Today someone asked me how to find out who had deleted a ResourcePool. Now, I'm not one to get anyone into trouble, but I also can't resist a scripting challenge, so here is the process I used to write the following one-liner:
Get-VIEvent | Where { $_.Gettype().Name -eq "ResourcePoolDestroyedEvent"} | Select CreatedTime, UserName, FullFormattedMessage
OK, so we know that everything we do in the vSphere client produces an event, so there must have been an event record, and we know that the person is recorded in it. We can easily create a test resource pool and delete it, which will allow us to test the information we need:
So, let's start with the Get-VIEvent cmdlet. Warning: don't run this outright or you will be sat there for a year and a day whilst every record is returned. Think about how many events are created every minute, hour, day, month!
What we need to do is narrow this down so we can retrieve the results quickly for our test. For this we use the -MaxSamples parameter, which allows us to retrieve the last x events, so let's retrieve the last 5:
Get-VIEvent -MaxSamples 5
One of the events we can see is the event we are interested in:
So, now we want to list just the records which contain information on a deleted resource pool. We can do this in two ways. Firstly, we could read Luc's excellent post (while you're there make sure you read his series of event posts, most excellent!) and try to find the event type that looks about right. Or we can list the type of the record we have just found. To do this we first take a note of the key for the record we are interested in; in our case it is 5677.
Once we have the key we can narrow down our search to return just the event which we are interested in:
Get-ViEvent -MaxSamples 5 | Where { $_.Key -eq 5677}
Once we have just this record we can view the methods and properties on this by using the Get-Member cmdlet:
Get-ViEvent -MaxSamples 5 | Where { $_.Key -eq 5677} | Get-Member
See the GetType method? This allows us to view the type of event. We can now run the following to list the type of event:
OK, so now we can come up with our one-liner, which will list all the events where someone has deleted a resource pool. My example below returns all events of this type; obviously, if the deletion was more recent you could use the -MaxSamples parameter to only retrieve 100 or 1000 events, which will speed it up.
Get-VIEvent | Where { $_.Gettype().Name -eq "ResourcePoolDestroyedEvent"} | Select CreatedTime, UserName, FullFormattedMessage
The select on the end obviously only gives us the fields we are interested in seeing. I have pushed it through Out-GridView just to make it look nice!
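The one-liner above fetches events and filters them on the client with Where. As an added example (not code from the original post), the same audit can be filtered on the vCenter side with an event collector, so only ResourcePoolDestroyedEvent records inside a time window are returned. It assumes PowerCLI is loaded and Connect-VIServer has already been run; the function name Get-ResourcePoolDeletion, its parameters and their defaults are hypothetical.

```powershell
# Added example: requires VMware PowerCLI and an existing Connect-VIServer session.
# Get-ResourcePoolDeletion is a hypothetical helper name, not a PowerCLI cmdlet.
function Get-ResourcePoolDeletion {
    param(
        [datetime]$Start  = (Get-Date).AddDays(-7),  # assumed default audit window
        [datetime]$Finish = (Get-Date),
        [int]$PageSize    = 100                       # events read per round trip
    )

    $si           = Get-View ServiceInstance
    $eventManager = Get-View $si.Content.EventManager

    # Server-side filter: only this event type, only inside the time window.
    $spec                = New-Object VMware.Vim.EventFilterSpec
    $spec.EventTypeId    = @('ResourcePoolDestroyedEvent')
    $spec.Time           = New-Object VMware.Vim.EventFilterSpecByTime
    $spec.Time.BeginTime = $Start
    $spec.Time.EndTime   = $Finish

    $collector = Get-View ($eventManager.CreateCollectorForEvents($spec))
    try {
        # Page through the matching events until the collector is drained.
        do {
            $page = $collector.ReadNextEvents($PageSize)
            foreach ($e in $page) {
                # Same three fields the one-liner selects.
                [pscustomobject]@{
                    CreatedTime          = $e.CreatedTime
                    UserName             = $e.UserName
                    FullFormattedMessage = $e.FullFormattedMessage
                }
            }
        } while ($page -and $page.Count -gt 0)
    }
    finally {
        # Collectors live on the server; always release them when done.
        $collector.DestroyCollector()
    }
}

# Who deleted a resource pool in the last 30 days?
Get-ResourcePoolDeletion -Start (Get-Date).AddDays(-30) | Sort-Object CreatedTime
```

How far back this can look depends on the event retention configured on the vCenter Server.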
And there we go, it was the butler in the study with the resource pool.
This can also be added to the VESI/PowerGUI power pack to make it easier to run in the future:
Thanks for this Alan, was really useful!
FYI, your “Print” feature printed out 20 some pages on this article, 10 blank pages, the rest poorly formatted.