Splunk® App for NetApp Data ONTAP (Legacy)

Deploy and Use the Splunk App for NetApp Data ONTAP

This documentation does not apply to the most recent version of Splunk® App for NetApp Data ONTAP (Legacy). For documentation on the most recent version, go to the latest release.

Install Splunk App for NetApp Data ONTAP

Download Splunk App for NetApp Data ONTAP

1. Download Splunk App for NetApp Data ONTAP from Splunkbase.

2. Check that the download package file name is splunk-app-for-netapp-data-ontap_<number>.zip. It contains all of the supporting add-ons, technology add-ons, and the apps that are all part of the app.

Install Splunk App for NetApp Data ONTAP

Single instance deployment

A single-instance deployment of Splunk Enterprise contains indexers and search heads on a single host.

1. Move the splunk-app-for-netapp-data-ontap_<number>.zip file to $SPLUNK_HOME.

2. Unzip the app package.

unzip splunk-app-for-netapp-data-ontap_<number>.zip

3. Verify that all of the apps and subdirectories exist in the $SPLUNK_HOME/etc/apps folder.

4. Restart your instance of Splunk Enterprise. See "Start and stop Splunk" in the Splunk Admin Manual.


Distributed deployment

For larger environments where data originates on many machines and where many users need to search the data, you can separate out the functions of indexing and searching. In this type of distributed search deployment, each indexer indexes data and performs searches across its own indexes. A Splunk Enterprise instance dedicated to search management, called the search head, coordinates searches across the set of indexers, consolidating the results and presenting them to the user. For more information about distributed search, see About distributed search in the Distributed search manual.

In a distributed search environment:

  1. Install splunk-app-for-netapp-data-ontap_<number>.zip on the search head.
    1. Get the file splunk-app-for-netapp-data-ontap_<number>.zip and put it in $SPLUNK_HOME.
  2. In $SPLUNK_HOME unzip the app package.
    unzip splunk-app-for-netapp-data-ontap_<number>.zip
  3. Verify that all of the apps and the subdirectories were copied correctly and reside in $SPLUNK_HOME/etc/apps:
    SA-Hydra/…
    SA-Utils/…
    splunk_app_netapp/…
    Splunk_TA_ontap/…
  4. On each search peer, install the following app components:
    SA-Utils/…
    SA-Hydra/…
    Splunk_TA_ontap/…
  5. Restart Splunk in each of the locations where you installed the app. For both Windows and Unix instructions, see "Start and stop Splunk" in the Splunk Admin Manual.


Configure user roles

On the search head (or the combined indexer and search head), configure roles for the users of the app. This is standard Splunk user role configuration. There are two default user roles defined in the Splunk App for NetApp Data ONTAP:

  • The splunk_ontap_admin role: This role gives you permission to configure the Splunk App for NetApp Data ONTAP for data collection.
  • The splunk_ontap_user role: This role gives you permission to use the app. It does not give you permission to configure the app.

To assign roles to each user:

  1. On the search head, log in to Splunk Web and enter the IP address and port number of the OS hosting your search head:
    https://<ipaddress>:8000/
    Note that after deploying the app on your search head, use https, not http, as you are now establishing a secure connection.
  2. Select the Splunk App for NetApp Data ONTAP from the Apps menu. If this is your first time installing the app, then you are automatically redirected to the Setup page. Accept all of the default settings on the Setup screen, then click Save. For most installations the default settings work.
  3. In Settings, select Users and authentication: Access controls, then select Users.
  4. Give the admin user the splunk_ontap_admin role so that the admin can run scheduled searches. Add splunk_ontap_admin to the "admin" account.

Configure receiving on your Indexers

After the App has been installed, configure each of your Splunk indexers to listen for data on a (forwarding/receiving) port. Set up receiving on the indexer. By convention, receivers listen on port 9997, but you can specify any unused port. For more information see "Set up receiving" in the Splunk Forwarding data manual.

Create a data collection node

You must have at least one data collection node installed and running in your environment to collect ONTAP API data. You can build a data collection node and configure it specifically for your environment. Create and configure this data collection node on a physical machine or as a VM image to deploy into your environment.

Install a Splunk heavy forwarder or light forwarder, version 5.0.4 or later, on the host that will be your data collection node. You cannot use a Splunk Universal Forwarder for it because Python is required. This is a minimum Splunk requirement for the Splunk App for NetApp Data ONTAP. A data collection node requires a CentOS or RedHat Enterprise Linux (RHEL) version that is supported by Splunk version 5.0.4 or later. For search head cluster environments, data collection nodes must still be dedicated to a separate search head for scheduling.

Whether you are building a physical data collection node or a data collection node VM, follow the steps below. To build a data collection node VM, we recommend that you follow the guidelines set by your specific virtualization solution to create the virtual machine and deploy it in your environment.


To build a data collection node:

  1. Install a CentOS or RedHat Enterprise Linux version that is supported by Splunk version 5.0.4.
    1. For system compatibility information, see Splunk data collection node resource requirements in this manual.
  2. Install Splunk version 5.0.4 configured at a minimum as a light forwarder (Python is required). Note: you cannot use a Splunk universal forwarder.
  3. Install the app components. Get the file splunk-app-for-netapp-data-ontap_<number>.zip and put it in $SPLUNK_HOME.
  4. Unzip this file. It automatically unzips into the $SPLUNK_HOME/etc/apps directory.
  5. On the data collection node you only need the following components: SA-Utils, SA-Hydra, and Splunk_TA_ontap in $SPLUNK_HOME/etc/apps. Please do not install splunk_app_netapp in a data collection node.
  6. Check that firewall ports are enabled. The data collection node communicates, by default, with splunkd on port 8089. It communicates with the scheduling node, by default on port 8008. These are the default ports. For more information on configuring firewall ports, see Network settings in this manual.
  7. Set up forwarding to the port on which the Splunk indexer(s) is configured to receive data. See Enable a receiver in the Forwarding Data manual.
  8. Change the default password using the CLI for this forwarder. The default password for Splunk's admin user is changeme. Be sure to change the value of the password to something other than changeme.
    ./splunk edit user admin -password 'newpassword' -role admin -auth admin:changeme
  9. Restart Splunk.
  10. After deploying the collection components, add the forwarder to your scheduler's configuration. To do this, see Collect data from your environment in this manual.
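
The component lists above differ by role (search head, search peer, data collection node), so a copy mistake is easy to miss. The following script is an added example, not part of the Splunk documentation or the app; it checks an apps directory against the lists on this page. The role names search_head, search_peer and collection_node and the function names are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not Splunk-provided code). Role and function names are
# hypothetical labels for the three installation targets this page describes.

# required_apps ROLE -> prints the component directories the page lists
required_apps() {
  case "$1" in
    search_head) echo "SA-Hydra SA-Utils splunk_app_netapp Splunk_TA_ontap" ;;
    search_peer|collection_node) echo "SA-Utils SA-Hydra Splunk_TA_ontap" ;;
    *) return 2 ;;
  esac
}

# check_role_apps APPS_DIR ROLE
# Prints one line per problem. Returns 0 if the layout matches the page,
# 1 if something is missing or unexpected, 2 for an unknown role.
check_role_apps() {
  local apps_dir="$1" role="$2" required app status=0
  required=$(required_apps "$role") || { echo "unknown role: $role"; return 2; }
  for app in $required; do
    if [ ! -d "$apps_dir/$app" ]; then
      echo "MISSING    $app"
      status=1
    fi
  done
  # The page says not to install splunk_app_netapp on a data collection node.
  if [ "$role" = collection_node ] && [ -d "$apps_dir/splunk_app_netapp" ]; then
    echo "UNEXPECTED splunk_app_netapp"
    status=1
  fi
  return $status
}

# Constructed demo: a scratch directory standing in for $SPLUNK_HOME/etc/apps.
demo_apps=$(mktemp -d)
mkdir -p "$demo_apps/SA-Utils" "$demo_apps/SA-Hydra" "$demo_apps/Splunk_TA_ontap"
check_role_apps "$demo_apps" collection_node && echo "collection_node layout OK"
check_role_apps "$demo_apps" search_head || echo "search_head layout incomplete"
rm -rf "$demo_apps"
```

On a real host, call check_role_apps "$SPLUNK_HOME/etc/apps" with the role of that machine after unzipping the package and before restarting Splunk.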

Turn on logging on the data collection node

To assist in troubleshooting data collection issues, we recommend that you turn on logging on the data collection node when you create the node. The data collected does count against your Splunk license.

On your data collection node:

  1. Create a local directory under SA-Hydra (SA-Hydra/local).
  2. Copy the outputs.conf file from SA-Hydra/default/outputs.conf to SA-Hydra/local/outputs.conf.
  3. Edit the local outputs.conf file to uncomment the following lines:
    [tcpout]
    forwardedindex.3.whitelist = _internal
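
The three steps above can be scripted so that an existing local override is never overwritten. This is an added example, not code from the app or from Splunk; the function name is hypothetical, the sample outputs.conf is constructed, and it assumes the shipped lines are commented out with a leading '#'.

```shell
#!/usr/bin/env bash
# Added example, not Splunk-provided code. Function name is hypothetical.

# enable_internal_forwarding SA_HYDRA_DIR
# Copies default/outputs.conf to local/outputs.conf with the two lines from
# this page uncommented. Returns non-zero if it cannot do so safely.
enable_internal_forwarding() {
  local app_dir="$1"
  local src="$app_dir/default/outputs.conf"
  local dst="$app_dir/local/outputs.conf"
  if [ ! -f "$src" ]; then
    echo "no default/outputs.conf under $app_dir" >&2
    return 1
  fi
  # Do not clobber settings someone already placed in local/.
  if [ -e "$dst" ]; then
    echo "$dst already exists; edit it by hand" >&2
    return 1
  fi
  mkdir -p "$app_dir/local"
  # Assumption: the shipped lines are commented with a leading '#'.
  sed -e 's/^#[[:space:]]*\(\[tcpout\]\)[[:space:]]*$/\1/' \
      -e 's/^#[[:space:]]*\(forwardedindex\.3\.whitelist[[:space:]]*=[[:space:]]*_internal\)[[:space:]]*$/\1/' \
      "$src" > "$dst"
  # Succeed only if both settings are now active in the local copy.
  grep -q '^\[tcpout\]$' "$dst" &&
    grep -q '^forwardedindex\.3\.whitelist[[:space:]]*=[[:space:]]*_internal$' "$dst"
}

# Constructed demo: scratch directory standing in for etc/apps/SA-Hydra.
demo=$(mktemp -d)
mkdir -p "$demo/default"
printf '%s\n' '# constructed sample' '#[tcpout]' \
  '#forwardedindex.3.whitelist = _internal' > "$demo/default/outputs.conf"
enable_internal_forwarding "$demo" && cat "$demo/local/outputs.conf"
rm -rf "$demo"
```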

Configure Operating System properties

You can configure some of the properties of your operating system to improve the stability of your data collection nodes in a production environment.

Set static IP addresses

While not required, we recommend that you set a static IP address for the data collection node. The data collection node's IP address can vary over time when using DHCP (dynamic addressing), causing unexpected results. Connecting to a specific collection node can be difficult (especially if DNS is down). You can connect to the data collection node to perform maintenance or to determine which collection node is sending data.

We recommend that you log in as the splunkadmin user to make changes to the data collection node.

Change the NTP server pool list

The Network Time Protocol (NTP) is used to synchronize a computer's time with another reference time source. Most *Nix systems give you the ability to set up or change time synchronization. You can change the NTP servers that your data collection node uses by editing the /etc/ntp.conf file.

The default values for the servers in /etc/ntp.conf are:

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.centos.pool.ntp.org
server 1.centos.pool.ntp.org
server 2.centos.pool.ntp.org

To use different NTP servers, replace the default values in the file with your specific values. Restart ntpd for the changes to take effect.

sudo service ntpd restart

Disable NTP on the data collection node

If you do not have access to the Internet (for example, you operate behind a firewall that precludes access to the Internet), you can disable NTP on the data collection node.

Last modified on 14 November, 2016

This documentation applies to the following versions of Splunk® App for NetApp Data ONTAP (Legacy): 2.0.2, 2.0.3

