Get-gEvents for getting vsphere events with some additional filtering


Some time ago i wrote a dirty function that utilizes eventfilterspec to filter out events. I knew it had one flaw, because as far as i remember i was using there QueryEvents method. Nothing bad with that, but as far as i understand it will only return up to 1000 records. So i have finally modified it so it uses EventCollector. It has support for searching by eventchainID, eventTypeId, username, date. I have tried to document function as much as possible. For me it works ok. There is some tiny support for checking eventTypeIds inside the function. If something is not clear make sure you will read the help
get-help get-gEvents -full
One confusing bit might be that while passing the entityname , you have to pass the viewtype as well. Well i did it because i use it this way 😉 So i use Get-View -ViewType [type] -Filter @{‘name’=XXX’}
So it’s up to you what exactly you are looking for, while specifying the entity, In filter name will be put, but ViewType specifies the type of object, whether it will be a datacenter, vm , cluster, datastore etc..
I tried to implement the switch for enabling/disabling full formatted message, but for some reason it was not working, no idea why.

Quick examples:

How to check how many vmotions DRS has performed inside a particular cluster ?

(Get-gEvents -StartDate (get-date).AddDays(-1) -types 'VmBeingHotMigratedEvent' -EntityName 'Cluster_name' -ViewType ClusterComputeResource).Count

How to check how many vmotions DRS has performed inside a particular datacenter ?

(Get-gEvents -StartDate (get-date).AddDays(-1) -types 'VmBeingHotMigratedEvent' -EntityName 'Datacenter_name' -ViewType Datacenter).count

Endless possibilities basically.. i will throw 1 more
How many times user X has powered off a VM in last 7 days

(Get-gEvents -StartDate (get-date).AddDays(-7) -EventTypeIds 'VmPoweredOffEvent' -EventUsername 'DOMAIN\UserX' -systemUser:$false ).count

How many were there vmotions in some cluster during last 7 days

Get-gEvents -StartDate (get-date).AddDays(-7) -EventTypeIds 'VmFailedMigrateEvent' -EntityName 'SomeCluster' -ViewType ClusterComputeResource}

What if you want to check for other dates ? Use: -StartDate with (get-date).AddDays(-7) for example, to go 7 days back. Same goes for end date, -EndDate (get-date…..

When you will be giving parameter for the Entity, you can still use the -Recursion parameter with it to control whether you want to inspect only THAT entity, or its children, or both.

If you will skip -startdate or -enddate make sure you know that function is setting those variable up anyway with default values of: Enddate -> NOW , -startdate 7 days ago.

Make sure you know that by default if you will skip those parameters : systemuser and recursion will be set to true and all . So if you wonder how come you received system events if you were looking for user’s events, mark the -systemuser:$false , if you want to look only for event on entity and do not want to step inside its children use -recursion ‘self’ , because by default i set it to ‘all’.

You do not need to provide entity for this function to start, if not given it searches through everything.

Enjoy

function Get-gEvents
{
  <# .SYNOPSIS Get-gEvents is utilizing EventCollector to get information about events. .DESCRIPTION Get-gEvents utilizies most of what EventCollector has to offer. If Start or End date is not specified, the default values of: End - Now, Start - last 7 days will be applied. If you are using EventUserName parameter, you can then choose SystemUser parameter. By default it is selected as True, so if you do not want to see system events please set it to -SystemUser:$false , so you will get only user's records. This function also allows to get current list of types for events, if you do not remember a particular event, first try this function with -ListMainEVTypes From there you can use -ListSecEVTypes with -SubEVType and give it value of name of typse from previous command. .EXAMPLE Count DRS vmotions in Virtual Center for last day. (Get-gEvents -StartDate (get-date).AddDays(-1) -EventTypeIds 'VmBeingHotMigratedEvent').count .EXAMPLE Get-gEvents -ListSecEVTypes -SubEVType 'VmEvent' .PARAMETER ListMainEVTypes If used , you will received main event types categories. .PARAMETER ListSecEVTypes If used, you have to use SuvEVType to select the right subcategory to expand. .PARAMETER SubEVType From output of -ListMainEVTypes you can paste its name to -SubEVType , in response you will get more detailed event types. for example -SubEVType 'VmEvent' .PARAMETER eventChainId If you are interested only in particular event chain you can specify it's id here. .PARAMETER EventUsername You can search only user's events by giving in this parameter the login of user for example: 'userX', 'DOMAIN\UserX' .PARAMETER EntityName Name of the entity for which or underwhich you will be looking for events. It works together with ViewType. .PARAMETER systemUser In use with EventUsername, By default systemUser is $True, so that you will see the user's and the system events. If you will give -systemUser:$false then, only user's events will be gathered. .PARAMETER EventTypeIds This parameters can handle multiple ids of eventtypes separated by comas, for example : VmBeingHotMigratedEvent for checking drs migrations or VmPoweredOffEvent for vms getting powered off. If you do not know the specific type id, you can always run this function with ListMainEVTypes and ListSecEVTypes paramegters to get hints. .PARAMETER category Possible categories are: info, warning, error, user. .PARAMETER StartDate Start date for the search query. For example (get-date) for now, or (get-date).AddDays(-1) for yesterday. .PARAMETER EndDate End date for the search query. For example (get-date) for now, or (get-date).AddDays(-1) for yesterday. .PARAMETER Recursion You can choose from Self,Children,All options. Self is only checking events on Entity itself, Childred only on Children entities, and all is Self+Children. .PARAMETER ViewType This is the ViewType that you would normally use within Get-View to find that particular entity. For example HostSystem for host, or VirtualMachine for VM, or ClusterComputeResource for Cluster. .LINK https://psvmware.wordpress.com .NOTES Author : Grzegorz Kulikowski #>
	[cmdletbinding(DefaultParametersetName = "Main Usage")]
	param (
		[parameter(Mandatory = $true, ParameterSetName = "Main Events Types Listing")][switch]$ListMainEVTypes,
		[parameter(Mandatory = $true, ParameterSetName = "Detailed SubEvents Types Listing")][switch]$ListSecEVTypes,
		[parameter(Mandatory = $true, ParameterSetName = "Detailed SubEvents Types Listing")]$SubEVType,
		[parameter(Mandatory = $true, ParameterSetName = "ChainID Events Listing")][string]$eventChainId,
		[parameter(Mandatory = $false, ParameterSetName = "Main Usage")][string[]]$EventUsername,
		[parameter(Mandatory = $false, ParameterSetName = "Main Usage")][bool]$systemUser = $true,
		[parameter(Mandatory = $false, ParameterSetName = "Main Usage")][string]$EntityName,
		[parameter(Mandatory = $false, ParameterSetName = "Main Usage")][String[]]$EventTypeIds,
		[parameter(Mandatory = $false, ParameterSetName = "Main Usage")][VMware.Vim.EventCategory]$category,
		[parameter(Mandatory = $false, ParameterSetName = "Main Usage")][datetime]$StartDate = (Get-Date).AddDays(-7),
		[parameter(Mandatory = $false, ParameterSetName = "Main Usage")][datetime]$EndDate = (Get-date),
		[parameter(Mandatory = $false, ParameterSetName = "Main Usage")][vmware.vim.EventFilterSpecRecursionOption]$Recursion = 'all',
		[parameter(Mandatory = $false, ParameterSetName = "Main Usage")][ValidateSet('ClusterComputeResource', 'ComputeResource', 'Datacenter', 'Datastore', 'DistributedVirtualPortgroup', 'DistributedVirtualSwitch', 'Folder', 'HostSystem', 'Network', 'OpaqueNetwork', 'ResourcePool', 'StoragePod', 'VirtualApp', 'VirtualMachine', 'VmwareDistributedVirtualSwitch')][string]$ViewType
	)
	
	switch ($PsCmdlet.ParameterSetName)
	{
		"Main Events Types Listing"  {
			[VMware.Vim.VmEvent].Assembly.GetTypes() | ? { $_.BaseType -eq [VMware.Vim.Event] }
			break
			
		}
		"Detailed SubEvents Types Listing"  {
			
			[VMware.Vim.VmEvent].Assembly.GetTypes() | ? { $_.BaseType -like "VMware.Vim.$SubEVType" }
			break
		}
		"Main Usage" {
			$si = get-view -id ServiceInstance
			$em = get-view -id $si.Content.EventManager
			
			$EventFilterSpec = New-Object VMware.Vim.EventFilterSpec
			$EventFilterSpec.eventTypeId = $EventTypeIds
			if ($StartDate -or $EndDate)
			{
				Write-debug "Date was given"
				$EventFilterSpec.Time = New-Object Vmware.Vim.EventFilterSpecByTime
				$EventFilterSpec.Time.beginTime = $StartDate
				$EventFilterSpec.Time.endTime = $EndDate
			}
			if ($category)
			{
				Write-debug "Category was given"
				$EventFilterSpec.Category = $category
			}
			if ($EventUsername)
			{
				Write-debug "User was given"
				$EventFilterSpec.userName = New-Object Vmware.Vim.EventFilterSpecByUsername
				$EventFilterSpec.userName.systemUser = $systemUser
				$EventFilterSpec.userName.userList = $EventUsername
			}
			if ($EventChainId)
			{
				Write-debug "EventChainId was given"
				$EventFilterSpec.EventChainId = $EventChainId
			}
			if ($EntityName)
			{
				Write-debug "Entity was given"
				$entity = get-view -viewtype $ViewType -Filter @{ 'name' = $EntityName } -Property name
				$EventFilterSpec.Entity = New-Object VMware.Vim.EventFilterSpecByEntity
				$EventFilterSpec.Entity.Entity = $entity.moref
				$EventFilterSpec.Entity.Recursion = $Recursion
			}
			$EventCollector = get-view -id $EM.CreateCollectorForEvents($Eventfilterspec)
			$EventCollector.RewindCollector()
			write-debug "Collector rewinded"
			$events = $null
			
			
			while ($EventInWindow = $EventCollector.ReadNextEvents(100))
			{
				$Events += $EventInWindow
				write-debug "Reading next window"
			}
			$EventCollector.DestroyCollector()
			$Events
			break}
	}
	
	
}

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s