Log Insight: Aliasing Feature

I covered the datastore ID to name aliasing feature in Log Insight 4.0, but under the covers it is really a more generic aliasing feature that has not been exposed yet. I walked through a bit of how the aliasing feature works, but I wanted to dig a little deeper into the aliasRules option. Read on to learn more!

As you may remember, the breakdown of the aliasRules section is as follows:

  • name = unique name to identify the alias (internal only)
  • filter = keywords and/or globs to find the event with the key and value fields (the more specific the better)
  • keyField = the field for which a dynamic alias should be mapped against
  • valueField = a second field in the same event as the keyField that provides the alias value
  • aliasFieldName = name of the alias field to be shown next to events that contain the keyField
  • associatedFields = the field(s) for which the aliasFieldName should appear (comma separated)

The additional piece of insight I want to provide is how to compute these aliases yourself. Let’s use an example from the vSphere content pack:

  • "name":"DatastoreFromVmFileSystem",
  • "filter":"hostd VmFileSystem Label headExtent naa*",
  • "keyField":"vmw_esxi_device_id",
  • "valueField":"vmw_esxi_vmfs_label",
  • "aliasFieldName":"vmw_esxi_vmfs_name",
  • "associatedFields":["vmw_esxi_device_id"]

The workflow is as follows:

  • filter: enter into search bar
  • keyField: add as exists filter
  • valueField: add as exists filter
  • run query for last 24 hours
  • group by keyField and valueField and switch to table view

  • export the table as CSV
  • open the CSV
  • clear the query on IA
  • for each associatedField you will need to construct a new query
    • create an exists filter for one of the associatedFields
    • if the associatedField is the same as the keyField then add a second filter for valueField does not exist
    • run query
    • group by the associatedField
    • switch to table view

  • for each value, look for the same entry in the CSV under the keyField column
  • if you find a match, you will see the aliasFieldName below the event that contains the associatedField; the value of the aliasFieldName will be the valueField from the CSV
  • if you do not find a match for the keyField in the CSV, you will not see the aliasFieldName below the event that contains the associatedField (i.e. no alias has been learned yet)
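
The lookup at the end of the workflow can be scripted. This is an added example, not part of the original post or of Log Insight itself; it assumes the exported CSV uses the field names as column headers, and the device IDs, datastore labels and events are constructed sample data.

```python
import csv
import io

# Alias rule fields as quoted in the post (vSphere content pack).
RULE = {
    "keyField": "vmw_esxi_device_id",
    "valueField": "vmw_esxi_vmfs_label",
    "aliasFieldName": "vmw_esxi_vmfs_name",
    "associatedFields": ["vmw_esxi_device_id"],
}
# Constructed stand-in for the CSV export; headers assumed to be field names.
EXPORTED_CSV = """\
vmw_esxi_device_id,vmw_esxi_vmfs_label,count
naa.6000aaaa00000001,datastore-prod-01,12
naa.6000aaaa00000002,datastore-lab-01,3
"""
# Constructed events, reduced to their extracted fields.
EVENTS = [
    {"vmw_esxi_device_id": "naa.6000aaaa00000001"},           # learned key
    {"vmw_esxi_device_id": "naa.6000aaaa00000009"},           # key never learned
    {"vmw_esxi_device_id": "naa.6000aaaa00000002",
     "vmw_esxi_vmfs_label": "datastore-lab-01"},              # source event
    {"hostname": "esx01.example.test"},                       # no associatedField
]

def load_alias_map(csv_text, rule):
    """Map each keyField value to the valueField value exported with it."""
    alias_map = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key, value = row.get(rule["keyField"]), row.get(rule["valueField"])
        if key and value:
            alias_map[key] = value  # assumption: a later row overrides an earlier one
    return alias_map

def expected_alias(event, rule, alias_map):
    """Return the aliasFieldName value expected under the event, else None."""
    for field in rule["associatedFields"]:
        if field not in event:
            continue
        # Mirrors the workflow's "valueField does not exist" filter.
        if field == rule["keyField"] and rule["valueField"] in event:
            continue
        if event[field] in alias_map:
            return alias_map[event[field]]
    return None  # no alias has been learned yet for this event

if __name__ == "__main__":
    learned = load_alias_map(EXPORTED_CSV, RULE)
    for ev in EVENTS:
        print(ev, "->", RULE["aliasFieldName"], "=", expected_alias(ev, RULE, learned))
```
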

Note: If you perform the steps above in your environment, you may get no results — this is OK. The above alias only returns results when you have/had an issue in your environment. Yes, this means if you have not had this issue then this aliasRule will not work. This is why you see multiple aliasRules in the vSphere content pack for the same associatedFields. Also, note that another aliasRule was added in the vSphere 4.5 content pack version. This new aliasRule returns results even in healthy environments.

© 2017, Steve Flanders. All rights reserved.
