Splunk® Supported Add-ons

Splunk Add-on for VMware

Install the Splunk Add-on for VMware

The Splunk Add-on for VMware performs several data collection and enrichment tasks. This guide takes you through installing the add-on components in preparation for configuring data collection. The installation steps are listed below:

  1. Upload the Add-on for VMware to your Data Collection Nodes.
  2. Add the add-on components to your search head(s).
  3. Add the add-on components to your indexer(s).
  4. Add the add-on components to your forwarders (for log collection).
  5. Create the Distributed Collection Scheduler. Data collection for VMware requires complex job management for connecting to and polling data from your environment. The Scheduler is an instance of Splunk used to manage data collection jobs between your Data Collection Nodes.

The table below outlines a distributed deployment installation of the Splunk Add-on for VMware. For single-instance deployments, all components must be installed on your single Splunk platform instance. The Splunk Add-on for VMware cannot be installed using a GUI.

Component Indexer Data Collection Node Syslog Server/Log Forwarder Scheduler
Splunk_TA_vmware X X X
Splunk_TA_esxilogs X X
Splunk_TA_vcenter X X
SA-Hydra X X X
SA-VMNetAppUtils X X X

Upload the Add-on for VMware to your Data Collection Nodes

If this is an upgrade from a previous version of the Splunk Add-on for VMware or the Splunk App for VMware, follow the steps below. Otherwise, you need to configure Data Collection Nodes to connect to and poll data from your VMware vCenters. Steps for setting up a Data Collection Node can be found here.

  1. Stop your Splunk platform instance.
  2. Upload TA_vmware, SA-VMNetAppUtils, and SA-Hydra to each of your Data Collection Nodes (DCNs).
  3. Restart your Splunk platform instance.

Upload the Add-on for VMware to your search heads

  1. Stop your Splunk platform instance.
  2. Upload SA-Hydra, SA-VMNetAppUtils, Splunk_TA_esxilogs, Splunk_TA_vcenter, and Splunk_TA_vmware to opt/splunk/etc/shcluster/apps/ on your deployer.
    1. The deployer path is only necessary for search head clusters; otherwise, add all components to etc/apps.
  3. Restart your Splunk platform instance.

Upload the Add-on for VMware to your indexer cluster deployment

  1. Enable maintenance mode on the indexer master node.
  2. Add Splunk_TA_vmware, Splunk_TA_esxilogs, and Splunk_TA_vcenter on the indexer master node. (Components are available on etc/master-apps.)
  3. Make sure indexes.conf is present in etc/master-apps/_cluster/local with all app indexes defined and that repFactor=auto is set for every index.
  4. From Splunk_TA_vmware, remove inputs.conf from the default folder and inputs.conf.spec from the README folder.
  5. Remove SA-Hydra and SA-VMNetAppUtils if present.
  6. Restart the indexer master node.
  7. Push the configuration bundle from the indexer master node.
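
A pre-push check for steps 3 to 5, as an added example that is not part of the Splunk documentation: it lists index stanzas in indexes.conf without repFactor = auto, plus any files or apps that should have been removed. The function names and the sample index names are hypothetical, and the script assumes it is given the path to etc/master-apps.

```shell
#!/bin/sh
# Added example (not Splunk code): audit a staged master-apps tree against
# steps 3-5. The layout under the path argument is an assumption taken from
# the paths named in this topic.

# Print each index stanza of indexes.conf that lacks "repFactor = auto".
# [default] and [volume:...] do not define an index and are skipped; a value
# inherited from [default] is not counted, since step 3 asks for every index.
indexes_missing_repfactor() {
    awk '
        function emit() { if (name != "" && !ok) print name }
        /^[ \t]*\[/ {
            emit(); name = $0; ok = 0
            sub(/^[ \t]*\[/, "", name); sub(/\].*$/, "", name)
            if (name == "default" || name ~ /^volume:/) name = ""
            next
        }
        /^[ \t]*repFactor[ \t]*=[ \t]*auto[ \t]*$/ { ok = 1 }
        END { emit() }
    ' "$1"
}

# Print one finding per line for the master-apps directory given as $1.
audit_master_apps() {
    root=$1
    conf="$root/_cluster/local/indexes.conf"
    if [ -f "$conf" ]; then
        for idx in $(indexes_missing_repfactor "$conf"); do
            echo "NO_REPFACTOR_AUTO $idx"
        done
    else
        echo "MISSING _cluster/local/indexes.conf"
    fi
    for p in Splunk_TA_vmware/default/inputs.conf \
             Splunk_TA_vmware/README/inputs.conf.spec \
             SA-Hydra SA-VMNetAppUtils; do
        if [ -e "$root/$p" ]; then echo "REMOVE $p"; fi
    done
    return 0
}

# Constructed sample tree: one index without repFactor and leftover files.
demo=$(mktemp -d)
mkdir -p "$demo/_cluster/local" "$demo/Splunk_TA_vmware/default" "$demo/SA-Hydra"
printf '%s\n' '[sample_perf]' 'repFactor = auto' '[sample_inv]' \
    'homePath = $SPLUNK_DB/sample_inv/db' > "$demo/_cluster/local/indexes.conf"
: > "$demo/Splunk_TA_vmware/default/inputs.conf"
audit_master_apps "$demo"
```

An empty result means the staged tree matches steps 3 to 5 and the bundle can be pushed.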

Upload to your standalone indexer

  1. Stop your Splunk platform instance.
  2. Copy TA_vmware, TA_vcenter, and TA_esxilogs to etc/apps.
    1. Note: SA-VMNetAppUtils and SA-Hydra are not required on the indexer.
  3. From Splunk_TA_vmware, remove inputs.conf from the default folder and inputs.conf.spec from the README folder.
  4. Restart your Splunk platform instance.

Upload to forwarders

Collect logs from VMware vCenter and ESXi hosts by sending them through an intermediate forwarder or directly to your Splunk indexers.

Note: Skip this step if you are forwarding logs directly to Splunk indexers from your ESXi hosts and vCenter Servers.

  1. Stop the forwarder.
  2. On the forwarder, under splunkforwarder/etc/apps, upgrade Splunk_TA_vcenter and Splunk_TA_esxilogs.
  3. The new add-on package includes props.conf and inputs.conf changes for vclogs, so you must update the /local directory with these two files and enable the appropriate stanzas. More information on configuring log collection here.
  4. Make sure that the server entries to forward logs to your indexer(s) are present under etc/system/local/outputs.conf.
  5. Restart the forwarder.

Upload Splunk_TA_vmware, SA-VMNetAppUtils, and SA-Hydra to your scheduler

The scheduler is the instance of Splunk that manages connections to the Data Collection Nodes and manages data collection jobs across your DCNs and vCenters. For production environments, the scheduler should not be on the same search head as your VMware App. We recommend using a license server, distributed management console, or a standalone Splunk instance as your scheduler.

  1. Stop the Scheduler.
  2. The collection configuration UI is now present in Splunk_TA_vmware: upload Splunk_TA_vmware, SA-Hydra, and SA-VMNetAppUtils to etc/apps.
    1. For upgrades only: Delete all other VMware app components (SA-VMW-HierarchyInventory, SA-VMW-LogEventTask, SA-VMW-Performance, splunk_for_vmware, SA-Threshold).
  3. Start the Scheduler.

Learn More

See Use the deployer to distribute apps and configuration updates in the Splunk Enterprise Distributed Search manual.

This documentation applies to the following versions of Splunk® Supported Add-ons: released
