Splunk® Supported Add-ons

Splunk Add-on for VMware


Upgrade to the Splunk Add-on for VMware 4.0.2

If you have not removed uuid.py from the scheduler or DCN, the hydra logs show the following error: ImportError: bad magic number in 'uuid': b'\x03\xf3\r\n'. The error is described in Troubleshoot the Splunk Add-on for VMware and requires you to manually delete the pyc file.

Step 1: Download the files from Splunkbase

  1. Download the Splunk Add-on for VMware version 4.0.2 from Splunkbase to a location in your environment.
  2. Download the Splunk OVA for VMware version 4.0.2 from Splunkbase to a location in your environment.

Step 2: Upgrade scheduler

You can upgrade the scheduler using a script or manually.

Upgrade using a script

Make sure the splunk_vmware_admin role has the admin_all_objects capability.

  1. Download the script file: File:Upgade from VMware Event TA 400 401 to 402.zip.
  2. Unzip it to get the upgrade script.
  3. Put the upgrade script on the scheduler machine.
  4. Stop the scheduler. You can stop the scheduler in the Collection Configuration page of your scheduler machine.
  5. Stop Splunk on the scheduler instance.
  6. Extract the contents of the Splunk Add-on for VMware to the $SPLUNK_HOME/etc/apps directory. Extracting the package contents overwrites the Splunk_TA_vmware and SA-Hydra packages.
  7. Go to $SPLUNK_HOME/etc/apps and remove the following directories:
    1. SA-VMWIndex
    2. TA-VMW-FieldExtractions
    3. Splunk_TA_vcenter
    4. Splunk_TA_esxilog
  8. Run the upgrade script using Python. Use the following command to run the script:

$SPLUNK_HOME/bin/splunk cmd python upgrade_script_event_TA.py

You'll see a message saying that the Add-on upgraded successfully. In case of errors, refer to the upgrade_event_TA.log file in the $SPLUNK_HOME/var/log/splunk directory.

Upgrade manually

  1. Stop the scheduler. You can stop the scheduler in the Collection Configuration page of your scheduler machine.
  2. Stop Splunk on the scheduler instance.
  3. Extract the contents of the Splunk Add-on for VMware to the $SPLUNK_HOME/etc/apps directory. Extracting the package contents overwrites the Splunk_TA_vmware and SA-Hydra packages.
  4. Go to $SPLUNK_HOME/etc/apps and remove the following directories:
    1. SA-VMWIndex
    2. TA-VMW-FieldExtractions
    3. Splunk_TA_vcenter
    4. Splunk_TA_esxilog
  5. In the $SPLUNK_HOME/etc/apps directory, replace the version 4.0.1 parameter names in the ta_vmware_collection.conf file with the version 4.0.2 parameter names listed in this table:

| Parameter name in Splunk Add-on for VMware version 4.0.1 | Parameter name in Splunk Add-on for VMware version 4.0.2 |
| --- | --- |
| managed_host_whitelist | managed_host_includelist |
| managed_host_blacklist | managed_host_excludelist |
| vm_metric_whitelist | vm_metric_allowlist |
| vm_metric_blacklist | vm_metric_denylist |
| host_metric_whitelist | host_metric_allowlist |
| host_metric_blacklist | host_metric_denylist |
| cluster_metric_whitelist | cluster_metric_allowlist |
| cluster_metric_blacklist | cluster_metric_denylist |
| rp_metric_whitelist | rp_metric_allowlist |
| rp_metric_blacklist | rp_metric_denylist |
| vm_instance_whitelist | vm_instance_allowlist |
| vm_instance_blacklist | vm_instance_denylist |
| host_instance_whitelist | host_instance_allowlist |
| host_instance_blacklist | host_instance_denylist |
| cluster_instance_whitelist | cluster_instance_allowlist |
| cluster_instance_blacklist | cluster_instance_denylist |
| rp_instance_whitelist | rp_instance_allowlist |
| rp_instance_blacklist | rp_instance_denylist |
| perf_entity_blacklist | perf_entity_denylist |
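
The manual rename in step 5 can be done mechanically. The following is an added example, not part of the Splunk documentation or of the upgrade script it refers to: it renames only setting names (never values or comments) and reports any other key still ending in whitelist or blacklist. The function name migrate_conf and the sample stanza, keys and values are constructed for illustration.

```python
import re

# 4.0.1 -> 4.0.2 parameter renames, built from the table in step 5.
RENAMES = {
    "managed_host_whitelist": "managed_host_includelist",
    "managed_host_blacklist": "managed_host_excludelist",
    "perf_entity_blacklist": "perf_entity_denylist",
}
for prefix in ("vm", "host", "cluster", "rp"):
    for kind in ("metric", "instance"):
        RENAMES[f"{prefix}_{kind}_whitelist"] = f"{prefix}_{kind}_allowlist"
        RENAMES[f"{prefix}_{kind}_blacklist"] = f"{prefix}_{kind}_denylist"

# A setting line is "<key> = <value>"; comment lines ("# ...") and
# stanza headers ("[name]") do not match and pass through untouched.
KEY_LINE = re.compile(r"^(\s*)([A-Za-z0-9_]+)(\s*=.*)$")
LEGACY_SUFFIX = re.compile(r"(white|black)list$")


def migrate_conf(text):
    """Return (new_text, renamed_keys, leftover_legacy_keys)."""
    out, renamed, leftovers = [], [], []
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            indent, key, rest = m.groups()
            if key in RENAMES:
                renamed.append(key)
                line = indent + RENAMES[key] + rest
            elif LEGACY_SUFFIX.search(key):
                # Not in the table: leave it alone, but surface it for review.
                leftovers.append(key)
        out.append(line)
    return "\n".join(out) + "\n", renamed, leftovers


# Constructed sample input; stanza name, values and custom_blacklist are made up.
SAMPLE = """[default]
# managed_host_whitelist is documented here
managed_host_whitelist = esx-0[1-3]
vm_metric_blacklist = .*whitelist_test.*
host_instance_allowlist =
custom_blacklist = x
"""

if __name__ == "__main__":
    new_text, renamed, leftovers = migrate_conf(SAMPLE)
    print(new_text)
    print("renamed:", renamed)
    print("still using legacy naming:", leftovers)
```

Run it against a copy of ta_vmware_collection.conf while Splunk is stopped, and compare the output with the original before replacing the file.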

Step 3: Upgrade forwarder (DCN)

Make sure the splunk_vmware_admin role has the admin_all_objects capability.

  1. Stop Splunk on the DCN machine.
  2. Extract the contents of the Splunk add-on for VMware to the $SPLUNK_HOME/etc/apps directory. Extracting the package contents overwrites the add-on packages installed previously.
  3. Go to $SPLUNK_HOME/etc/apps and remove the following directories:
    1. SA-VMWIndex
    2. TA-VMW-FieldExtractions
    3. If you are forwarding the vCenter logs to the indexer directly, remove the Splunk_TA_vcenter directory. If you are forwarding the ESXi logs to the indexer directly, remove the Splunk_TA_esxilogs directory.

Step 4: Upgrade indexer (Optional)

  1. Enable maintenance mode on the cluster master node.
  2. Navigate to the apps folder for your deployment (etc/apps for non-indexer cluster deployments, and etc/master-apps for indexer clustering deployments) and overwrite Splunk_TA_esxilogs, Splunk_TA_vcenter, and SA-VMWIndex on the cluster master node with the new versions.
  3. If you are forwarding VC logs and ESXi logs to the DCN machine, remove the Splunk_TA_vcenter directory. If you are forwarding the ESXi logs to the DCN, remove the Splunk_TA_esxilogs directory.
  4. Push the configuration bundle from the cluster master node if you set up an indexer cluster.

Step 5: Upgrade the forwarder on your vCenter server(s)

This applies only to Windows-based vCenter servers - not vCSA.

Stop your Splunk forwarder.

  1. Extract the contents of the Splunk Add-on for VMware package to splunkforwarder/etc/apps. This overwrites the existing Splunk_TA_vcenter package.
  2. Remove the following packages from splunkforwarder/etc/apps:
    1. Splunk_TA_vmware
    2. SA-Hydra
    3. TA-VMW-FieldExtractions
    4. Splunk_TA_esxilogs
  3. Confirm that the server entries to forward vclogs are present in etc/system/local/outputs.conf.
  4. Restart your Splunk forwarder.

Step 6: Upgrade search head

For search head cluster deployments

  1. Extract the add-on package components to etc/shcluster/apps.
  2. Remove Splunk_TA_vmware and SA-VMWIndex from etc/shcluster/apps/ from your deployer.
  3. Push the app bundle from the deployer. The deployer restarts all the search head cluster members after the upgrade is applied. If the deployer does not restart the search head cluster members, perform a rolling restart.

For dedicated search head deployments

  1. Stop Splunk on the search head.
  2. Extract the add-on package components to etc/apps.
  3. Remove the Splunk_TA_vmware and SA-VMWIndex packages from etc/apps.
  4. Restart Splunk on the search head.

Step 7: Start the scheduler and the DCN

  1. Start Splunk on the DCN machine.
  2. Start Splunk on the scheduler machine.
  3. Navigate to the Collection Configuration page of the Splunk Add-on for VMware on your scheduler.
  4. Click the "Start Scheduler" button to start data collection.

Validate the Splunk App for VMware upgrade on your search head

Validate that you correctly upgraded the Splunk App for VMware to the latest version and that the app can collect data.

  1. Log in to the Splunk App for VMware on your search head.
  2. When the app displays the Splunk for VMware Setup page, select the Delete all deprecated Add-ons checkbox under Disable/delete old add-ons. The app removes all legacy add-ons from the installation. This removes saved searches of SA-VMW-Performance that are no longer in use.
  3. Save your configurations, and restart your Splunk platform deployment.

Manually remove legacy add-ons

If you launched Splunk App for VMware but did not check Delete all deprecated Add-ons on the setup page, you can manually remove the legacy add-ons from your installation.

  1. Stop the Splunk platform on your search head.
  2. Delete the hydra_job.conf file in the $SPLUNK_HOME/etc/apps/Splunk_TA_vmware/local folder on the Splunk Search head.
  3. Remove the SA-VMW-Licensecheck folder from the $SPLUNK_HOME/etc/apps folder on your Splunk search head. Do this for each server upon which you installed the Splunk App for VMware.
  4. The following list shows the specific legacy add-ons, located in the $SPLUNK_HOME/etc/apps/Splunk_TA_vmware/local folder of the Splunk App for VMware, to delete when upgrading:
    • DA-VMW-HierarchyInventory
    • DA-VMW-LogEventTask
    • DA-VMW-Performance
    • SA-VMW-Licensecheck
  5. Restart your Splunk platform.

Additional information

See "Platform and Hardware Requirements" in this manual for supported Splunk platform versions for this release. See "How to upgrade Splunk Enterprise" to upgrade to a new version of the Splunk platform.

For information on upgrading from tsidx namespaces to data model acceleration, see the "Upgrade from tsidx namespaces to data model acceleration" section of the troubleshooting section of this manual.

Last modified on 28 September, 2021
This documentation applies to the following versions of Splunk® Supported Add-ons: released

