Splunk® App for VMware (Legacy)

Installation and Configuration Guide

On August 31, 2022, the Splunk App for VMware will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for VMware Dashboards and Reports.
This documentation does not apply to the most recent version of Splunk® App for VMware (Legacy). For documentation on the most recent version, go to the latest release.

Data collection in one engine.conf file

A single engine.conf for a small environment

This is a single engine.conf file example. It assumes the environment has 1 VC managing 3 ESX/i hosts and 2 unmanaged ESX/i hosts. Given that the number of ESX/i hosts is small, we can collect data using a single FA VM. Due to the small environment size, we can use the "simple" inputs.conf example that leverages the default engine instance.

Environment specification

  • 1 VC, called VC1.
  • 3 ESX/i hosts managed by VC 1.
  • 2 unmanaged ESX/i hosts.

Types of data collected

  • Hierarchy.
  • Inventory.
  • Task.
  • Event.
  • Logs.
  • Performance.

Recommended solution

  • Use 1 FA VM.
    • FA VM 1: Called splunkfa1.
  • Use a single engine instance, the default engine instance, that collects all performance, log, and tasks and events data for VC1.


  • Use a default stanza to assign certain settings once.
  • Set the fa name to the value you used for the FA VM's OS hostname (during FA VM configuration steps).
  • This example assumes that the FA VM's OS hostname was set to "splunkfa1".
  • In a small environment you do not need to reset expiration timers.
[default]
fa = splunkfa1
  • Use a single stanza to get all 5 types of data from VC.
  • It is important to assign the host setting for VC machines to match the "VC instance name".
  • This example assumes that the VC instance name for VC1 is “VMWARE-VC1”.
[vc1]
url = https://vc1.company.com/sdk/webService
host = VMWARE-VC1
username = <vc_splunk_username>
password = <vc_splunkuser_password>
action = HierarchyDiscovery, InventoryDiscovery, PerfDiscovery, TaskDiscovery, EventDiscovery
perfManagedEntityWhitelist = ClusterComputeResource
interval = 1
  • Use a single stanza to get all 3 types of data from each ESX/i host.
  • We already have a stanza for this ESX/i host's managing VC in this file, so there is no need to add a blank VC stanza.
  • As the first 3 ESX/i hosts are managed, you don't need to assign the host setting.
[host1inVC1]
url = https://host1_in_vc1.company.com/sdk/webService
username = <esx_splunk_username>
password = <esx_splunk_password>
action = PerfDiscovery, LogDiscovery
interval = 1

[host2inVC1]
url = https://host2_in_vc1.company.com/sdk/webService
username = <esx_splunk_username>
password = <esx_splunk_password>
action = PerfDiscovery, LogDiscovery
interval = 1

[host3inVC1]
url = https://host3_in_vc1.company.com/sdk/webService
username = <esx_splunk_username>
password = <esx_splunk_password>
action = PerfDiscovery, LogDiscovery
interval = 1
  • We know that host 4 is an unmanaged ESX/i host so you must assign the host setting explicitly. Unmanaged ESX/i hosts never need a blank VC stanza.
  • Give the host setting the same value as the ESX/i host's "fully qualified hostname".
  • This example assumes that the ESX/i host's fully qualified hostname is host4unmanaged.company.com.
[host4unmanaged]
url = https://host4unmanaged.company.com/sdk/webService
host = host4unmanaged.company.com
username = <esx_splunk_username>
password = <esx_splunk_password>
action = HierarchyDiscovery, InventoryDiscovery, PerfDiscovery, LogDiscovery
interval = 1
  • We know that host 5 is an unmanaged ESX/i host.
  • This example assumes that the ESX/i host's fully qualified hostname is host5unmanaged.company.com
[host5unmanaged]
url = https://192.168.1.120/sdk/webService
host = host5unmanaged.company.com
username = <esx_splunk_username>
password = <esx_splunk_password>
action = HierarchyDiscovery, InventoryDiscovery, PerfDiscovery, LogDiscovery
interval = 1
Last modified on 11 January, 2013
A simple engine.conf   Data collection split between two engine.conf files

This documentation applies to the following versions of Splunk® App for VMware (Legacy): 1.0, 1.0.1, 1.0.2, 1.0.3


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters