Install the Splunk OVA for VMware
Use the instructions below to install the Splunk OVA for VMware onto your Splunk platform deployment.
Data Collection Node resource requirements
DCNs communicate with the Collection Configuration page, which runs on the Splunk scheduler, to retrieve performance, inventory, hierarchy, task, and event data from vCenter servers.
- Each Data Collection Node (DCN) needs at least one CPU core for every 10 hosts from which the DCN is collecting data.
- Splunk recommends that you estimate the number of CPUs needed for your worker processes with the expectation that a CPU in your deployment will eventually fail. Provision at least one extra CPU to help maintain capacity and availability in your deployment.
Each DCN polls information for up to 70 ESXi hosts and 1,750 virtual machines. With this sizing, a site pulling information from 200 hypervisors and 5,000 VMs needs to create at least 3 DCNs.
DCN virtual appliance sizing is as follows:
- 8 CPU cores with 2GHz reserved
- 12 GB Memory with a reservation of 1GB
- 20 GB storage
To ensure reliable communication between systems, use static IP addresses and dedicated host names for each DCN. See Collect Data from vCenter Server systems using the VMware API.
Install the Splunk OVA for VMware in your virtual environment
- Open the vSphere client and log into vCenter Server.
- Invoke the OVA template wizard. Right click on ESXi Host > Deploy OVF Template.
- In the Deploy OVF Template wizard click Local file, then click UPLOAD FILES.
- Browse to the location of your OVA file, splunk_data_collection_node_for_vmware_<version>-<build_number>.ova, then click Next.
  - Note: You can't download the file directly from the URL. Splunk Apps requires that you be authenticated via a supported web browser before you begin your download.
- In the Name and Folder screen, provide a new name for the node VM. (You can use the default name, if you want.)
- Select a data center or folder as the deployment destination for the node VM, then click Next.
- Review the OVF template details, then click Next.
- In the Select Storage screen, choose the datastore where you want the VM and its filesystem to reside. The datastore can be from 4GB to 20GB. Click Next.
- On the Disk Format selection, select either Thin or Thick Provisioning, then click Next. We recommend thick provisioning.
- On the Select Network screen, specify the networks that you want the deployed template to use. Use the Destination Networks menu to map your data collection node .ova template to one of the networks in your inventory.
- Validate your selections in the Ready to complete dialog, then select Finish to begin deployment.
- Once deployed, click Close to complete the installation and exit the wizard.
- Resource your VM according to the data collection node resource requirements listed above.
- Locate the collection node VM in the vSphere Client tree view.
- Right-click on the collection node VM and choose Power > Power On from the menu to start the VM. When you power on the data collection node, Splunk starts automatically even though the VMware data collection mechanism is not configured. By default, the node VM boots and gets its network settings via DHCP. You can keep this default setting or you can set a static IP address. If you use DHCP, check the Summary tab in the vSphere client to get the IP address of the node VM.
- To SSH into the data collection node, use the default username and password (splunk/changeme). You automatically land in /home/splunk.
  - If you use DHCP, check the Summary tab in the vSphere client to get the IP address of the node VM.
  - If you do not use DHCP, go to the vSphere client and open the console where the OVA is deployed. Log in using the "root" user and run dcn-network-script. Use the same IP in this script to SSH. See Configure the DCN system settings.
- Your Splunk platform is installed in /opt.
- Set up forwarding to the port on which the Splunk indexer(s) is configured to receive data. See "Enable forwarding on a Splunk Enterprise instance" in the Forwarding Data manual.
- The default password for Splunk's admin user is changeme. This is true for all Splunk instances. We recommend that you change the password using the CLI for this forwarder.
- Start your Splunk platform instance.
Now you can configure the DCNs and the Splunk settings for each DCN.
Create your own data collection node
You can build a data collection node and configure it specifically for your environment. Create and configure this data collection node on a physical machine or as a VM image to deploy into your environment using vCenter.
Build a data collection node
Whether you are building a physical data collection node or a data collection node VM, follow the steps below. To build a data collection node VM, we recommend that you follow the guidelines set by VMware to create the virtual machine and deploy it in your environment.
To build a data collection node:
- Install a Red Hat Enterprise Linux version that is compatible with Splunk Enterprise version 9.2.2 or later.
- Install Splunk Enterprise version 9.2.2 or later, and configure it as a heavy forwarder.
- Download the Splunk OVA for VMware from Splunkbase.
- Copy the file Splunk_add-on_for_vmware-<version>.tgz from the download package, and move it to $SPLUNK_HOME/etc/apps.
- Extract the file Splunk_add_on_for_vmware-<version>.tgz from $SPLUNK_HOME/etc/apps.
- Verify that the data collection components SA-Hydra, Splunk_TA_vmware, and Splunk_TA_esxilogs exist in $SPLUNK_HOME/etc/apps.
- Verify that the firewall ports are correct. The DCN communicates with splunkd on port 8089. The DCN communicates with the scheduler node on port 8008. Set up forwarding to the same port as your Splunk indexers.
- Navigate to $SPLUNK_HOME/etc/apps/SA-Hydra/local and open outputs.conf.
- Uncomment the [tcpout] stanza. Save and exit.
- (Optional) Disable the KVStore to reduce CPU overhead on your Splunk platform instance by navigating to $SPLUNK_HOME/etc/system/local/.
- Open the server.conf file and disable the kvstore stanza:
    [kvstore]
    disabled = true
- Save your changes and exit.
- After deploying the collection components, add the forwarder to your scheduler's configuration. See Configure the Splunk OVA for VMware in this manual.
Note: You cannot use a universal forwarder. It lacks necessary Python libraries.
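The verification steps in the build procedure above (the three apps under $SPLUNK_HOME/etc/apps, the uncommented [tcpout] stanza, the optional [kvstore] setting) can be scripted so a node is checked the same way every time. This is an added example, not part of the Splunk documentation or tooling; the function names has_stanza, stanza_value and check_dcn are hypothetical.

```sh
#!/bin/sh
# Added example: post-build checks for a hand-built data collection node.
# Function names are hypothetical; paths and stanza names are the ones in the steps.

# has_stanza FILE NAME: succeed if FILE has an uncommented [NAME] header.
has_stanza() {
    [ -f "$1" ] && grep -Eq "^[[:space:]]*\[$2\][[:space:]]*$" "$1"
}

# stanza_value FILE STANZA KEY: print the value of KEY inside [STANZA], if set.
stanza_value() {
    [ -f "$1" ] || return 0
    awk -v want="[$2]" -v key="$3" '
        /^[ \t]*#/  { next }
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); in_s = ($0 == want); next }
        in_s && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# check_dcn SPLUNK_HOME: print findings; exit status is the number of failures.
check_dcn() {
    root=$1; fails=0
    for app in SA-Hydra Splunk_TA_vmware Splunk_TA_esxilogs; do
        [ -d "$root/etc/apps/$app" ] ||
            { echo "FAIL: $app missing from etc/apps"; fails=$((fails + 1)); }
    done
    has_stanza "$root/etc/apps/SA-Hydra/local/outputs.conf" tcpout ||
        { echo "FAIL: [tcpout] is commented out or absent"; fails=$((fails + 1)); }
    # Disabling the KV store is optional in the steps, so report without failing.
    case "$(stanza_value "$root/etc/system/local/server.conf" kvstore disabled)" in
        true|1) echo "INFO: KV store disabled" ;;
        *)      echo "INFO: KV store not disabled (optional step)" ;;
    esac
    return "$fails"
}

# Run against a real install when a path is given, e.g. sh check_dcn.sh "$SPLUNK_HOME"
if [ "$#" -gt 0 ]; then check_dcn "$1"; fi
```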
Learn More
- See the "deploy a heavy forwarder" section of the Splunk Enterprise Forwarding Data manual to learn how to deploy a heavy forwarder.
- See "Use forwarders to get data in" in the Splunk Enterprise Forwarding Data manual to learn more about forwarder configuration.
This documentation applies to the following versions of Splunk® OVA for VMware and NetApp: 4.0.7