NSX-T PowerCLI Search option

A couple of weeks ago I was working for a customer that needed to add multiple VM’s to several different groups. So, I started to look at the scripts or function we created previously. In our repository I found a function to retrieve all the groups from NSX-T and add them to global array. I also found a function that checks the array to see if a group exists and return its ID.

This function uses the PowerCLI command to retrieve all groups:

Or if you compare it to a direct API call, it will be:

Since the functions I found were created with PowerCLI I continued on that path. Together with my colleague Robert we created a script to add VM's to NSX-T security groups. With some limited testing in our lab the script worked like a charm. So, we handed the script over to the customer and at first it did seem to do the trick. Until the customer mentioned he was unable to find several groups with the script that he could see in the NSX-T Manager through the GUI. Fortunately, he also found the reason and a quick solution.

I’ll create an additional blog on adding a VM to a group, but here I want to show how the groups can be found.

What went wrong

Why did the script work in our lab and not in the customers production environment? The reason was the total number of groups. In our lab we only had a couple of groups, at least less than 100. But in the production environment there were more than 1000. The reason the script fails is because the result is limited to 1000 results by default. To demonstrate this, I created 1500 test groups in our lab.

As you can see in the screen shot the result_count from the call to list all groups is 1591, but the count of the ID in the result is only 1000. This can also be viewed in the documentation using $Groups.help.list where it says: default to 1000. Also pay attention to the cursor value, as I’ll come back to that later in this blog.

How can this be solved?

As always there are multiple ways of solving this, but you can’t increase the page_size for the API call of the list() command. See the alternatives at the bottom of this blog post.

And as always, we were creating the script with some time constrains so, the script was adjusted as suggested in the results we found on the internet. We used the Search option. Hopefully I can find some time to also test the method to increase the page_size.

The API call we used was: 

Naturally I would like to show you how this can be done with the NsxtPolicyService module. Once a connection has been made towards the NSX-T manager. You can use the following to search for a group called Test:

The screenshot shows that the search has multiple results of different types, not just groups. This wasn’t an issue in the script we needed for our customer, since all their groups start with SG_* and there was no possibility that a group with the same display name existed twice. But for this blog I wanted to show how to find the correct group named Test. Using the search function in the example above, NSX-T searches for *Test* and returns everything containing ‘test’ in the name, regardless of type.

Back to finding just the group named ‘Test’ (and nothing else). The first clue is already shown in the screenshot above. Each result in the search query has a property named resource_type. The next script can be used to filter the results and display the groups with the display name Test.

As you can see, I have two groups in our lab with the name (display_name) Test, but each with a different ID. We got two groups with the same display name by creating them with a unique name (which is used for the ID) and then renaming one of them. Just to show you that it is possible and might be something you need to prepare your script for – the so-called edge cases.

Alternatives

As mentioned, there are always multiple options to come to a result. Though sometimes it takes a little bit longer to figure them all out. I’ll try to explain some of the other solutions with the help of the screenshot below.

Again, we are retrieving the groups into $Groups, as we have seen in the screenshot(2) above there are 1591 groups, but the results contain only 1000. With the help function we can display the Definition for the list function.

list(string domain_id, string? cursor, boolean? include_mark_for_delete_objects, string? included_fields, string? member_types, long? page_size, boolean? sort_ascending, string? sort_by)

The cursor option is used for getting next page of records (supplied by current result page) and is optional. The cursor can be added to a consecutive command to retrieve the remaining groups. As shown in the second red square in the screenshot above. The first command retrieves the first 1000 groups, the second command the remaining 591. With some logic around this you should be able to retrieve all groups.

The documentation also mentions page_size that defaults 1000. If you try to increase that to command fails. Looking at the yellow square in the screenshot above you can see the first call returning all the groups. If the page_size is limited to 500 the result count is also 500. But if the page_size is increased to 1500 there is an error. So, it appears the default is also the maximum.

Probably there is a method of setting the page_size directly in the command, but again I’m still learning and there isn’t much to find about this on the internet. Hopefully this helps you on your scripting adventures. If you have any comments or additional questions, please let me know.