Splunk® App for VMware (Legacy)

Release Notes

On August 31, 2022, the Splunk App for VMware will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for VMware Dashboards and Reports.
This documentation does not apply to the most recent version of Splunk® App for VMware (Legacy). For documentation on the most recent version, go to the latest release.

Upgrade instructions

Upgrade from Beta to 1.0GA

This topic discusses what you need to know to upgrade from a previous beta version of Splunk for VMware to the latest release, Splunk for VMware 1.0GA.

Upgrade from Beta1 and earlier releases to 1.0GA

You must perform a new installation of the Splunk for VMware 1.0 GA release. Splunk for VMware does not support a direct upgrade from the Beta1 version to the 1.0GA release version. Before installing the latest release you must clean up your existing Splunk for VMware installation. For instructions on how to do this, see Clean up your Splunk for VMware installation in this topic. When this is done, you can install the latest software release. As a starting point, see the Preparation checklist in the Splunk for VMware Installation and Configuration Guide.

Upgrade from Beta 2 to 1.0GA

If you have the Beta 2 software version installed and deployed in your environment , you can perform an in-place upgrade. To upgrade to Splunk for VMware 1.0GA, download and install the Splunk FA VM. See About the FA VM in the Splunk for VMware Installation and Configuration Guide. To get help upgrading to Splunk for VMware 1.0 GA, see How to get help.

If you have Splunk for VMware Beta 2 running in your environment, select the upgrade path that most suits your needs:

  • Perform a new installation of the 1.0GA release: We highly recommend performing a new installation of the 1.0 release. It is the most direct path to follow. Splunk for VMware 1.0 contains configuration tools that automatically construct your configuration files. Before installing, clean up your existing Splunk for VMware environment (see instructions below). See the Installation and Configuration Guide to install the latest software.
  • Perform an in-place upgrade with our help: We are happy to help you upgrade. To get help upgrading to Splunk for VMware 1.0 GA, see How to get help.
  • Perform an in-place upgrade on your own: When performing an in-place upgrade you don't have to re-deploy and configure the FA VM. This can be a big saving in terms of time and cost in some environments. Do a new install of the other solution components (the Splunk App for Vmware and Splunk TA-vcenter) for 1.0.

Upgrade instructions

To upgrade Splunk for VMware:

  1. Clean up your existing Splunk for VMware environment. For instructions on how to do this, see Clean up your Splunk for VMware installation in this topic.
    IMPORTANT: Do not shutdown and de-commission the FA VM. Skip this step.
  2. To install the latest version of the Splunk App for VMware, see Install the App.
  3. To install the latest version of the Splunk Technology Add-on for VMware vCenter (formerly “Splunk Add-on for vCenter”), see Install the vCenter Add-on.
  4. Upgrade the FA VM in-place:
    1. Run enginebuilder.py to create new configuration files to work with this software release. Follow the procedure outlined in Configure data collection. To learn more, see enginebuilder.py in this manual. We do not recommend using your old configuration files.
    2. Clean the FA VM:
      splunk clean all -f
    3. Start splunk:
      splunk start
    4. Your FA VM is now upgraded and running.


To manually upgrade the FA VM:

  1. Log into your FA VM as the “splunkadmin” user.
  2. Stop splunk:
    splunk stop
  3. If you modified configuration files in the FA Add-on(engine.conf and inputs.conf), copy the contents of the directory $SPLUNK_HOME/etc/apps/splunk_for_vmware_appliance/local, where the custom configuration files reside, to a temporary location so that your changes will be preserved.
  4. Remove the entire FA Add-on directory and all of its sub-directories. The FA Add-on is located in $SPLUNK_HOME/etc/apps/splunk_for_vmware_appliance.
  5. Download the “Splunk Technology Add-on for VMware” from Splunkbase and transfer it to the FA VM.
  6. Unzip the contents into $SPLUNK_HOME/etc/apps. This creates a $SPLUNK_HOME/etc/apps/Splunk_TA_vmware directory.
  7. Copy configuration files saved earlier into the >code>$SPLUNK_HOME/etc/apps/Splunk_TA_vmware/local directory.

Important: If you increase the amount of data that you are collecting with the FA VM (for example, by adding more VCs and/or ESX/i hosts into your engine.conf files), you must check the resource requirements for the FA VM and increase the amount of CPU and memory resources available to your FA VM to support the load. For more information, see System Requirements in the Splunk for VMware Installation and Configuration Guide.

Clean up older versions of Splunk for VMware

If you have a version of Splunk for VMware prior to the 1.0GA release installed and deployed in your environment, remove it and clean up your installation before you deploy Splunk for VMware 1.0GA.

Remove the Splunk App for VMware

To remove the Splunk App for VMware from all of your search heads/indexers:

  1. Stop Splunk on all search heads/indexers where the Splunk App for VMware was installed.
  2. Copy your $SPLUNK_HOME/etc/apps/splunk_for_vmware/local directory to a temporary location. The local directory contains all of teh customizations that you made in the App (custom views, saved searches, macros, and so on).
  3. Go to $SPLUNK_HOME/etc/apps/splunk_for_vmware to locate the App and remove the entire App directory and all of its sub-directories on all of your search heads / indexers.
  4. Remove all of the old VMware data on all of your search heads/indexers:
    splunk clean eventdata vmware -f
  5. You can now install Splunk for VMware 1.0 on your search heads/indexers. See the Splunk for VMware Installation and Configuration Guide for detailed instructions. If you do not want to install Splunk for VMware, you can start your Splunk instance on all of your search heads/indexers now.

Remove the Splunk Add-on for vCenter

To remove the Splunk Add-on for vCenter from your vCenter Server forwarders:

  1. On the vCenter Server machines where the previous Splunk Add-on for vCenter version was installed, shut down the Splunk forwarder.
  2. If you created an inputs.conf.template file (containing your VC instance name) in $SPLUNK_HOME/etc/apps/splunk_for_vmware_vcenter/local, copy it to a temporary location.
  3. Remove the entire Add-on directory, $SPLUNK_HOME/etc/apps/splunk_for_vmware_vcenter , and all of its sub-directories on all of your vCenter Servers.
  4. You can now install Splunk for VMware 1.0 on your vCenter forwarders. See the Splunk for VMware Installation and Configuration Guide for instructions on how to do this. If you do not want to install Splunk for VMware 1.0, start the Splunk forwarder on all of your vCenter Servers now.

Shut down and de-commission the Splunk FA VM

To shut down and de-commission the Splunk FA VM:

  1. Log into the FA VM as the “splunkadmin” user.
  2. Stop splunk in the FA VM:
    splunk stop
  3. Copy all custom configurations that you made in your FA VM (for example, outputs.conf, engine.conf, inputs.conf) and save a copy of your “local” config files to a temporary location. You can find all the files in #: $SPLUNK_HOME/etc/apps/splunk_for_vmware/local or $SPLUNK_HOME/etc/system/local.
  4. Shutdown the OS and halt operation:
    sudo shutdown –h now
  5. Your previous FA VM version is now de-commissioned and you can deploy a new version of the FA VM. See the Splunk for VMware Installation and Configuration Guide for instructions on how to install Splunk for VMware 1.0.
Last modified on 26 September, 2012
Where to get Splunk for VMware   How to get help with Splunk App for VMWare

This documentation applies to the following versions of Splunk® App for VMware (Legacy): 1.0

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters