Install the Splunk OVA for VMware
Use the instructions below to install the Splunk OVA for VMware onto your Splunk platform deployment. The Splunk OVA for VMware cannot be installed using a GUI.
Data Collection Node resource requirements
DCNs communicate with the Distributed Collection Scheduler, which run on the Splunk scheduler, to retrieve performance, inventory, hierarchy, task, and event data from vCenter servers.
- Each Data Collection Node (DCN) needs at least one CPU core for every 10 hosts from which the DCN is collecting data.
- Splunk recommends that you estimate the number of CPUs needed for your worker processes with the expectation that a CPU in your deployment will eventually fail at some point. Splunk recommends that you provision at least one extra CPU in order to help promote capacity and availability in your deployment.
Each DCN polls information for up to 40 ESXi hosts and 1,000 virtual machines. With this sizing, a site pulling information from 200 hypervisors and 5,000 VMs needs to create at least 5 DCNs.
DCN virtual appliance sizing is as follows:
- 4 CPU cores with 2GHz reserved
- 6GB Memory with a reservation of 1GB
- 12 GB storage
In a Search Head Clustering (SHC) deployment, the DCN Scheduler must not be deployed on any individual Search Head in the SHC. The DCN Scheduler must be deployed on a dedicated search head.
To ensure reliable communication between systems, use static IP addresses and dedicated host names for each DCN. See Collect Data from vCenter Server systems using the VMware API.
Install the Splunk OVA for VMware in your virtual environment
- Open the vSphere client and log into vCenter Server.
- Invoke the OVA template wizard. Click File > Deploy OVF Template.
- In the Deploy OVF Template wizard click Deploy from a file or URL, then click Browse…
- Browse to the location of your OVA file,
splunk_data_collection_node_for_vmware_<version>-<build_number>.ova
, then click Next.- Note: You can not download the file directly from the URL. Splunk Apps requires that you be authenticated via a supported web browser before you begin your download.
- Review the OVF template details, then click Next
- In the Name and Location screen provide a new name for the node VM. (You can use the default name, if you want.)
- Select a data center or folder as the deployment destination for the node VM, then click Next.
- On the Host / Cluster screen, select the specific host or cluster where you would like to run the node VM, then click Next.
- In the Datastore screen, choose the datastore where you want the VM and its filesystem to reside. The datastore can be from 4GB to 10GB. Click Next.
- On the Disk Format screen, select either Thin or Thick Provisioning, then click Next. We recommend thick provisioning.
- On the Network Mapping screen, to specify the networks that you want the deployed template to use. Use the Destination Networks menu to map your data collection node
.ova
template to one of the networks in your inventory. - Validate your selections in the Ready to complete dialog, then select Next to begin deployment.
- Once deployed, click Close to complete the installation and exit the wizard.
- Resource your VM according to the data collection node resource requirements listed above.
- Locate the collection node VM in the vSphere Client tree view.
- Right-click on the collection node VM and choose Power > Power On from the menu to start the VM. When you power on the data collection node, Splunk starts automatically even though the VMware data collection mechanism is not configured. By default, the node VM boots and gets its network settings via DHCP. You can keep this default setting or you can set a static IP address. If you use DHCP, check the Summary tab in the vSphere client to get the IP address of the node VM.
- To ssh into the data collection node use the default username and password (
splunkadmin/changeme
). You automatically land in/home/splunkadmin
. - Your Splunk platform is installed in
/home/splunkadmin/opt
. - Set up forwarding to the port on which the Splunk indexer(s) is configured to receive data. See "Enable forwarding on a Splunk Enterprise instance" in the Forwarding Data manual.
- The default password for Splunk's admin user is
changeme
. This is true for all Splunk instances. We recommend that you change the password using the CLI for this forwarder.splunk edit user admin -password 'newpassword' -role admin -auth admin:changeme - Start your Splunk platform instance.
Now you can configure the DCNs and the Splunk settings for each DCN.
Create your own data collection node
You can build a data collection node and configure it specifically for your environment. Create and configure this data collection node on a physical machine or as a VM image to deploy into your environment using vCenter.
Build a data collection node
Whether you are building a physical data collection node or a data collection node VM follow the steps below. To build a data collection node VM we recommend that you follow the guidelines set by VMware to create the virtual machine and deploy it in your environment.
To build a data collection node:
- Install a CentOS or RedHat Enterprise Linux version that is compatible with Splunk Enterprise version 6.0.1 or later.
- Install Splunk Enterprise version 6.2.0 or later, and configure it as a heavy forwarder. Note: You cannot use a universal forwarder. It lacks necessary python libraries.
- Download the
Splunk_add-on_for_vmware-<version>-<build_number>.tgz
from Splunkbase. - Copy the file
Splunk_add-on_for_vmware-<version>-<build_number>.tgz
from the download package to$SPLUNK_HOME/etc/apps
. - Extract the file
splunk_add_on_for_vmware-<version>-<build_number>.tgz
from$SPLUNK_HOME/etc/apps
. - Verify that the data collection components SA-Utils, SA-Hydra, Splunk_TA_vmware, and Splunk_TA_esxilogs exist in
$SPLUNK_HOME/etc/apps
. - Verify that the firewall ports are correct. The DCN communicates with splunkd on port 8089. The DCN communicates with the scheduler node on port 8008.
- After deploying the collection components, add the forwarder to your scheduler's configuration. To do this, see [[Documentation:OVAVMW:OVADCNVMW:ConfiguretheSplunkOVAforVMWare:latest|Configure the Splunk OVA for VMWare] in this manual.
- Change the Splunk administrator account password or set
allowRemoteLogin = always
inserver.conf
. The default credentials for the Splunk user areadmin/changeme
. To access splunkd on this forwarder from the scheduler, change the password. Use the following command for this forwarder../splunk edit user admin -password 'newpassword' -role admin -auth admin:changeme
Note: Set up forwarding to the same port that the Splunk indexer uses.
Learn More
- See the "deploy a heavy forwarder" section of the Splunk Enterprise Forwarding Data manual to learn how to deploy a heavy forwarder.
- See "Use forwarders to get data in" in the Splunk Enterprise Forwarding Data manual to learn more about forwarder configuration.
About the Splunk OVA for VMware | Configure the Splunk OVA for VMWare |
This documentation applies to the following versions of Splunk® OVA for VMware and NetApp: 3.3.1
Feedback submitted, thanks!