Monthly Archives: March 2016

Troubleshooting Horizon View with Log Insight

VMware vRealize Log Insight provides an out-of-the-box content pack for Horizon View. I find the content pack useful for both monitoring and troubleshooting. Naturally, there are cases where you need to build your own custom field and dashboard. In this blog, I share one such example.

The example I share is a Mass Disconnect of users. This means many users were suddenly disconnected at the same time, causing disruption at work and complaints to IT.

Mass disconnect can certainly happen, and Horizon View Event Database records that. You will see the string “has disconnected from machine” in the View Event DB. Here is one such example. In this case, I’ve filtered to a particular user.


The first challenge is that the Horizon View Event Database does not distinguish between an abnormal disconnect and a normal disconnect. You will see many such strings in the event DB. It is difficult to analyse in a large environment as you cannot visualise it.


Yes, see the example below.


I queried the same string. With Log Insight, I can query all the View Connection Servers, not just one at a time. That’s another benefit of Log Insight.

From the above, you can see clearly that the string happens many times. I plotted for 5 days, and we can see the pattern matches the working hours. So how do we see an abnormal one since the log does not distinguish it?

A mass disconnect means it hits many users in one shot. Within 1 minute, you will see many users hit. Log Insight enables us to zoom. As you can see below, I zoomed into 5 seconds and we can see there is a mass disconnect event within those 60 seconds.


I masked out the user name. Yes, you can also show the user Microsoft AD ID in the table. I also masked the ESXi host. Yes, that means you can group the result by ESXi Host. An example of such a chart is shown below. We can also show them by cluster.


We can also present the chart differently. In this chart, I group by ESXi, as I want to know quickly how many users were hit for each ESXi. From here I can tell it was quite well spread.
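The same check expressed outside Log Insight, as an added example that is not from the original post: it flags any 60-second window in which many distinct users hit the disconnect string, then counts affected users per ESXi host. The message layout around "has disconnected from machine", the sample events, the host and user names, and the `min_users` threshold are all assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Only the phrase "has disconnected from machine" is from the post; the
# "User <name> ... <vm>" layout around it is an assumption.
DISCONNECT = re.compile(r"User (?P<user>\S+) has disconnected from machine (?P<vm>\S+)")

# Constructed sample events (timestamp, ESXi host, message); not real data.
SAMPLE_EVENTS = [
    ("2016-03-01T09:12:05", "esx-01", "User CORP\\alice has disconnected from machine VDI-001"),
    ("2016-03-01T12:30:41", "esx-02", "User CORP\\bob has disconnected from machine VDI-002"),
    ("2016-03-01T14:02:10", "esx-01", "User CORP\\carol has disconnected from machine VDI-003"),
    ("2016-03-01T14:02:14", "esx-02", "User CORP\\dave has disconnected from machine VDI-004"),
    ("2016-03-01T14:02:19", "esx-03", "User CORP\\erin has disconnected from machine VDI-005"),
    ("2016-03-01T14:02:25", "esx-03", "User CORP\\judy has logged in (constructed non-matching event)"),
    ("2016-03-01T14:02:31", "esx-01", "User CORP\\frank has disconnected from machine VDI-006"),
    ("2016-03-01T14:02:44", "esx-02", "User CORP\\grace has disconnected from machine VDI-007"),
    ("2016-03-01T14:02:52", "esx-03", "User CORP\\heidi has disconnected from machine VDI-008"),
    ("2016-03-01T17:45:00", "esx-03", "User CORP\\ivan has disconnected from machine VDI-009"),
]

def find_mass_disconnects(events, window=timedelta(seconds=60), min_users=5):
    """Return one dict per burst of >= min_users distinct users within window."""
    hits = []
    for ts, host, msg in events:
        m = DISCONNECT.search(msg)
        if m:
            hits.append((datetime.fromisoformat(ts), m["user"], host))
    hits.sort()
    bursts, i = [], 0
    while i < len(hits):
        j = i
        while j < len(hits) and hits[j][0] - hits[i][0] <= window:
            j += 1
        users = {u for _, u, _ in hits[i:j]}
        if len(users) < min_users:
            i += 1  # normal, isolated disconnect: slide the window forward
            continue
        # Count distinct affected users per ESXi host, as in the post's chart.
        per_host = Counter(h for _, h in {(u, h) for _, u, h in hits[i:j]})
        bursts.append({"start": hits[i][0], "end": hits[j - 1][0],
                       "users": sorted(users), "per_host": dict(per_host)})
        i = j  # skip past this burst
    return bursts

if __name__ == "__main__":
    for b in find_mass_disconnects(SAMPLE_EVENTS):
        print(b["start"], "->", b["end"], len(b["users"]), "users", b["per_host"])
```

The isolated disconnects during working hours fall below the threshold and are ignored; only the cluster of six users inside one minute is reported.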


Once I know the users, we can create a custom group in vRealize Operations. This has to be done manually. It’s a one time effort, so it’s okay with me.

Once the custom group is created, I can run analysis on it. For example, I can check if the disconnects were caused by disk. As you can see below, the disk latency rose to 543 ms during the time of the disconnect. It’s a one time rise, and the time matches the mass disconnect time.


In vRealize Operations, we can zoom into the specific time. Here, it’s clear that it’s a one time spike.


Hope you find the example useful.

VMware vRealize Log Insight 3.3 upgrade

Steve has documented it here, so I will just complement it. As usual, always review the Release Notes first. Mine is a simple setup (no cluster), so it all looks good to me.

If you are upgrading from 3.0, you will benefit from the upgrade enhancements made in 3.0. If you are running an older version, you need to upgrade to 3.0 first. The steps to upgrade 3.0 –> 3.3 are similar to the steps to upgrade earlier versions. See the blog by Mariusz and Vladan Seget if you have the older version. Look at their documents if you are not familiar.

Go to the Management –> Cluster, as shown below


Click on Upgrade from PAK.


Click Upgrade. You will see the uploading step. This is just copying the PAK file to the VM.


Once you accept the EULA, you will see this. In my case, it only took a few minutes.


And it’s done! Notice the license becomes evaluation in my case.


I verified the upgrade, and the version is now showing 3.3.0


BTW, the vSphere content pack is also updated. It’s a minor update from 3.0 and 3.1. At a glance, I have not spotted any changes yet.


I won’t cover the enhancements that Steve Flanders has covered. Here are 2 additional ones.

First, you can collapse the chart.


Next, you can have a tabular view instead of chart.


I will explore more. In the meantime, hope you find it useful.