You can use these examples when building your queries in the Explore Logs page of vRealize Log Insight.

Query for all heartbeat events reported by the ESX/ESXi hostd process yesterday between 9-10am

Important: vRealize Log Insight indexes complete, alphanumeric, hyphen, and underscore characters.

To query for all heartbeat events reported by the ESX/ESXi hostd process:

  1. In the search text box, type heartbeat*.
  2. Define a filter.
    1. Select appname from the first drop-down menu.
    2. Select contains from the second drop-down menu.
    3. Type hostd in the value text box.
  3. Define the time range.
    1. In the Time Range drop-down menu select Custom.
    2. In the first text box, enter yesterday's date and 9am.
    3. In the second text box, enter yesterday's date and 10am.
  4. Click the Search button.

Search for a Group of Hosts that Have a Common String in Their Names

Assume that you have several hosts that have a host with the following name: w1-stvc-205-prod3, and another host that is called w1-stvc-206-prod5.

To find all logs for both hosts, create the following query.

  1. Leave the search text box empty.
  2. Define the filter.
    1. Select hostname from the field drop-down menu.
    2. Select starts with from the operator drop-down menu.
    3. Type w1-stvc in the value text box.

    Alternatively, you can use the contains operator, but then you must use a glob in the search value. In this example, you must type w1-stvc-* in the value text box.

  3. Click the Search button.

Query for all errors reported by vCenter Server tasks, events, and alarms

To query for all errors reported by vCenter Server tasks, events, and alarms:

  1. In the search text box, type error.
  2. Define a filter.
    1. Select vc_event_type from the first drop-down menu.
    2. Select the exists operator from the second drop-down menu.
  3. Click the Search button.

Query for SCSI latency over one second as reported by ESX/ESXi

To query for SCSI latency over one second as reported by ESX/ESXi:

  1. In the search text box, type scsi latency "performance has".
  2. Define a filter.
    1. Select vmw_vob_component from the first drop-down menu.
    2. Select the contains operator from the second drop-down menu.
    3. Type scsiCorrelator in the text box.
  3. Define a second filter.
    1. Select vmw_latency_in_micros from the first drop-down menu.
    2. Select the > operator from the second drop-down menu.
    3. Type 1000000 in the text box.
  4. Click the Search button.

Query for events in an index partition

To query for events in an index partition:

  1. Leave the search text box empty.
  2. Define the following filter.
    1. Select _index from the first drop-down menu.
    2. Select the is operator from the second drop-down menu.
    3. Enter the partition name in the text box. You can use one of the autocomplete suggestions.
  3. Click the Search button.