I have the VM name and want to find who deleted the VM. I tried the below, but there is no output.
Get-VIEvent -MaxSamples ([int]::MaxValue) -Start (Get-Date).AddDays(-14) |
where {$_ -is [VMware.Vim.VmRemovedEvent] -and $_.VM -ne 'VMNAME'} |
Sort -Property CreatedTime -Descending |
Select CreatedTime,UserName,FullFormattedMessage
I am not sure we can use this parameter: "-and $_.VM -ne 'VMNAME'} |".
The VM property in an event does not contain a string with the name of the VM, but a MoRef.
That is a pointer to the VM, which is a bit strange when it concerns a removal.
Unless you have saved that MoRef somewhere before the removal.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
You can check the vCenter Server or ESXi host tasks & events for who deleted a VM. If not, then try to find it in the vCenter Server logs by filtering on the VM name.
Did you actually read the question?!?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Thanks LucD,
Can we use "FullFormattedMessage" and query the "VMNAME"? The ultimate aim is to reduce the time; I need to get the user name and time for the VMRemovedEvent, instead of searching all the deleted events.
Get-VIEvent -Start (Get-Date).AddDays(-1) -MaxSamples ([int]::MaxValue) | where {$_ -is [VMware.Vim.VmRemovedEvent]}
Template : False
Key : 792885076
ChainId : 792885073
CreatedTime : 16/06/2021 07:30:56
UserName : 'username"
Datacenter : VMware.Vim.DatacenterEventArgument
ComputeResource : VMware.Vim.ComputeResourceEventArgument
Host : VMware.Vim.HostEventArgument
Vm : VMware.Vim.VmEventArgument
Ds :
Net :
Dvs :
FullFormattedMessage : Removed vmname on localhost.local from Datacenter
ChangeTag :
Yes, if the VMNAME is in the FullFormattedMessage you could do that.
But be aware that this does not diminish the execution time.
The Get-VIEvent will still retrieve all events, and the Where-clause will filter out the ones you want.
That is in fact one of the reasons why I created my Get-VIEventPlus function.
There the filtering happens during the retrieval of the events, resulting in a much faster execution time.
You could use the EventType parameter and only retrieve the VMRemovedEvent objects.
Which you could then filter with a Where-clause on the FullFormattedMessage content.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Thanks LucD,
Yes, I am not able to reduce the execution time. I am only able to filter and get the result for the VM alone.
Get-VIEvent -Start ((Get-Date).AddDays(-1)) -MaxSamples ([int]::MaxValue) | Where {($_ -is [VMware.Vim.VmRemovedEvent])} |
where {$_.FullFormattedMessage -like '*VMNAME*'} | Select-Object CreatedTime, UserName, FullFormattedMessage
CreatedTime : 16/06/2021 07:30:56
UserName : 'username"
FullFormattedMessage : Removed VMNAME on localhost.local from Datacenter
You should have a look at my Get-VIEventPlus function.
Is your question answered?
Or what is still missing?
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
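The thread's point about filtering during retrieval rather than afterwards, shown as an added example. This is not code from any post in the thread and is not LucD's Get-VIEventPlus. It uses the vSphere API event collector so that vCenter returns only VmRemovedEvent entries for the time window. The function name Get-VmRemovalEvent and its parameters are hypothetical, and a Connect-VIServer session to a single vCenter is assumed.

```powershell
# Added example: server-side filtered audit query for VM deletions.
# Get-VmRemovalEvent is a hypothetical name; assumes one connected vCenter.
function Get-VmRemovalEvent {
    param(
        [Parameter(Mandatory)][string]$VMName,
        [datetime]$Start  = (Get-Date).AddDays(-14),
        [datetime]$Finish = (Get-Date),
        [int]$PageSize    = 100
    )

    # The filter is evaluated by vCenter, so only matching events cross the wire.
    $filter = New-Object VMware.Vim.EventFilterSpec
    $filter.EventTypeId = @('VmRemovedEvent')
    $filter.Time = New-Object VMware.Vim.EventFilterSpecByTime
    $filter.Time.BeginTime = $Start
    $filter.Time.EndTime   = $Finish

    $eventMgr  = Get-View EventManager
    $collector = Get-View ($eventMgr.CreateCollectorForEvents($filter))
    try {
        # A new collector starts at the oldest matching event; read page by
        # page until an empty page signals the end.
        while ($page = $collector.ReadNextEvents($PageSize)) {
            $page |
                # The event's Vm argument carries the VM name next to the MoRef,
                # so an exact match is possible even though the VM is gone.
                Where-Object { $_.Vm.Name -eq $VMName } |
                Select-Object CreatedTime, UserName, FullFormattedMessage
        }
    }
    finally {
        # Collectors are server-side objects; release them even on error.
        $collector.DestroyCollector()
    }
}

# 'VMNAME' is the placeholder used in the thread.
Get-VmRemovalEvent -VMName 'VMNAME' | Sort-Object CreatedTime -Descending
```

Results only reach as far back as vCenter's event retention, so a deletion older than that window has to be traced in the vCenter logs or an external log store instead.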