Splunk® Content Packs for ITSI and IT Essentials Work

Splunk Content Packs for ITSI and IT Essentials Work

Acrobat logo Download manual as PDF

Acrobat logo Download topic as PDF

Install and configure the Content Pack for VMware Monitoring

Perform the following high-level steps to configure the Content Pack for VMware Monitoring:

  1. Install and configure the Splunk Add-on for VMware Metrics
  2. Install the Content Pack for VMware Monitoring
  3. Review and tune the VMware KPI base searches
  4. Review and tune the KPI thresholds
  5. Turn the simple service tree into a complex tree


Create a full backup of your ITSI environment in case you need to uninstall the content pack later. For more information, see Create a full backup in the Administer Splunk IT Service Intelligence manual.

Step 1: Install and configure the Splunk Add-on for VMware Metrics

To bring the metrics data for these data sources into ITSI, you must download the Splunk Add-on for VMware Metrics from Splunkbase and install it prior to installing the content pack. For instructions, see Installation and configuration overview for the Splunk Add-on for VMware Metrics in the Splunk Add-on for VMware Metrics manual.

Step 2: Install the content pack

The Content Pack for VMware Monitoring is automatically available for installation once you have installed the Splunk App for Content Packs on the search head with ITSI 4.8.0 or higher. For steps to install the Splunk App for Content Packs, go to the installation instructions for the Splunk App for Content Packs. After you install the Splunk App for Content Packs, you can follow these steps install the content pack:

  1. From the ITSI main menu, click Configuration > Data Integrations.
  2. Click Add structure to your data.
  3. Select the VMware Monitoring content pack.
  4. Review what's included in the content pack and then click Proceed.
  5. Configure the settings:
    • Choose which objects to install: For a first-time installation, select the items you want to install and deselect any you're not interested in. For an upgrade, the installer identifies which objects from the content pack are new and which ones already exist in your environment from a previous installation. You can selectively choose which objects to install from the new version or install all objects.
    • Choose a conflict resolution rule for the objects you install: For upgrades or subsequent installs, decide what happens to duplicate objects introduced from the content pack. Choose from these options:
      • Install as new: Any existing identical objects in your environment remain intact.
      • Replace existing: Existing identical objects are replaced with those from the new installation. Any changes you previously made to these objects are overwritten.
    • Import as enabled: Select whether to install objects as enabled or leave them in their original state. We recommend that you import objects as disabled to ensure your environment doesn't break from the addition of new content. This setting only applies to services, correlation searches, and aggregation policies. All other objects such as KPI base searches and saved searches are installed in their original state regardless of the option you choose.
    • Add a prefix to your new objects: Optionally, append a custom prefix to each object installed from the content pack. For example, you might prefix your objects with CP- to indicate they came from a content pack. This option can help you locate and manage the objects after installation.
    • Backfill service KPIs: Optionally backfill your ITSI environment with the previous seven days of KPI data. Consider enabling backfill if you want to configure adaptive thresholding and predictive analytics for the new services. This setting only applies to KPIs, not service health scores.
  6. When you've made your selections, click Install selected.
  7. Click Install to confirm the installation. When the installation completes you can view all objects that were installed in your environment. A green checkmark on the Data Integrations page indicates which content packs you've already installed.

Step 3: Review and tune the VMware KPI base searches

Within ITSI, go to Configuration > KPI Base Searches and review the following KPI base searches shipped with this content pack:

  • VMware ESXi
  • VMware vCenter
  • VMware Virtual Machines

If you're not using the default indexes used by Splunk_TA_VMware, you need to edit the search strings for each base search to match your index structure.

The KPI base searches are specifically optimized for use with data from the Splunk Add-on for VMware Metrics. They all run every minute with a five-minute lookback, using only the latest value on a per-entity basis. The 5-minute lookback ensures that you won't see N/A for less frequent data. The combination of "every-minute" and "latest" means that for data collected more frequently, the KPI status is updated as quickly as possible. Tune each base search to run at a frequency matching your data collection interval.

Step 4: Review and tune the KPI thresholds

The KPIs in each service template are tied to the VMware KPI base searches and have thresholds representing best practices. KPI thresholds are set to use Normal / Low / Medium at the aggregate level. Per-entity thresholds do not exceed Medium except for available disk space. The use of lower threshold levels for monitoring allows application-level KPIs to take a more prominent threshold level. For example, a server at 100% CPU isn't a critical issue if the apps running on that server are responding as they should.

You must tune these threshold values according to your environment. Use the corresponding linked services to validate your thresholds. For more information, see Configure KPI thresholds in ITSI in the Service Insights manual.

Step 5: Turn the simple service tree into a complex tree

Once you install the content pack and configure the thresholds in your VMware services, the service topology tree looks something like this:


You can further break down hypervisors monitoring by datacenter and cluster. You can't break down virtual machines unless you modify the base search. When designing your topology tree, your goal is to create a service mapping to a pool of resources, with the intent that ITSI monitors the individual entities within this resource pool using entity thresholds. It's best to not create hundreds of services. Larger groupings of similar types of entities is sufficient.

Import additional services through CSV files and link them to the corresponding service templates included in this content pack. For more information about importing entities and services from a CSV file, see the following topics:

For example, the following CSV import yields a more comprehensive service topology view:


Last modified on 12 October, 2021
Release notes for the Content Pack for VMware Monitoring
About the Content Pack for Windows Dashboards and Reports

This documentation applies to the following versions of Splunk® Content Packs for ITSI and IT Essentials Work: current

Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters