Splunk® App for NetApp Data ONTAP (Legacy)

Deploy and Use the Splunk App for NetApp Data ONTAP

This documentation does not apply to the most recent version of Splunk® App for NetApp Data ONTAP (Legacy). For documentation on the most recent version, go to the latest release.

Install the Splunk App for NetApp Data ONTAP

Install Splunk

Install Splunk version 5.0.4 or later on the hosts in your environment that will be your indexers and search head. Download the Splunk Enterprise version required for your platform and refer to the "installation instructions" in the Splunk Enterprise documentation.

Install a Splunk heavy forwarder or light forwarder, version 5.0.4 or later, on the host that will be your data collection node. This is a minimum Splunk requirement for the Splunk App for NetApp Data ONTAP. (Python is required.) The data collection node must run a version of CentOS or RedHat Enterprise Linux (RHEL) that is supported by Splunk version 5.0.4 or later.

Download the Splunk App for NetApp Data ONTAP

  1. Download the Splunk App for NetApp Data ONTAP from Splunk Apps to a location in your environment.
    1. Click Download and check the license agreement checkbox. The app is automatically downloaded. 
    2. Check that the download package file name is splunk-app-for-netapp-data-ontap_<number>.zip. It contains all of the supporting add-ons, technology add-ons, and the apps that are all part of the solution.

Install the Splunk App for NetApp Data ONTAP

To install the Splunk App for NetApp Data ONTAP on each Splunk indexer and search head in your environment, use the same user account that you used to install Splunk.

Reference the Component distribution table to see what app components must be installed in your environment.

Single machine Splunk deployments

In test environments it is common to see single-machine Splunk deployments, where the indexing and search capability resides on a single host. For a deployment like this, on the host that is your indexer and search head:

  1. Get the file splunk-app-for-netapp-data-ontap_<number>.zip and put it in $SPLUNK_HOME.
  2. In $SPLUNK_HOME unzip the app package.
    unzip splunk-app-for-netapp-data-ontap_<number>.zip
  3. Verify that all of the apps and sub directories were copied correctly under $SPLUNK_HOME/etc/apps.
  4. Restart Splunk. For both Windows and Unix instructions, see "Start and stop Splunk" in the Splunk Admin Manual.
  5. Now that the app is installed, "Configure user roles".

Distributed search deployments

For larger environments where data originates on many machines and where many users need to search the data, you can separate out the functions of indexing and searching. In this type of distributed search deployment, each indexer indexes data and performs searches across its own indexes. A Splunk Enterprise instance dedicated to search management, called the search head, coordinates searches across the set of indexers, consolidating the results and presenting them to the user. For more information about distributed search, see About distributed search in the Distributed search manual.

In a distributed search environment:

  1. Install splunk-app-for-netapp-data-ontap_<number>.zip on the search head.
    1. Get the file splunk-app-for-netapp-data-ontap_<number>.zip and put it in $SPLUNK_HOME.
  2. In $SPLUNK_HOME unzip the app package.
    unzip splunk-app-for-netapp-data-ontap_<number>.zip
  3. Verify that all of the apps and the sub directories were copied correctly and reside in $SPLUNK_HOME/etc/apps:
    SA-Hydra/…
    SA-Utils/…
    splunk_app_netapp/…
    Splunk_TA_ontap/…
  4. On each search peer, install the following app components:
    SA-Utils/…
    SA-Hydra/…
    Splunk_TA_ontap/…
  5. Restart Splunk in each of the locations where you installed the app. For both Windows and Unix instructions, see "Start and stop Splunk" in the Splunk Admin Manual.

Configure user roles

On the search head (or the combined indexer and search head) configure roles for the users of the app. This is standard Splunk user role configuration. There are two default user roles defined in the Splunk App for NetApp Data ONTAP:

  • The splunk_ontap_admin role: This role gives you permission to configure the Splunk App for NetApp Data ONTAP for data collection.
  • The splunk_ontap_user role: This role gives you permission to use the app. It does not give you permission to configure the app.

To assign roles to each user:

  1. On the search head, log in to Splunk Web and enter the IP address and port number of the OS hosting your search head:
    https://<ipaddress>:8000/
    Note that after deploying the app on your search head, use https not http as you are now establishing a secure connection.
  2. Select the Splunk App for NetApp Data ONTAP from the Apps menu. If this is your first time installing the app, then you are automatically redirected to the Setup page. Accept all of the default settings on the Setup screen, then click Save. For most installations the default settings work.
  3. In Settings, select Users and authentication: Access controls, then select Users.
  4. Give the admin user the splunk_ontap_admin role so that the admin can run scheduled searches. Add splunk_ontap_admin to the "admin" account.

Configure receiving on your Indexers

After the App has been installed, configure each of your Splunk indexers to listen for data on a (forwarding/receiving) port. Set up receiving on the indexer. By convention, receivers listen on port 9997, but you can specify any unused port. For more information see "Set up receiving" in the Splunk Forwarding data manual.

Create a data collection node

You must have at least one data collection node installed and running in your environment to collect ONTAP API data. You can build a data collection node and configure it specifically for your environment. Create and configure this data collection node on a physical machine or as a VM image to deploy into your environment.

Install a Splunk heavy forwarder or light forwarder, version 5.0.4 or later, on the host that will be your data collection node. You cannot use a Splunk Universal Forwarder for it because Python is required. This is a minimum Splunk requirement for the Splunk App for NetApp Data ONTAP. The data collection node must run a version of CentOS or RedHat Enterprise Linux (RHEL) that is supported by Splunk version 5.0.4 or later.

Whether you are building a physical data collection node or a data collection node VM, follow the steps below. To build a data collection node VM, we recommend that you follow the guidelines set by your specific virtualization solution to create the virtual machine and deploy it in your environment.

Note: If you install the Splunk App for VMware version 3.0.2 or above onto the same Splunk instance where the Splunk App for NetApp Data ONTAP 2.0.1 is installed, get the latest SA-Hydra and SA-Utils version from the Splunk App for VMware 3.0.2 or above and overwrite the existing versions of SA-Hydra and SA-Utils on the NetApp ONTAP data collection node. The data collection node is not automatically updated when you install the latest version of the Splunk App for VMware.

To build a data collection node:

  1. Install a CentOS or RedHat Enterprise Linux version that is supported by Splunk version 5.0.4.
    1. For system compatibility information, see Splunk data collection node resource requirements in this manual.
  2. Install Splunk version 5.0.4 configured at a minimum as a light forwarder (Python is required). Note: you cannot use a Splunk universal forwarder.
  3. Install the app components. Get the file splunk-app-for-netapp-data-ontap_<number>.zip and put it in $SPLUNK_HOME.
  4. Unzip this file. It automatically unzips into the $SPLUNK_HOME/etc/apps directory.
  5. On the data collection node you only need the following components: SA-Utils, SA-Hydra, and Splunk_TA_ontap in $SPLUNK_HOME/etc/apps. Please do not install splunk_app_netapp in a data collection node.
  6. Check that firewall ports are enabled. By default, the data collection node communicates with splunkd on port 8089 and with the scheduling node on port 8008. For more information on configuring firewall ports, see Network settings in this manual.
  7. Set up forwarding to the port on which the Splunk indexer(s) is configured to receive data. See Enable a receiver in the Forwarding Data manual.
  8. Change the default password using the CLI for this forwarder. (The default password for Splunk's admin user is changeme.)
    ./splunk edit user admin -password 'newpassword' -role admin -auth admin:changeme
  9. Restart Splunk.
  10. After deploying the collection components, add the forwarder to your scheduler's configuration. To do this, see Collect data from your environment in this manual.
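
The component lists above differ by node type, and splunk_app_netapp must not be present on a data collection node. The following script is an added example, not part of the Splunk documentation or the app package; the role labels search_head, search_peer and dcn are names assumed for this script. It checks an etc/apps directory against the list for one role.

```shell
#!/bin/sh
# Added example (not Splunk tooling): verify which app components are present
# under etc/apps for a node role. Role labels are assumptions of this script.

check_components() {
    role=$1
    apps_dir=$2
    result=0
    case "$role" in
        search_head) required="SA-Hydra SA-Utils splunk_app_netapp Splunk_TA_ontap"
                     forbidden="" ;;
        search_peer) required="SA-Utils SA-Hydra Splunk_TA_ontap"
                     forbidden="" ;;
        dcn)         required="SA-Utils SA-Hydra Splunk_TA_ontap"
                     forbidden="splunk_app_netapp" ;;
        *) echo "unknown role: $role" >&2; return 2 ;;
    esac
    # Every component listed for the role must exist as a directory.
    for app in $required; do
        if [ ! -d "$apps_dir/$app" ]; then
            echo "MISSING    $app" >&2
            result=1
        fi
    done
    # Components that must not be installed on this role.
    for app in $forbidden; do
        if [ -d "$apps_dir/$app" ]; then
            echo "UNEXPECTED $app (not for a data collection node)" >&2
            result=1
        fi
    done
    return $result
}

# Usage: sh check_components.sh dcn "$SPLUNK_HOME/etc/apps"
if [ "$#" -eq 2 ]; then
    check_components "$1" "$2"
fi
```

The exit status is 0 when the directory matches the role, 1 when a component is missing or unexpected, and 2 for an unknown role.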

Turn on logging on the data collection node

To assist in troubleshooting data collection issues, we recommend that you turn on logging on the data collection node when you create the node. The data collected does count against your Splunk license.

On your data collection node:

  1. Create a local directory under SA-Hydra (SA-Hydra/local).
  2. Copy the outputs.conf file from SA-Hydra/default/outputs.conf to SA-Hydra/local/outputs.conf.
  3. Edit the local outputs.conf file to uncomment the following lines:
    [tcpout]
    forwardedindex.3.whitelist = _internal
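
The three steps above as a script. This is an added example, not code shipped with the app; it assumes the two settings are commented out with a leading # in SA-Hydra/default/outputs.conf, and the sample file in demo is constructed for a dry run.

```shell
#!/bin/sh
# Added example (not Splunk tooling). Assumes the two settings are commented
# out with a leading '#' in SA-Hydra/default/outputs.conf.

enable_internal_forwarding() {
    hydra_dir=$1                      # e.g. $SPLUNK_HOME/etc/apps/SA-Hydra
    src="$hydra_dir/default/outputs.conf"
    dst="$hydra_dir/local/outputs.conf"
    [ -f "$src" ] || { echo "not found: $src" >&2; return 1; }
    mkdir -p "$hydra_dir/local"
    # Never overwrite an existing local file: it may already hold site settings.
    [ -f "$dst" ] || cp "$src" "$dst"
    tmp="$dst.tmp.$$"
    # Uncomment only the two lines named in the procedure.
    sed -e 's/^#[[:space:]]*\(\[tcpout\]\)[[:space:]]*$/\1/' \
        -e 's/^#[[:space:]]*\(forwardedindex\.3\.whitelist[[:space:]]*=[[:space:]]*_internal\)[[:space:]]*$/\1/' \
        "$dst" > "$tmp" && mv "$tmp" "$dst"
    # Succeed only if both lines are now active.
    grep -q '^\[tcpout\]' "$dst" &&
        grep -q '^forwardedindex\.3\.whitelist[[:space:]]*=[[:space:]]*_internal' "$dst"
}

# Dry run against a constructed sample of the default file in a temp directory.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/SA-Hydra/default"
    cat > "$d/SA-Hydra/default/outputs.conf" <<'EOF'
# Uncomment to forward the node's own logs (constructed sample)
#[tcpout]
#forwardedindex.3.whitelist = _internal
EOF
    enable_internal_forwarding "$d/SA-Hydra" && cat "$d/SA-Hydra/local/outputs.conf"
    rm -rf "$d"
}

# Usage: sh enable_logging.sh "$SPLUNK_HOME/etc/apps/SA-Hydra"
if [ "$#" -eq 1 ]; then
    enable_internal_forwarding "$1"
fi
```

Restart Splunk on the data collection node after the file changes so the new outputs.conf is read.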

Configure Operating System properties

You can configure some of the properties of your operating system to improve the stability of your data collection nodes in a production environment.

Set static IP addresses

While not required, we recommend that you set a static IP address for the data collection node. With DHCP (dynamic addressing), the data collection node's IP address can vary over time, causing unexpected results. Connecting to a specific collection node can be difficult (especially if DNS is down). You can connect to the data collection node to perform maintenance or to determine which collection node is sending data.

We recommend that you log in as the splunkadmin user to make changes to the data collection node.

Change the NTP server pool list

The Network Time Protocol (NTP) is used to synchronize a computer's time with another reference time source. Most *Nix systems give you the ability to set up or change time synchronization. You can change the NTP servers that your data collection node uses by editing the /etc/ntp.conf file.

The default values for the servers in /etc/ntp.conf are:

# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.centos.pool.ntp.org
server 1.centos.pool.ntp.org
server 2.centos.pool.ntp.org

To use different NTP servers, replace the default values in the file with your specific values. Restart ntpd for the changes to take effect.

sudo service ntpd restart

Disable NTP on the data collection node

If you do not have access to the Internet (for example, you operate behind a firewall that precludes access to the Internet) you can disable NTP on the data collection node.

Last modified on 14 November, 2016

This documentation applies to the following versions of Splunk® App for NetApp Data ONTAP (Legacy): 2.0, 2.0.1

