetches all the entities matching the input words.

        Examples: prod, app1

        Note: If input contains keywords or entity types, then it may be processed as a search query.
      • Search by entity type and name: If both the name and the type of an entity are known, it can be searched by querying entity type and entity name together.

        Example: The search query 'vm app1' returns all VMs containing app1.

  3. Planning Queries

    These queries can be used to plan the security of the data center by analyzing flows.

    Examples:
    1. plan securitygroup1
    2. plan host1
    3. plan security
  4. Path Queries

    These queries can be used to show the path between two VMs or the path from VM to Internet.

    Examples:
    1. Vm 'vm1' to Vm 'vm2'
    2. VM 'vm1' to Internet
Note:
  • The search queries are not case-sensitive.
  • The entity types or the configuration properties can have synonyms. For example, entity type 'virtual machine' has synonym 'vm'.