Splunk® App for VMware (Legacy)

Installation Guide

On August 31, 2022, the Splunk App for VMware will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for VMware Dashboards and Reports.
This documentation does not apply to the most recent version of Splunk® App for VMware (Legacy). For documentation on the most recent version, go to the latest release.

Upgrade to Splunk App for VMware 3.4.4

Step 1: Download the files from Splunkbase

  1. Download the Splunk App for VMware version 3.4.4 from Splunkbase to a location in your environment.
  2. Download the Splunk Add-on for for VMware version 3.4.4 from Splunkbase to a location in your environment.
  3. Download the Splunk OVA for VMware version 3.4.4 from Splunkbase to a location in your environment.

Step 2: Upgrade scheduler

Note: Make sure splunk_vmware_admin role has admin_all_objects capability.

  1. Stop your Scheduler. You can do this by stopping the Splunk platform on your Splunk search head, or you can stop the scheduler in the Collection Configuration page of your deployment.
  2. Overwrite splunk_TA_vmware, SA-Hydra and SA-VMNetAppUtils on your scheduler with new versions.
  3. Delete splunk_for_vmware, Splunk_TA_esxilogs, Splunk_TA_vcenter, SA-VMW-Performance, SA-VMW-LogEventTask, SA-VMW-HierarchyInventory, SA-VMWIndex and TA-VMW-FieldExtractions from your scheduler.
  4. (Optional) If you are using your scheduler to collect data and want to keep the Splunk App for VMware running, then install and upgrade all app components.

Step 3: Upgrade forwarder (DCN)

Note: Make sure splunk_vmware_admin role has admin_all_objects capability.

  1. Verify that your DCN components are the same as the components on your vCenter.
  2. (Optional) If your DCN is on version 6.2.x or earlier, upgrade your DCN's Splunk platform to version 7.0.0 and higher.
  3. Overwrite versions of Splunk_TA_vmware, SA-Hydra, SA-VMNetAppUtils and Splunk_TA_esxilogs on each data collection node with new versions.

Step 4: Upgrade indexer

  1. Enable maintenance mode on cluster master node.
  2. Navigate to the apps folder for your deployment (etc/apps for non-indexer cluster deployments, and etc/master-apps for indexer clustering deployments) and overwrite splunk_TA_esxilogs, splunk_TA_vcenter, and SA-VMWIndex on the cluster master node with new versions.
  3. Remove SA-Hydra, SA-VMNetAppUtils, Splunk_TA_vmware, and TA-VMW-FieldExtraction, if present.
  4. Push configuration bundle from cluster master node.

Step 5: Upgrade search head

Note: Make sure splunk_vmware_admin role has admin_all_objects capability.

For search head cluster deployments

  1. Upgrade all the components on search head deployer. Components are located in etc/apps.
  2. Copy the local folder from etc/apps/Splunk_TA_vmware from Search head to etc/shcluster/apps/TA-VMW-FieldExtractions on deployer.
  3. Delete Splunk_TA_vmware from etc/shcluster/apps/ on your deployer.
  4. Delete savedsearches.conf and tsidx_retention.conf from etc/shcluster/apps/SA-VMW-Performance/default/ on your deployer before applying the upgrade bundle.
  5. Push app bundle from deployer. The deployer will restart all the search head cluster members after the upgrade is applied. If deployer does not restart the search head cluster members, perform a rolling restart.

For dedicated search head deployments

  1. Upgrade all the components on Search head. Components are located in etc/apps.
  2. Copy the local folder from Splunk_TA_vmware to TA-VMW-FieldExtractions from etc/apps on Search head.
  3. Delete Splunk_TA_vmware from etc/apps/.
  4. Delete savedsearches.conf and tsidx_retention.conf from etc/apps/SA-VMW-Performance/default/ on your Search head.
  5. Splunk restart on Search head.

Step 6: Upgrade the forwarder on your vCenter server(s) This applies only to Windows-based vCenter servers - not vCSA.

  1. Stop your Splunk forwarder.
  2. On your vCenter server, navigate to splunkforwarder/etc/apps, and overwrite Splunk_TA_vcenter.
  3. Delete your local directory.
  4. Copy inputs.conf to local and enable stanza as per the vCenter server in this environment.
  5. Confirm under etc/system/local/output.conf, server entries to forward vclogs are present.
  6. Restart your forwarder.

Note: If you forward logs directly to Splunk indexes, or use an intermediate syslog forwarder, you do not need to set the inputs for vCenter logs.

Step 7: Start the scheduler

  1. Navigate to the Collection Configuration page of the Splunk Add-on for VMware on your scheduler.
  2. Start your scheduler.

Validate the Splunk App for VMware upgrade on your search head

Validate that you correctly upgraded the Splunk App for VMware to the latest version and that the app can collect data.

  1. Log in to the Splunk App for VMware on your search head.
  2. When the app displays the Splunk for VMware Setup page, select the Delete all deprecated Add-ons checkbox under Disable/delete old add-ons. The app removes all legacy add-ons from the installation. This removes saved searches of SA-VMW-Performance that are no longer in use.
  3. Save your configurations, and restart your Splunk platform deployment.

Manually remove legacy add-ons

If you launched Splunk App for VMware but did not check Delete all deprecated Add-ons on the setup page, you can manually remove the legacy add-ons from your installation.

  1. Stop the Splunk platform on your search head.
  2. Delete the hydra_job.conf file in the $SPLUNK_HOME/etc/apps/Splunk_TA_vmware/local folder on the Splunk Search head.
  3. Remove the SA-VMW-Licensecheck folder from the $SPLUNK_HOME/etc/apps folder on your Splunk search head. Do this for each server upon which you installed the Splunk App for VMware.
  4. The below table shows the specific legacy add-ons, located in the $SPLUNK_HOME/etc/apps/Splunk_TA_vmware/local folder of the Splunk App for VMware, to delete when upgrading:
    • DA-VMW-HierarchyInventory
    • DA-VMW-LogEventTask
    • DA-VMW-Performance
    • SA-VMW-Licensecheck
  5. Restart your Splunk platform.

Additional information

See "Platform and Hardware Requirements" in this manual for supported Splunk platform versions for this release. See "How to upgrade Splunk Enterprise" to upgrade to a new version of the Splunk platform.

For information on upgrading from tsidx namespaces to data model acceleration, see the "Upgrade from tsidx namespaces to data model acceleration" section of the troubleshooting section of this manual.

Last modified on 01 May, 2019
Troubleshoot Splunk App for VMware  

This documentation applies to the following versions of Splunk® App for VMware (Legacy): 3.4.4


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters