Splunk® App for VMware (Legacy)

Installation and Configuration Guide

On August 31, 2022, the Splunk App for VMware will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for VMware Dashboards and Reports.
This documentation does not apply to the most recent version of Splunk® App for VMware (Legacy). For documentation on the most recent version, go to the latest release.

About configuration files

Configuration files referenced in this manual

file name Description
outputs.conf Configure an outputs.conf file for this Splunk FA VM to send the data that you collect from your environment to a Splunk indexer. To learn more about outputs.conf see the spec and configuration files in the Splunk Admin manual. Also see Configure forwarders with outputs.conf in the Splunk Distributed Deployment manual.
engine.conf The engine.conf file is a configuration file created on the FA VM to collect machine data. You configure this engine.conf file to collect data from your VMware environment and to forward the data from the machines you are splunking in your VMware environment to the Splunk indexer/search head.
This file is read by "the engine", the main data collection module inside the FA VM. Individual stanzas in engine.conf correspond to VC machines or ESX/i hosts to query for data. Within a stanza, actions correspond to the type(s) of data to query, while intervals and other settings correspond to data gathering frequency. This file is responsible for defining:
  • The target machine(s) to query.
  • The type(s) of data to query.
  • The frequency at which to execute data gathering actions.

You must have service account(s) created and the associated credentials, before creating the engine.conf file(s).

inputs.conf This file is used to start up an instance of engine.pm. Engine instances are run by Splunk based on the stanzas found in the inputs.conf file. Multiple engines can run concurrently. The inputs.conf file is used to start up an instance of the engine (the main data collection module inside the FA Add-on). Engine instances are run by Splunk based on the stanzas found in the inputs.conf file. Specifically, you must create a "scripted input" that calls the engine and takes the absolute path of the engine.conf file as an argument. To learn more about inputs.conf , see the spec and configuration files in the Splunk Admin manual. Also see Configure your inputs in the Splunk Getting Data in manual.
props.conf This correctly sets the timezone for vCenter (VC) log files as they do not contain time zone information. A light forwarder (LF) or universal forwarder (UF) does not parse events to get a timestamp. This is done by the indexers. However, the log data sent by the VC Add-on does not include timezone information which can cause problems when indexers do not reside in the same timezone as the forwarder. To resolve this issue, you must add timezone information to props.conf on the indexers.

The props.conf file is located in the following directory on your indexer(s): On Linux or Unix systems:
$SPLUNK_HOME/etc/apps/splunk_for_vmware/local/props.conf
On Windows systems: $SPLUNK_HOME\etc\apps\splunk_for_vmware\local\props.conf

server.conf modify the "serverName" setting in the server.conf file. Substitute the current value with the same value that you set in the inputs.conf file (e.g. "splunkfa1"):

serverName = splunkfa1. You can change the NTP servers that your FA VM uses by editing the /etc/ntp.conf file.

Last modified on 22 July, 2013
Data collection split between six engine.conf files   engine.conf settings

This documentation applies to the following versions of Splunk® App for VMware (Legacy): 1.0, 1.0.1, 1.0.2, 1.0.3, 2.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters