Splunk® Supported Add-ons

Splunk Add-on for VMware

Hardware and software requirements for the Splunk Add-on for VMware

Current add-on version Supported versions of VMware vCenter Server Supported versions of Splunk Enterprise
4.1.0 v7.0 and v8.0 9.1.x, 9.2.x, 9.3.x
  • For Splunk Enterprise system requirements: see System Requirements in the Splunk Enterprise Installation Manual.
  • If you are managing on-premises forwarders to get data into Splunk Cloud, see System Requirements in the Splunk Enterprise Installation Manual, which includes information about forwarders.

Browser support

The Splunk Add-on for VMware supports the the latest version of the following browsers:

  • Firefox
  • Safari
  • Chrome

Data Collection Scheduler requirements

A Data Collection Scheduler (DCS) schedules jobs and manages DCNs that collects data from vCenter Servers. If you're deploying VMware data collection in a distributed search head environment, deploy a DCS on a dedicated Splunk Enterprise instance. You don't have to configure forwarding or receiving on the DCS.

Depending on your VMware vSphere environment, you may want to deploy more than one DCS.

These are the requirements to run a DCS:

Splunk Enterprise version Operating system
9.1.x RHEL 9.2, Windows Server 2022
9.2.x RHEL 9.2, Windows Server 2022
9.3.x RHEL 9.2, Windows Server 2022

User account permissions

When you integrate a VMware vCenter Server on a DCS, you have to provide credentials for a user account associated with the vCenter Server on the DCS. The DCS uses the user account credentials to detect ESXi servers in the vCenter Server, and to poll metrics, task, event, and inventory data.

To collect vCenter performance metrics, the user account you provide on the DCS needs to have these permissions:

  • System.Anonymous
  • System.Read
  • System.View

If you provide a user-defined role, it contains the System.Anonymous, System.Read, and System.View permissions, even if you don't associate them with the role manually.

Data Collection Node requirements

Each DCN runs worker processes to collect VMware data from vCenter servers. You can run N-1 worker processes, where N is the number of the DCNs available CPU cores. The DCN requires physical CPU cores, and can't benefit from simultaneous multithreading (SMT). Each worker process can manage 10 ESXi hosts and up to 30 virtual machines per host when collecting the default metrics. If the add-on is configured to collect all the metrics, maximum of 10 VMs can be assigned to 1 ESXi host.

<warning>You can configure maximum 8 worker processes (WP) on 1 DCN. If more than 8 WP are required to monitor your infrastructure, you can setup multiple DCNs reporting to the same DCS. Setting more than 8 WP on 1 DCN can lead to job expirations resulting in data loss.</warning>

Configuration Standard guideline per worker process
If the add-on not collecting instance level data 10 ESXi hosts and 30 VMs per ESXi host.
If the add-on is configured to collect instance level data.

When you collect all metrics, the number of metrics and instances might change according to the vCenter Server configuration, so it might require more resources.

10 ESXi hosts and 10 VMs per ESXi host

The following are the Splunk platform and operating system requirements to run a DCN if you don't use the Splunk OVA for VMware. For more information, see About the Splunk OVA for VMware:

Splunk Enterprise version Operating system
9.1.x RHEL 9.2, Windows Server 2022
9.2.x RHEL 9.2, Windows Server 2022
9.3.x RHEL 9.2, Windows Server 2022


About the Splunk OVA for VMware:

Data volume requirements

In a typical environment, approximately 250 MB and 350 MB of data can be collected per host per day from your environment. This number varies depending on the volume of log data you collect, and the number of virtual machines that reside on a host. See the information below for further details.

Collected data type Data volume
Total vCenter logs 15 MB of data per host per day per vCenter. For example, 750MB in a 50 host environment.
ESXi host logs 185 MB of data per host per day. (In a typical environment this number can range from 135MB to 235M of data, but it can vary widely depending on your environment).
Total API data per host 10 MB of data per host per day.
Total API data per virtual machine 3 MB of data per day.

Compatibility with pre-requisite add-on packages

The packages SA-VMWIndex, TA-VMW-FieldExtractions, Splunk_TA_esxilogs, Splunk_TA_vcenter that were included in add-on v4.0.2 or previous are now shipped as individual Splunkbase add-ons as of v4.0.3. Please refer to the table for the add-on version compatibility with the new packages. The given add-ons are pre-requisites for the Splunk Add-on For VMware. Below is the purpose of each add-ons:

  1. Splunk Add-on for VMware Indexes (contains SA-VMWIndex package): Contains the definition of indexes that are used by Splunk Add-on for VMware, Splunk Add-on for vCenter Logs, and Splunk Add-on for VMware ESXi Logs.
  2. Splunk Add-on for VMware Extractions (contains TA-VMW-FieldExtractions package): Contains the field extractions for the data ingested by Splunk Add-on for VMware and search-time extractions used in Splunk App for VMware.
  3. Splunk Add-on for VMware ESXi logs (contains Splunk_TA_esxilogs package): Contains inputs, search-time and Index-time extractions for the collection, parsing, and ingestion of VMware ESXi logs in the Splunk environment.
  4. Splunk Add-on for vCenter Logs (contains Splunk_TA_vcenter package): Contains the inputs, search-time and index-time extractions for the collection, parsing, and ingestion of vCenter logs in the Splunk environment.
Splunk Add-on for VMware version Compatible Splunk Add-on for VMware Indexes version Compatible Splunk Add-on for VMware Extractions version Compatible Splunk Add-on for VMware ESXi Logs version Compatible Splunk Add-on for VMware vCenter Logs version
4.0.3 4.0.3 4.0.3 4.2.1 4.2.1
4.0.4 4.0.3 4.0.3 4.2.1 4.2.1
4.0.5 4.0.3 4.0.3 4.2.1 4.2.1
4.0.6 4.0.3 4.0.3 4.2.1 4.2.1
4.1.0 4.0.3 4.0.3 4.2.1 4.2.1

Version compatibility

Compatible Splunk platform version Compatible Splunk Add-on for VMware version Compatible vCenter version Compatible vSphere version Compatible ESXi version Compatible SA-Hydra version
7.3.x to 8.2.0 4.0.2 6.0, 6.5, 6.7 6.0, 6.5, 6.7 6.0, 6.5, 6.7 4.1.5
8.0.x to 8.2.0 4.0.3 6.5, 6.7, 7.0 6.5, 6.7, 7.0 6.5, 6.7, 7.0 4.1.7
8.0.x to 9.0.0 4.0.4 6.5, 6.7, 7.0 6.5, 6.7, 7.0 6.5, 6.7, 7.0 4.1.8
8.1.x to 9.0.x 4.0.5 6.5, 6.7, 7.0 6.5, 6.7, 7.0 6.5, 6.7, 7.0 4.1.9
8.2.x to 9.1.x 4.0.6 7.0 7.0 7.0 4.1.10
9.1.x to 9.3.x 4.1.0 7.0, 8.0 7.0, 8.0 7.0, 8.0 4.1.10

Requirements for installing Splunk Add-on for VMware with other add-ons

The following requirements apply to installing Splunk Add-on for VMware and Splunk Add-on for VMware Metrics in the same environment:

Splunk Add-on for VMware Metrics version Splunk Add-on for VMware version Can DCS be installed on the same machine? Can DCN be installed on the same machine?
4.0.0 or later 3.4.7 Yes No
1.0.0, 1.1.0 or 1.1.1 (Splunk VMware Add-on for ITSI) 3.4.7 No No

The following requirements apply to installing Splunk Add-on for NetApp ONTAP and Splunk Add-on for VMware in the same environment:

Splunk Add-on for NetApp ONTAP version Splunk Add-on for VMware version Can DCS be installed on the same machine? Can DCN be installed on the same machine?
3.0.0 or later 3.4.6 or later No No
2.1.91 or before 3.4.5 or before Yes No
Last modified on 05 September, 2024
Release history for Splunk Add-on for VMware   Installation and configuration overview for the Splunk Add-on for VMware

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters