Other deployment considerations
To deploy the Splunk App for NetApp Data ONTAP, deploy the app components on a network that has access to the storage assets (ONTAP servers) you want Splunk to query.
- On your indexer(s)/search head(s), check that you have Splunk version 5.0.4 or later installed and that your licensing volume can support the data volume that you are collecting. See Splunk App for NetApp Data ONTAP indexing data volumes.
- Know your administration credentials for Splunk (search head and indexers).
Validate your NetApp httpd protocol configuration requirements
Your NetApp® Data ONTAP® software must be installed and configured correctly before installing and configuring the Splunk App for NetApp Data ONTAP in your environment. When you have NetApp Data ONTAP installed, check that the HTTPD service is running on the storage controllers. This is required for the Splunk App for NetApp Data ONTAP to have API access to the NetApp filers to collect performance data.
If you have not configured your filers using the correct options, then the connection from the app will be rejected by the API. Set the following options on your NetApp filers:
options httpd.enable on
options httpd.admin.enable on
You can use tools such as ZExplore Development Interface (ZEDI) to validate the configuration of the Splunk App for NetApp Data ONTAP. If you can collect data successfully using ZEDI, then your filer is configured correctly to collect data from the app.
For more information about installing and configuring NetApp Data ONTAP, see the NetApp online documentation.
Configure clock and timezone settings for Splunk and your ONTAP servers
Clock and timezone settings for your Splunk environment and your ONTAP servers must agree for data to be timestamped correctly in Splunk, and in some cases for the data to be indexed.
In Splunk, time offsets can cause indexing issues with defined data types. This is specifically true in the Splunk App for NetApp Data ONTAP for performance searches that use report acceleration. The searches for tsidx performance data are run with a default earliest time set to -2h. If the clock on a filer does not report the correct time, and is off by more than 2 hours, then the data is not indexed in Splunk.
As a NetApp administrator, use NTP on your filers and check that the timezone settings on your ONTAP servers are set to match the timezone information on your Splunk indexer(s). If the timezone information is not set correctly, events coming into Splunk can be marked with an incorrect time stamp and can be excluded from being indexed. This can result in data loss and lead to inaccuracy of your results. A light forwarder (LF) or universal forwarder (UF) does not parse events to get a timestamp. This is done by the indexers.
If the timestamp is of a different format, then to parse the data in the correct format in Splunk, add timezone information to the props.conf file on all of the indexers receiving data from the NetApp environment.
Note: On your Linux or Unix systems, the props.conf file is located in the following directory on your indexer(s): $SPLUNK_HOME/etc/apps/Splunk_TA_ontap/default/props.conf
On all indexers:
- Create a $SPLUNK_HOME/etc/apps/Splunk_TA_ontap/local/props.conf file and copy the appropriate stanza(s) from /Splunk_TA_ontap/default/props.conf to it.
- Edit the TIME_FORMAT and the TZ fields to match the timestamp format and the time zone being used by the filers.
    TZ = UTC
    MAX_TIMESTAMP_LOOKAHEAD = 1
    TIME_FORMAT = %b %d %H:%M:%S
- After making the change to the props.conf file, restart your Splunk indexers for the change to take effect.
Read "Edit timestamp properties in props.conf" in the Splunk Enterprise Getting Data in manual for more information.
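The effect of a mismatched TZ on the -2h window, as an added example that is not part of the Splunk documentation: it interprets a year-less timestamp in the TIME_FORMAT shown above under two TZ settings and reports whether the result stays within 2 hours of the indexer clock. The function names, the fixed-offset model of TZ and the sample timestamps are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

TIME_FORMAT = "%b %d %H:%M:%S"        # TIME_FORMAT from the stanza on this page
SEARCH_WINDOW = timedelta(hours=2)    # default earliest time of -2h


def resolve(raw, tz_offset_hours, now_utc):
    """Turn a year-less, zone-less event timestamp into an aware UTC datetime.

    tz_offset_hours models the TZ setting as a fixed UTC offset (assumption:
    real TZ values are zone names that also carry DST rules).
    """
    tz = timezone(timedelta(hours=tz_offset_hours))
    # The format has no year, so borrow the current one ...
    ts = datetime.strptime(f"{now_utc.year} {raw}", "%Y " + TIME_FORMAT)
    ts = ts.replace(tzinfo=tz)
    # ... and step back a year if that lands in the future (Dec 31 -> Jan 1).
    if ts - now_utc > timedelta(days=1):
        ts = ts.replace(year=ts.year - 1)
    return ts.astimezone(timezone.utc)


def skew(raw, tz_offset_hours, now_utc):
    """Apparent event time minus indexer time."""
    return resolve(raw, tz_offset_hours, now_utc) - now_utc


def inside_window(raw, tz_offset_hours, now_utc):
    """True when the apparent time is within 2 hours of the indexer clock."""
    return abs(skew(raw, tz_offset_hours, now_utc)) <= SEARCH_WINDOW


if __name__ == "__main__":
    # Constructed sample: a filer logging in UTC-8 local time, indexer in UTC.
    now = datetime(2025, 1, 15, 12, 31, 0, tzinfo=timezone.utc)
    raw = "Jan 15 04:30:00"
    for label, offset in (("TZ = UTC", 0), ("TZ matching the filer (UTC-8)", -8)):
        print(f"{label}: skew {skew(raw, offset, now)}, "
              f"inside -2h window: {inside_window(raw, offset, now)}")
```

With the filer's real offset the event is one minute old; read as UTC, the same line appears more than eight hours old and falls outside the window.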
Create a user account with the correct permissions on the NetApp filers
Before you install the Splunk App for NetApp Data ONTAP you must have the required access privileges to the storage assets from which you want to collect data.
The Splunk App for NetApp Data ONTAP relies on using the NetApp API to collect data from your NetApp devices. To access the NetApp API on each device (for data collection) you need access privileges. The Splunk App for NetApp Data ONTAP needs read-only access to the API. Note that providing the app with the appropriate permissions does not present any risk to your infrastructure.
To collect data from all inventory objects, both in Cluster mode and 7-mode, create a local user account or Active Directory domain user with the correct permissions on the NetApp filers. To create a local user account you must have the login* capability role. Without the login* capability, authentication with the filer will fail and you will be unable to retrieve any data.
A user is required for authentication and is assigned a role with the required capabilities assigned to it. You can manually create a user account by following the instructions in the NetApp documentation.
We recommend provisioning the user with the following capabilities used by the Splunk App for NetApp Data ONTAP to collect data using the NetApp API:
Capability | 7-mode | Cluster mode |
---|---|---|
login* | x | x |
login-http-admin* | x | |
api-aggr-get* | x | x |
api-aggr-list* | x | |
api-aggr-mediascrub-list* | x | |
api-aggr-options-list* | x | x |
api-aggr-scrub-list* | x | |
api-aggr-space-list* | x | |
api-cifs-options-get* | x | |
api-cluster-identity-get* | x | |
api-cluster-node-get* | x | |
api-disk-list* | x | |
api-ems-message-get* | x | |
api-export-policy-get* | x | |
api-export-rule-get* | x | |
api-lun-get* | x | |
api-lun-list-info | x | |
api-nfs-exportfs-list* | x | |
api-options-get* | x | |
api-options-list* | x | |
api-perf-object-counter-list* | x | x |
api-perf-object-get-instances* | x | x |
api-perf-object-instance-list* | x | x |
api-perf-object-list* | x | x |
api-qtree-list* | x | x |
api-quota-list* | x | x |
api-quota-report-iter* | x | x |
api-quota-status* | x | x |
api-snapshot-get* | x | |
api-snapshot-list* | x | |
api-storage-disk-get* | x | |
api-system-api* | x | x |
api-system-get* | x | x |
api-system-node-get* | x | |
api-vfiler-get-status | x | |
api-vfiler-list* | x | |
api-volume-footprint-get* | x | |
api-volume-get* | x | |
api-volume-list* | x | |
api-volume-mediascrub-list* | x | |
api-volume-move-get* | x | |
api-volume-options-list* | x | |
api-volume-scrub-list* | x | |
api-volume-space-get* | x | |
api-volume-storage-service-get* | x | |
api-vserver-get* | x |
To validate that the credentials are correct, use the ZExplore Development Interface (ZEDI) to connect to the filer. The Splunk App for NetApp Data ONTAP also validates the credentials (not all the capabilities) when they are initially entered into the app.
App Configuration
This topic discusses the app components required to support your environment needs.
- API data collection - We recommend a ratio of one data collection node to 15 to 50 filers at the recommended resources. See "Data volume requirements" in this manual.
- Syslog data collection - We recommend that you configure log collection on your NetApp filers and forward the log data using Syslog from your filers to a Splunk forwarder. Check that UDP port 514 is open on the Splunk forwarder to receive Syslog.
- Splunk configuration - At expected data volumes for the Splunk App for NetApp Data ONTAP, configure your Splunk indexers appropriately. To do this, see the Splunk Enterprise documentation for "Introduction to capacity planning for Splunk Enterprise".
For more information on performance requirements of the app and the data collection node, see the "Systems requirements" topic in this manual.
Network settings
Firewall ports must be enabled for communication between Splunk and various components of your Splunk App for NetApp Data ONTAP environment.
splunkweb and splunkd
splunkweb and splunkd both communicate with your Web browser via REpresentational State Transfer (REST):
- splunkd runs a Web server on port 8089 with SSL/HTTPS turned on by default.
- splunkweb runs a Web server on port 8000 without SSL/HTTPS by default.
When you start Splunk it checks that the firewall ports 8089 and 8000 are enabled. If the default ports are already in use (or are otherwise not available), Splunk will offer to use the next available port. You can configure port settings for Splunk in the server.conf file.
Communication between the scheduler and the data collection node
The Splunk App for NetApp Data ONTAP uses the gateway, implemented as part of the Hydra scheduling framework, to allocate jobs to the data collection nodes. The scheduling node that runs the Hydra scheduler, typically on the search head, communicates with all data collection nodes over port 8008 (default setting).
In your environment, if port 8008 is used by another service, you can configure another port for communication between the data collection node and the gateway.
All data collection nodes do not have to communicate on the same port. You can configure the ports in the default stanza to implement the port change for all data collection nodes, or you can set the ports on a per stanza basis to configure the port for each data collection node individually.
To set the port for the Hydra gateway, edit the configuration settings for the port on the scheduling node (usually implemented on the search head) in $SPLUNK_HOME/etc/apps/Splunk_TA_ontap/local/hydra_node.conf.
The following is an example of the default setting for the app.
[default]
gateway_port = 8008
Storage
As with all Splunk deployments, it is important to have sufficient disk space to accommodate the volume of data processed by your indexers. The Splunk App for NetApp Data ONTAP indexes approximately 300MB to 1GB of data per filer, per day and supports a log volume of 100MB.
For more information on what to consider regarding your data storage and data volume requirements using Splunk, see Estimate your storage requirements in the Splunk Capacity Planning Manual.
Licensing
You must have a Splunk Enterprise license and accept the End User License Agreement (EULA) presented for the Splunk App for NetApp Data ONTAP to work in your environment. Licensing requirements are driven by the volume of data your indexer processes.
Refer to the "Storage considerations" section above to determine your licensing volume. Contact your Splunk sales representative to purchase additional license volume or inquire about free trial licensing.
Refer to "How Splunk licensing works" in the Splunk Admin Manual for more information about Splunk licensing.
Backups and archiving
You can configure Splunk to back up both your indexed data and configuration data. You can configure Splunk to delete data based on either the size of the index or the age of data in the index. By default, Splunk deletes data if all of the data in a given archived index is 6 years old or more.
- For details on configuring backups in Splunk, refer to "Back up indexed data" and other topics in the Splunk Managing Indexers and Clusters manual.
- For details on configuring archive policy in Splunk, refer to "Set a retirement and archiving policy" in the Splunk Managing Indexers and Clusters manual.
This documentation applies to the following versions of Splunk® App for NetApp Data ONTAP (Legacy): 2.0, 2.0.1, 2.0.2, 2.0.3