Splunk® App for Infrastructure (Legacy)

Install and Upgrade Splunk App for Infrastructure

This documentation does not apply to the most recent version of Splunk® App for Infrastructure (Legacy). For documentation on the most recent version, go to the latest release.

VMware data collection planning and requirements

Except as modified by statements on this page, all Splunk Enterprise system requirements apply to Splunk App for Infrastructure (SAI) deployments. For more information, see System requirements for use of Splunk Enterprise on-premises.

To install everything, see Install VMware data collection add-ons and dependencies. The SAI package doesn't contain any of the VMware data collection components. The Splunk IT Service Intelligence (ITSI) package contains all the VMware data collection components. The ITSI package contains the VMware data collection components because VMware data collection and monitoring in SAI requires an ITSI license.

If you're collecting VMware vCenter Server data and migrate Python versions, you have to update your Data Collection Node configuration. For more information, see Update a Data Collection Node after migrating Python versions.

License requirements

To configure VMware integrations, you need an ITSI license. Include an ITSI license on every Data Collection Scheduler (DCS) you use to integrate a VMware vCenter Server or Data Collection Node (DCN) in the Splunk App for Infrastructure (SAI) and every search head you use to monitor entities. For more information about ITSI licenses, see ITSI license requirements in the Install and Upgrade Splunk IT Service Intelligence guide.

Version compatibility

Splunk Enterprise VMware vSphere VMware vCenter Server VMware ESXi
7.2.x 6.0, 6.5, 6.7 6.0, 6.5, 6.7 6.0, 6.5, 6.7
7.3.x 6.0, 6.5, 6.7 6.0, 6.5, 6.7 6.0, 6.5, 6.7
8.0.x 6.0, 6.5, 6.7 6.0, 6.5, 6.7 6.0, 6.5, 6.7

Where to install VMware data collection components

This table provides the required install location for each VMware data collection component. You can forward data from a DCN either directly to an indexer or to an intermediary heavy forwarder. If you're running a single-instance deployment, the search head and indexer are on the same instance.

All of the VMware components are packaged in the vmware_ta_itsi parent directory of the Splunk IT Service Intelligence (ITSI) package you download from Splunkbase. You'll have to extract them from the directory and install them in the proper locations. For information about installing the components, see Install VMware data collection add-ons and dependencies.

Component Data Collection Scheduler (DCS) Data Collection Node (DCN) Indexer Notes
Splunk App for Infrastructure X Provides the UI for integrating VMware vCenter Servers and managing DCNs.
Splunk Add-on for Infrastructure X Handles props and transforms needed for indexed extractions. Also includes index creation for SAI.
Splunk_TA_vmware X X* Runs a Python-based API data collection engine and performs field extractions for VMware data.


*If you use the Splunk VMware OVA for ITSI to deploy a DCN, the DCN already has this component.

SA-Hydra X X* Schedules data collection jobs on a scheduler, and runs worker processes on a DCN.


*If you use the Splunk VMware OVA for ITSI to deploy a DCN, the DCN already has this component.

SA-VMWIndex X Creates indexes that store VMware data.
Splunk_TA_esxilogs X* X Handles log data collection from ESXi hosts.


*If you send syslog data to the DCN so the DCN forwards syslog data to the indexer tier.

Splunk_TA_vcenter X* X Handles vCenter data.


*If you send syslog data to the DCN so the DCN forwards syslog data to the indexer tier.

VMware indexes

VMWIndex creates these indexes.

Index Description
vmware-perf-metrics Stores metrics data from a vCenter Server.
vmware-inv Stores inventory data from a vCenter Server.
vmware-taskevent Stores task and event data from a vCenter Server.
vmware-vclog Stores vCenter Server log data.
vmware-esxilog Stores ESXi host log data.

Network port requirements

These are the ports you need to open to configure VMware data collection. The table includes the default Splunk ports. If you changed the Splunk ports, use those ports instead.

Sender Receiver Port Description
Data Collection Node Splunk indexer 9997 The Data Collection Node forwards data it collected from the vCenter Server using the API.
Data Collection Node vCenter Server 443 The Data Collection Node communicates with the vCenter Server API to execute data collection tasks it receives from the Data Collection Scheduler.
Data Collection Scheduler vCenter Server 443 The Data Collection Scheduler connects to the vCenter Server to confirm that the vCenter Server credentials are valid. It also uses this port to discover the number of managed ESXi hosts in the vCenter Server.
Data Collection Scheduler Data Collection Node 8008 The Data Collection Scheduler allocates data collection jobs to the Data Collection Node.
VMware add-on in the ITSI package Data Collection Node 8089 The add-on connects to the Data Collection Node on the Splunk management port. The default Splunk management port is listed.

Data Collection Node requirements and limits

Each Data Collection Node (DCN) runs worker processes to collect VMware data from vCenter Servers. You can run N - 1 worker processes, where N is the number of the DCN's available CPU cores, up to 30 worker processes. The DCN requires physical CPU cores, and can't benefit from simultaneous multithreading (SMT). Each worker process can manage up to 250 virtual machines and 10 ESXi hosts.

If you deploy a DCN manually, the operating system you use has to be CentOS 6 or 7.

With Splunk_TA_vmware version 1.1.0, you can use an SSL certificate with an encrypted private key for Splunk Enterprise 7.3.3, 7.3.4, and 8.0.1.

These are the Splunk platform and operating system requirements to run a DCN if you don't use the Splunk VMware OVA for ITSI:

Splunk Enterprise version Operating system
7.2.x CentOS 6, 7
7.3.x CentOS 6, 7
8.0.x CentOS 6, 7

These are the minimum DCN hardware requirements:

CPU RAM Disk
8-core CPU with a 2 GHz reservation 12 GB with a 1 GB reservation 12 GB storage capacity

These are the maximum ESXi hosts and virtual machines a single DCN can manage with the minimum DCN requirements:

ESXi host Virtual machine
70 1,750

Data Collection Scheduler requirements

A DCS schedules jobs and manages DCNs that collect data from vCenter Servers. Deploy a Data Collection Scheduler (DCS) on a search head in a standalone search head environment. If you're deploying VMware data collection in a distributed search head environment, deploy a DCS on a dedicated Splunk Enterprise instance. You don't have to configure forwarding or receiving on the DCS. To deploy a DCS, see Deploy a Data Collection Scheduler.

Depending on the your VMware environment, you may want to deploy more than one DCS. For more information, see Deployment considerations.

These are the requirements to run a Data Collection Scheduler (DCS):

Splunk Enterprise version Operating system
7.2.x CentOS 6, 7
7.3.x CentOS 6, 7
8.0.x CentOS 6, 7

User account permissions

When you integrate a VMware vCenter Server on a DCS, you have to provide credentials for a user account associated with the vCenter Server on the DCS. The DCS uses the user account credentials to detect ESXi servers in the vCenter Server, and to poll metrics, task, event, and inventory data.

To collect vCenter performance metrics, the user account you provide on the DCS needs to have these permissions:

  • System.Anonymous
  • System.Read
  • System.View

If you provide a user-defined role, it contains the System.Anonymous, System.Read, and System.View permissions even if you don't associate them with the role manually.

The following permissions are required to update the configuration and use Syslog Service on Esxi hosts:

  • Global.Diagnostics
  • Global.Licenses
  • Global.Settings
  • Host.Configuration.Change SNMP settings
  • Host.Configuration.Hyperthreading
  • Host.Configuration.Memory configuration
  • Host.Configuration.Network configuration
  • Host.Configuration.Power
  • Host.Configuration.Security profile and firewall
  • Host.Configuration.Storage partition configuration
  • Sessions.View and stop sessions

Daily data volumes

These are rough estimates. Your daily volume may be more or less than the following volumes for each data type.

Data type Data volume
vCenter Server logs 15 MB per host per day.
ESXi logs 135-235 MB per host per day.
ESXi Host API 17 MB per host per day.
VM API 18 MB per VM per day.
Last modified on 25 August, 2020
Upgrade to a new version of Splunk App for Infrastructure that's monitoring Windows systems   Install VMware data collection add-ons and dependencies

This documentation applies to the following versions of Splunk® App for Infrastructure (Legacy): 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.1.0, 2.1.1 Cloud only

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters