Other deployment considerations
To deploy the Splunk App for NetApp Data ONTAP, deploy the app components on a network that has access to the storage assets (ONTAP servers) you want Splunk to query.
- On your indexer(s)/search head(s), check that you have Splunk version 6.3.0 or later installed and that your licensing volume can support the data volume that you are collecting. See Splunk App for NetApp Data ONTAP indexing data volumes.
- Know your administration credentials for Splunk (search head and indexers).
Validate your NetApp httpd protocol configuration requirements
Your NetApp® Data ONTAP® software must be installed and configured correctly before installing and configuring the Splunk App for NetApp Data ONTAP in your environment.capa When you have NetApp Data ONTAP installed, check that the HTTPD service is running on the storage controllers. This is required for the Splunk App for NetApp Data ONTAP to have API access to the NetApp filers to collect performance data.
If you have not configured your filers using the correct options, then the connection from the app will be rejected by the API. Set the following options on your NetApp filers:
options httpd.enable on options httpd.admin.enable on
You can use tools such as ZExplore Development Interface (ZEDI) to validate the configuration of the Splunk App for NetApp Data ONTAP. If you can collect data successfully using ZEDI, then your filer is configured correctly to collect data from the app.
For more information about installing and configuring NetApp Data ONTAP, see the NetApp online documentation.
Configure clock and timezone settings for your Splunk platform and your ONTAP servers
Ensure that the clock and timezone settings for your Splunk platform environment and your ONTAP servers agree so as to ensure accurate timestamping.
In your Splunk platform, time offsets can cause indexing issues with defined data types. This is specifically true in the Splunk App for NetApp Data ONTAP for performance searches that use report acceleration. If the timezone information is not set correctly, your Splunk platform may incorrectly apply a timestamp and potentially exclude events from indexing. A light forwarder (LF) or universal forwarder (UF) do not parse events to get a timestamp.
As a NetApp administrator, use NTP on your filers to check that the timezone settings on your ONTAP servers match the timezone information on your Splunk indexer(s).
Create a user account with the correct permissions on the NetApp filers
Before you install the Splunk App for NetApp Data ONTAP you must have the required access privileges to the storage assets from which you want to collect data.
The Splunk App for NetApp Data ONTAP relies on using the NetApp API to collect data from your NetApp devices. To access the NetApp API on each device (for data collection) you need access privileges. The Splunk App for NetApp Data ONTAP needs read-only access to the API. Note that providing the app with the appropriate permissions does does not present any risk to your infrastructure.
To collect data from all inventory objects, both in Cluster mode and 7-mode, create a local user account or Active Directory domain user with the correct permissions on the NetApp filers. To create a local user account you must have the the login* capability role. Without the login* capability, authentication with the filer will fail and you will be unable to retrieve any data.
A user is required for authentication and is assigned a role with the required capabilities assigned to it. You can manually create a user account by following the instructions in the NetApp documentation.
We recommend provisioning the user with the following capabilities used by the Splunk App for NetApp Data ONTAP to collect data using the NetApp API:
|Ontapi||7 Mode support in Splunk_TA_ontap||7 Mode Capability||Cluster Mode support in Splunk_TA_ontap||Corresponding Cluster command|
|api-aggr-get-iter||aggr-get-iter||x||storage aggregate show|
|api-aggr-options-list-info||x||aggr-options-list-info||x||storage aggregate show|
|api-cifs-options-get-iter||cifs-options-get-iter||x||vserver cifs options show|
|api-cluster-identity-get||cluster-identity-get||x||cluster identity show|
|api-ems-message-get-iter||ems-message-get-iter||x||event log show|
|api-export-policy-get-iter||export-policy-get-iter||x||vserver export-policy show|
|api-export-rule-get-iter||export-rule-get-iter||x||vserver export-policy rule show|
|api-perf-object-counter-list-info||x||perf-object-counter-list-info||x||statistics catalog counter show|
|api-perf-object-instance-list-info-iter||perf-object-instance-list-info-iter||x||statistics catalog instance show|
|api-perf-object-list-info||x||perf-object-list-info||x||statistics catalog object show|
|api-qtree-list-iter||qtree-list-iter||x||volume qtree show|
|api-quota-list-entries-iter||quota-list-entries-iter||x||volume quota policy rule show|
|api-quota-report-iter||quota-report-iter||x||volume quota report|
|api-quota-status-iter||quota-status-iter||x||volume quota show|
|api-snapshot-get-iter||snapshot-get-iter||x||volume snapshot show|
|api-storage-disk-get-iter||storage-disk-get-iter||x||storage disk show|
|api-system-api-list||x||system-api-list||x||security login role show-ontapi|
|api-system-get-node-info-iter||system-get-node-info-iter||x||system node show|
|api-system-get-vendor-info||x||system-get-vendor-info||x||system node autosupport show|
|api-system-node-get-iter||system-node-get-iter||x||system node show|
|api-volume-move-get-iter||volume-move-get-iter||x||volume move show|
To validate that the credentials are correct, use the ZExplore Development Interface (ZEDI) to connect to the filer. The Splunk App for NetApp Data ONTAP also validates the credentials (not all the capabilities) when they are initially entered into the app.
This topic discusses the app components required to support your environment needs.
- API data collection - We recommend a ratio of one data collection node to 15 to 50 filers at the recommended resources. See Data volume requirements in this manual.
- Syslog data collection - We recommend that you configure log collection on your NetApp filers and forward the log data using Syslog from your filers to a Splunk forwarder. Check that UDP port 514 is open on the Splunk forwarder to receive Syslog.
- Splunk configuration - At expected data volumes for the Splunk App for NetApp Data ONTAP, configure your Splunk indexers appropriately. To do this, see the Splunk Enterprise documentation for "Introduction to capacity planning for Splunk Enterprise".
For more information on performance requirements of the app and the data collection node, see the "Systems requirements" topic in this manual.
Firewall ports must be enabled for communication between Splunk and various components of your Splunk App for NetApp Data ONTAP environment.
splunkweb and splunkd
splunkweb and splunkd both communicate with your Web browser via REpresentational State Transfer (REST):
- splunkd runs a Web server on port 8089 with SSL/HTTPS turned on by default.
- splunkweb runs a Web server on port 8000 without SSL/HTTPS by default.
When you start Splunk it checks that the firewall ports 8089 and 8000 are enabled. If the default ports are already in use (or are otherwise not available), Splunk will offer to use the next available port. You can configure port settings for Splunk in the
Communication between the scheduler and the data collection node
The Splunk App for NetApp Data ONTAP uses the gateway, implemented as part of the Hydra scheduling framework, to allocate jobs to the data collection nodes. The scheduling node that runs the Hydra scheduler, typically on the search head, communicates with all data collection nodes over port 8008 (default setting).
In your environment, if port 8008 is used by another service, you can configure another port for communication between the data collection node and the gateway.
All data collection nodes do not have to communicate on the same port. You can configure the ports in the default stanza to implement the port change for all data collection nodes, or you can set the ports on a per stanza basis to configure the port for each data collection node individually.
To set the port for the Hydra gateway, edit the configuration settings for the port on the scheduling node (usually implemented on the search head) in
The following is an example of the default setting for the app.
[default] gateway_port = 8008
As with all Splunk deployments, it is important to have sufficient disk space to accommodate the volume of data processed by your indexers. The Splunk App for NetApp Data ONTAP indexes approximately 300MB to 1GB of data per filer, per day and supports a log volume of 100MB.
For more information on what to consider regarding your data storage and data volume requirements using Splunk, see Estimate your storage requirements in the Splunk Capacity Planning Manual.
You must have a Splunk Enterprise license and accept the End User License Agreement (EULA) presented for the Splunk App for NetApp Data ONTAP to work in your environment. Licensing requirements are driven by the volume of data your indexer processes.
Refer to the "Storage considerations" section above to determine your licensing volume. Contact your Splunk sales representative to purchase additional license volume or inquire about free trial licensing.
Refer to "How Splunk licensing works" in the Splunk Admin Manual for more information about Splunk licensing.
Backups and archiving
You can configure Splunk to back up both your indexed data and configuration data. You can configure Splunk to delete data based on either the size of the index or the age of data in the index. By default, Splunk deletes data if all of the data in a given archived index is 6 years old or more.
- For details on configuring backups in Splunk, refer to "Back up indexed data" and other topics in the Splunk Managing Indexers and Clusters manual.
- For details on configuring archive policy in Splunk, refer to "Set a retirement and archiving policy" in the Splunk Managing Indexers and Clusters manual.
Splunk Enterprise ships with a script located in $SPLUNK_HOME/etc/system/bin/ called external_lookup.py, which is a DNS lookup script that:
- if given a host, returns the IP address.
- if given an IP address, returns the host name.
The configuration for this script resides in $SPLUNK_HOME/etc/apps/splunk_app_netapp/default/transforms.conf.
[dnslookup] external_cmd = external_lookup.py clienthost clientip fields_list = clienthost,clientip
Netapp app is using this default external_lookup.py to resolve hostname in dashboard query.
What data the Splunk App for NetApp Data ONTAP collects
What a Splunk App for NetApp Data ONTAP deployment looks like
This documentation applies to the following versions of Splunk® App for NetApp Data ONTAP (Legacy): 2.1.91