Install the Splunk Add-on for VMware in an on-premises environment
The Splunk Add-on for VMware performs several data collection and enrichment tasks. This guide takes you through installing the Splunk Add-on for VMware and its prerequisite add-ons in preparation for configuring data collection.
- Upload the Splunk_TA_vmware and SA-Hydra packages from Splunk Add-on for VMware to the data collection nodes.
- Upload the Splunk_TA_vmware and SA-Hydra packages from Splunk Add-on for VMware to the data collection scheduler.
- Upload the packages from the Splunk Add-on for VMware Indexes, Splunk Add-on for vCenter Logs, and Splunk Add-on for VMware ESXi Logs add-ons to the indexer(s).
- Add the packages from the Splunk Add-on for vCenter Logs, Splunk Add-on for VMware ESXi Logs, and Splunk Add-on for VMware Extractions to the search head(s).
- Add add-on components to forwarders (for log collection).
- Create a distributed collection scheduler. Data collection for VMware requires complex job management for connecting to and polling data from your environment. The scheduler is a Splunk component used to manage data collection jobs between your data collection nodes.
This table outlines a distributed deployment installation of the Splunk Add-on for VMware and its prerequisite add-ons. For single deployments, all components have to be installed on your single Splunk platform instance. The Splunk Add-on for VMware can't be installed using Splunk Web.
Splunkbase | Component | Search head | Scheduler (DCS) | Indexer | Data Collection Node (DCN) | Dedicated ESXi log forwarder | Dedicated vCenter log forwarder |
---|---|---|---|---|---|---|---|
Splunk Add-on for VMware | Splunk_TA_vmware |  | X |  | X |  |  |
Splunk Add-on for ESXi Logs | Splunk_TA_esxilogs | X |  | X |  | X |  |
Splunk Add-on for vCenter Logs | Splunk_TA_vcenter | X |  | X | Optional* |  | X |
Splunk Add-on for VMware Indexes | SA-VMWIndex |  |  | X |  |  |  |
Splunk Add-on for VMware Extractions | TA-VMW-FieldExtractions | X |  |  |  |  |  |
(*) Depending on your specific configuration, you might also need Splunk_TA_vcenter to collect vCenter data.
Upload the Splunk Add-on for VMware to your Data Collection Nodes
If this is an upgrade from a previous version of the Splunk Add-on for VMware, see the following steps. Otherwise, you will need to configure data collection nodes to connect to and poll data from your VMware vCenters. Steps for setting up a Data Collection node can be found here.
- Stop your Splunk platform instance on each of your DCNs.
- Upload Splunk_TA_vmware and SA-Hydra to each of your DCNs.
- Restart your Splunk platform instance on each of your DCNs.
Upload the prerequisite add-on for Splunk Add-on for VMware to your search heads
If you are installing the Splunk Add-on for VMware on a search head cluster in a distributed deployment, you have to use a dedicated scheduler. To deploy the add-ons listed below, follow the guidance in Install an add-on in a distributed Splunk Enterprise deployment.
- Stop your Splunk platform instance.
- If you are using a search head cluster, extract the packages Splunk Add-on for VMware ESXi Logs (Splunk_TA_esxilogs), Splunk Add-on for vCenter Logs (Splunk_TA_vcenter), and Splunk Add-on for VMware Extractions (TA-VMW-FieldExtractions) from Splunkbase to $SPLUNK_HOME/etc/shcluster/apps/ on the deployer.
- If you are not using a search head cluster, extract and upload the Splunk Add-on for VMware ESXi Logs (Splunk_TA_esxilogs), Splunk Add-on for vCenter Logs (Splunk_TA_vcenter), and Splunk Add-on for VMware Extractions (TA-VMW-FieldExtractions) packages from Splunkbase to $SPLUNK_HOME/etc/apps.
Note: No packages from Splunk Add-on for VMware are required on the search head.
- Restart your Splunk platform instance.
Note: The Hydra troubleshooting dashboards are now part of the Splunk Add-on for VMware Extractions. So, the SA-Hydra package isn't required on the search head for v4.0.3.
Update the default character count limitations for the search commands
The Splunk Add-on for VMware collects VMware infrastructure inventory data. Because the collected JSON inventory data can be very long, it might exceed the default length limit of 5000 characters. Complete the following steps to change the character length limit:
For search head cluster deployments
- Create a new file with the name limits.conf in the $SPLUNK_HOME/etc/shcluster/apps/TA-VMW-FieldExtractions/local directory on the deployer.
- Add the following stanza to the limits.conf file:

    [spath]
    # number of characters to read from an XML or JSON event when auto extracting
    extraction_cutoff = 20000
    extract_all = true

- Push the app bundle from the deployer. The deployer restarts all the search head cluster members after the upgrade is applied. If the deployer does not restart the search head cluster members, perform a rolling restart.
For dedicated search head deployments
- Create a new file with the name limits.conf in the $SPLUNK_HOME/etc/apps/TA-VMW-FieldExtractions/local directory on the search head.
- Add the following stanza to the limits.conf file:

    [spath]
    # number of characters to read from an XML or JSON event when auto extracting
    extraction_cutoff = 20000
    extract_all = true

- Restart the Splunk instance.
Upload the prerequisite add-on for Splunk Add-on for VMware to your indexer cluster deployment
- Enable maintenance mode on the indexer master node.
- Download and extract the components of the Splunk Add-on for VMware Indexes (SA-VMWIndex), the Splunk Add-on for VMware ESXi Logs (Splunk_TA_esxilogs), and the Splunk Add-on for vCenter Logs (Splunk_TA_vcenter) to etc/master-apps on the indexer master node.
- Restart the indexer master node.
- Push the configuration bundle from the indexer master node.
Upload the prerequisite add-on for the Splunk Add-on for VMware to non-clustered indexer(s)
- Stop your Splunk indexer instance.
- Download and extract the components of the Splunk Add-on for VMware Indexes (SA-VMWIndex), the Splunk Add-on for VMware ESXi Logs (Splunk_TA_esxilogs), and the Splunk Add-on for vCenter Logs (Splunk_TA_vcenter) to etc/apps.
- Restart your Splunk indexer instance.
Upload the prerequisite add-on for the Splunk Add-on for VMware to forwarders
Collect logs from VMware vCenter and ESXi hosts by sending them through an intermediate forwarder or directly to your Splunk indexers.
Skip this step if you are forwarding logs directly to Splunk indexers from your ESXi hosts and vCenter Servers.
- Stop the forwarder.
- On the forwarder, under splunkforwarder/etc/apps, upgrade Splunk Add-on for VMware ESXi Logs (Splunk_TA_esxilogs) and Splunk Add-on for vCenter Logs (Splunk_TA_vcenter).
- The new add-on package includes props.conf and inputs.conf changes for vclogs, so you must update the /local directory with these two files and enable the appropriate stanzas.
- Make sure that etc/system/local/outputs.conf contains server entries to forward logs to your indexer(s).
- Restart the forwarder.
Upload Splunk Add-on for VMware to your scheduler
The scheduler is the instance of Splunk that manages connections to the Data Collection Nodes and manages data collection jobs across your DCNs and vCenters. For production environments, the scheduler should not be on the same search head as your VMware App. We recommend using a license server, distributed management console, or a standalone Splunk instance as your scheduler.
- Stop the scheduler.
- The collection configuration UI is now present in TA VMware: upload Splunk_TA_vmware and SA-Hydra to etc/apps.
- Start the scheduler.
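
A placement check for a distributed deployment, as an added example that is not part of the Splunk documentation: it verifies that an apps directory carries the packages the steps above assign to a role, and that a search head has the raised spath limit. The function names and role labels (dcn, scheduler, search_head, indexer) are hypothetical, and the apps directory is passed in so the check works for etc/apps, etc/shcluster/apps or etc/master-apps.

```shell
#!/bin/sh
# Added example: audit an apps directory against the package placement this
# page describes for a distributed deployment. Function and role names are
# hypothetical helpers, not Splunk tooling.

# Packages the install steps put on each role.
required_for() {
  case "$1" in
    dcn|scheduler) echo "Splunk_TA_vmware SA-Hydra" ;;
    search_head)   echo "Splunk_TA_esxilogs Splunk_TA_vcenter TA-VMW-FieldExtractions" ;;
    indexer)       echo "SA-VMWIndex Splunk_TA_esxilogs Splunk_TA_vcenter" ;;
    *) return 1 ;;
  esac
}

# Print extraction_cutoff from the [spath] stanza of a limits.conf, if set.
spath_cutoff() {
  [ -f "$1" ] || return 0
  awk -F= '/^\[/ { in_spath = ($0 ~ /^\[spath\][ \t]*$/) }
           in_spath && $1 ~ /^[ \t]*extraction_cutoff[ \t]*$/ {
             gsub(/[ \t]/, "", $2); print $2 }' "$1"
}

# audit_role ROLE APPS_DIR: prints findings; returns 0 only when clean.
audit_role() {
  role=$1; apps=$2; rc=0
  req=$(required_for "$role") || { echo "unknown role: $role"; return 2; }
  for pkg in $req; do
    [ -d "$apps/$pkg" ] || { echo "MISSING $pkg"; rc=1; }
  done
  if [ "$role" = search_head ]; then
    # The page notes these two are not required on the search head.
    for pkg in Splunk_TA_vmware SA-Hydra; do
      if [ -d "$apps/$pkg" ]; then echo "NOT_REQUIRED $pkg"; rc=1; fi
    done
    # Search heads also need the raised spath limit (20000 on this page).
    cutoff=$(spath_cutoff "$apps/TA-VMW-FieldExtractions/local/limits.conf")
    [ "${cutoff:-0}" -ge 20000 ] 2>/dev/null ||
      { echo "LIMITS extraction_cutoff=${cutoff:-unset}"; rc=1; }
  fi
  return $rc
}
```

Call it as `audit_role search_head "$SPLUNK_HOME/etc/apps"` on each instance after the restart step; a non-zero return means at least one finding was printed.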
This documentation applies to the following versions of Splunk® Supported Add-ons: released