Splunk® App for VMware (Legacy)

Installation and Configuration Guide

On August 31, 2022, the Splunk App for VMware will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for VMware Dashboards and Reports.
This documentation does not apply to the most recent version of Splunk® App for VMware (Legacy). For documentation on the most recent version, go to the latest release.

engine.conf.spec file

Taken from solutions/TA-vmware/1.0/package/default/engine.conf.spec

# ${copyright} 
#
# This file contains possible attribute / value pairs for configuring the behavior of a given
# engine instance.  This file is used in the Splunk App for VMware Forwarder Appliance.
#
# To learn more about configuration files (including precedence) please see the documentation 
# located at http://www.splunk.com/base/Documentation/latest/Admin/Aboutconfigurationfiles

#******************************************************************************
# This describes the format for the special [default] engine.conf stanza
#******************************************************************************

[default]
* This stanza is optional and defines default settings that are either global in nature or
  values that should be applied to all other stanzas in the given engine.conf file.
* Note:  There should be at most 1 [default] stanza in any given engine.conf file.
* Be careful when specifying settings in this stanza - these will affect all other stanzas
  in this file, which can lead to unintended side-effects.


#******************************************************************************
# The possible attribute / value pairs for the [default] stanza and their
# default values are as follows:
#******************************************************************************

fa = <Unique name of this FA instance>
* Optional.  If left unspecified, the default value is the FA's IP address.
* This is the name given to a specific FA; it should be set to a unique value for each FA
  across the entire solution.
* This setting is intended to only be used in the [default] stanza, not in regular stanzas.
* This setting determine the value of the "fa" field that is set in all events generated by
  the engine instances running in the FA.
* Since this is really just a string label, it can be any value (a unique name, short / long
  DNS hostname, IP address, etc.)

appFunctionMetrics = (ON|OFF)
* Optional.  Only one of the two values can be specified.
* This setting determines whether or not detailed internal performance metrics are gathered
  by the engine and is most useful for detailed debugging and performance profiling of the
  engine's internal operation.  The data contains information about key internal functions
  and important VMware API (SDK) functions.  When enabled, the data is captured and sent to
  the front-end (Splunk App for VMware) for additional analysis.
* This setting is typically used in the [default] stanza, not in regular stanzas.  It can be
  used in regular stanzas if there is a specific target VC machine or ESX/i host that only you
  want to gather data about (but not other ones).
* The default value is "OFF", so no data will be gathered.
* This setting causes additional data to be forwarded to the _internal index (with 
  sourcetype=vmware:_internal) and therefore uses some additional storage.  However, these
  events do not count towards daily licensing volume.

customInvSourceWhitelist = <regex>
* Optional.  The perl compatible regular expression that matches the inventory data sources you
  wish to *include* during data collection.  If your PCRE skills are rusty, just remember
  that source names should be separated by "|" (with no surrounding spaces) and you should be
  fine.
* This setting is used to provide very low-level, fine-grained control over the amount and
  kind of inventory data gathered.  It is used in conjunction with the "inventoryLevel"
  setting (see below).  The engine will only gather the inventory sources whose names match
  the terms of the regex.
* This setting is intended to be used only in the [default] stanza, not in regular stanzas.
  As a result, it can be applied to either VC machines or ESX/i hosts, as determined by which
  regular stanzas specify the "inventoryLevel" setting.
* Generally speaking, you should *not* attempt to use this setting unless you are a Splunk for
  VMware expert and understand exactly how the custom source list will affect the front-end
  (Splunk App for VMware).  The list of potential sources is very large, and it will be very
  easy to make the solution appear to break.
* NOTE: This setting is *only* applied when the "inventoryLevel=Custom" setting is placed in a
  stanza (see below).  It is ignored for all other cases (i.e. stanzas that do not have the
  "inventoryLevel" setting specified, or when it is set to "Required").
* Valid inventory source names map directly to objects in the VMware API Reference.  The
  list of valid source names is too large to list here.  Please see the VMware API Reference
  documentation for more information:
    http://www.vmware.com/support/developer/vc-sdk/visdk41pubs/ApiReference/index.html
  Look at the "Managed Object Types" and "Data Object Types" sections of the doc to see the
  available source names (can be found on the left side of the page).
* If this setting is not specified or it is left blank (no value), but "inventoryLevel=Custom"
  is set in a stanza, all sources are included in inventory collection in that stanza by
  default.
* Because sources can be specified with a regex, it is possible to capture many sources at
  once.  For example, if you want to collect all HostSystem-related inventory objects, most
  of them can be captured by including the string "Host" in the regex, which will match all
  source names that contain the string "Host".
* If both customInvSourceWhitelist and customInvSourceBlacklist are specified, a source is
  collected only when it matches the customInvSourceWhitelist regex but does *not* match
  the customInvSourceBlacklist regex.
* We recommend not using this setting at all and leaving "inventoryLevel" unspecified in
  stanzas so that "all" inventory data is collected.  If you filter out certain inventory
  sources, certain views in the front-end (Splunk App for VMware) will appear to break.

customInvSourceBlacklist = <regex>
* Optional.  The perl compatible regular expression that matches the inventory data sources you
  wish to *exclude* during data collection.  If your PCRE skills are rusty, just remember
  that source names should be separated by "|" (with no surrounding spaces) and you should be
  fine.
* This setting is used to provide very low-level, fine-grained control over the amount and
  kind of inventory data gathered.  It is used in conjunction with the "inventoryLevel"
  setting (see below).  The engine will not gather the inventory sources whose names match
  the terms of the regex.
* This setting is intended to be used only in the [default] stanza, not in regular stanzas.
  As a result, it can be applied to either VC machines or ESX/i hosts, as determined by which
  regular stanzas specify the "inventoryLevel" setting.
* Generally speaking, you should *not* attempt to use this setting unless you are a Splunk for
  VMware expert and understand exactly how the custom source list will affect the front-end
  (Splunk App for VMware).  The list of potential sources is very large, and it will be very
  easy to make the solution appear to break.
* NOTE: This setting is *only* applied when the "inventoryLevel=Custom" setting is placed in a
  stanza (see below).  It is ignored for all other cases (i.e. stanzas that do not have the
  "inventoryLevel" setting specified, or when it is set to "Required").
* Valid inventory source names map directly to objects in the VMware API Reference.  The
  list of valid source names is too large to list here.  Please see the VMware API Reference
  documentation for more information:
    http://www.vmware.com/support/developer/vc-sdk/visdk41pubs/ApiReference/index.html
  Look at the "Managed Object Types" and "Data Object Types" sections of the doc to see the
  available source names (can be found on the left side of the page).
* If this setting is not specified, but "inventoryLevel=Custom" is set in a stanza, no sources
  will be excluded from inventory collection in that stanza by default.
* If this setting is specified and left blank (no value), but “inventoryLevel=Custom” is set
  in a stanza, *all* sources will be excluded from inventory collection in that stanza by
  default.  In other words, don’t ever leave this setting blank.
* Because sources can be specified with a regex, it is possible to capture many sources at
  once.  For example, if you want exclude all HostSystem-related inventory objects from
  collection, most of them can be specified by including the string "Host" in the regex,
  which will match all source names that include the string "Host".
* If both customInvSourceWhitelist and customInvSourceBlacklist are specified, a source is
  collected only when it matches the customInvSourceWhitelist regex but does *not* match
  the customInvSourceBlacklist regex.
* We recommend not using this setting at all and leaving "inventoryLevel" unspecified in
  stanzas so that "all" inventory data is collected.  If you filter out certain inventory
  sources, certain views in the front-end (Splunk App for VMware) will appear to break.

hierarchyExpiration = <seconds>
* Optional.  If left unspecified, the default value is 900 (15 minutes).
* This is an advanced setting and typically should not be changed from the default value.
  Specifying a time above 30 minutes (1800 seconds) can cause certain hierarchy-based
  summary indexes in the front-end App to produce incorrect results.
* This setting is primarily used to set the time window over which the engine gathers the
  entire hierarchy data snapshot plus any wait time.  If a hierarchy snapshot completes in
  less than the specified time value, hierarchy collection will wait until the total time
  (execution + wait time) is equal to or greater than the specified value before starting
  again.
* When the time window expires, the engine will allow a new, full snapshot of the hierarchy
  data to start gathering.  It can be useful in large environments where the engine may
  take a long time to gather the entire hierarchy.  In these cases, the time expiration
  window should be set to a value that is slightly longer than the amount of time
  HierarchyDiscovery takes to gather the entire hierarchy from the entire environment.
* This setting is intended to be used only in the [default] stanza, not in regular stanzas.
  As a result, it can be applied to either VC machines or ESX/i hosts, as determined by which
  regular stanzas specify the "action=HierarchyDiscovery" setting.
* Note:  If you set the expiration window to a value that is too small relative to the
  hierarchy size, hierarchy data collection will "snap" to the next available time window.
  For example, if the window is set to 15 minutes, but collection takes 20 minutes, hierarchy
  data collection will not start again until the 30 minute mark.  While this does not cause
  immediate problems, it is best to set the window correctly to most efficiently gather the
  data as fast as possible.  This is particularly important if the VMware environment is
  undergoing a lot of changes over a short period of time or there is a strong desire to
  gather data and see changes as close to real-time as possible.  However, setting the
  expiration window too small can cause other problems, such as creating contention for engine
  execution time, and that can lead gaps in other kinds of data that the same engine instance
  is supposed to gather.  As a result, we do *not* recommend setting this value to be lower
  than 5 minutes because it can cause too much data collection and other problems, even in
  small environments.
* This setting can also be used as a coarse-grained way to control the amount of hierarchy data
  that the solution collects.  If your hierarchy doesn't change very often, or you are willing
  to live with using older data (vs. closer to real-time) as a way to keep licensing costs low,
  then you can set this value higher.  By setting the value higher, the engine will gather data
  less frequency - i.e. a bigger time window means that new, full hierarchy updates are
  collected less often.  However, note that the amount of hierarchy data collected is small
  relative to other kinds of data (e.g. logs, inventory, performance).  Therefore, from a
  practical standpoint, there may be little savings from limiting hierarchy data and it is
  normally better to fine-tune other data sources first.

hierarchyTimeSlot = <seconds>
* Optional.  If left unspecified, the default value is 10 seconds.
* This is the amount of time that HierarchyDiscovery will pull hierarchy data before stopping
  and letting another discovery module run.
* This setting is intended to only be used in the [default] stanza, not in regular stanzas.
  As a result, it can be applied to either VC machines or ESX/i hosts, as determined by which
  regular stanzas specify the "action=HierarchyDiscovery" setting.
* If the VMware environment is large, it may make sense to increase this value substantially.
  From a Splunk for VMware Solution perspective, the size of an environment is measured by the
  number of ESX/i hosts and VMs managed by VC instances.  Note that the number of ESX/i hosts
  under management by VCs may be much larger than the subset of hosts that the VMware Solution
  is supposed to monitor (as configured in one or more engine.conf files).  See the user
  documentation for a more detailed discussion of what a "large" environment looks like.  
* Generally, the time slot value can be increased when an engine instance is dedicated to
  hierarchy data collection because there is less risk of starving other data collection
  actions (e.g. inventory, performance, etc.)
* We recommend that this value be set smaller than the "interval" setting's value.

inventoryExpiration = <seconds>
* Optional.  If left unspecified, the default value is 900 (15 minutes).
* This is the amount of time that InventoryDiscovery will run before starting a new, full
  update of the inventory data.
* This is an advanced setting and typically should not be changed from the default value.
  Specifying a time above 2 hours (7200 seconds) can cause certain inventory-based
  summary indexes in the front-end App to produce incorrect results.
* This setting is primarily used to set the time window over which the engine gathers the
  entire inventory data set one time and only getting changes to existing objects.  When the
  time window expires, the engine will mark all inventory objects as "stale" and start to get
  a new, full update.  It is especially useful in large environments where the engine may take
  a long time to gather the entire inventory.  In the typical case, the time expiration
  window should be set to a value that is slightly longer than the amount of time
  InventoryDiscovery takes to gather the entire inventory from the target VC machine or ESX/i
  host.
* This setting is intended to only be used in the [default] stanza, not in regular stanzas.
  As a result, it can be applied to either VC machines or ESX/i hosts, as determined by which
  regular stanzas specify the "action=InventoryDiscovery" setting.
* Note:  If you set the expiration window to a value that is too small relative to the
  inventory size, inventory collection can "back up" because the engine will start updating
  existing inventory data while also still trying to gather new inventory objects.  This can
  cause problems, the biggest of which is contention for engine execution time, and that can
  lead gaps in other kinds of data that the same engine instance is supposed to gather.  As a
  result, we do *not* recommend setting this value to be lower than 15 minutes because it can
  cause too much data collection and other problems, even in small environments.
* This setting can also be used as a coarse-grained way to control the amount of inventory data
  that the solution collects.  If your inventory doesn't change very often, or you are
  willing to live with using older data (vs. closer to real-time) as a way to keep licensing
  costs low, then you can set this value higher.  By setting the value higher, the engine will
  gather data less frequency - i.e. a bigger time window means that new, full inventory updates
  are collected less often.


#******************************************************************************
# This describes the format for a regular engine.conf stanza
#******************************************************************************

[<server spec>]
* The stanza name (<server_spec>) should not contain underscores ("_").
* Each stanza in engine.conf defines the specific data collection and other behaviors that
  the engine should use for each vCenter Server (VC) and / or ESX/i host that it interacts with.
* Each stanza in a given engine.conf file *must* have a unique name.  The exact value used
  for the stanza name is not terribly important, as long as it is unique.
* The attributes defined under each stanza heading are used to set specific properties for
  a given VMware entity targeted by the stanza (i.e. a VC machine or ESX/i host) .  Note: A
  stanza can only target one VMware machine at a time as defined by the url setting (see below).
* For recommendations on how best to structure your engine.conf file(s) and define stanzas
  appropriately for different kinds and sizes of VMware environments, please refer to the user
  documentation.
* Note:  it is common practice to repeat target machines (VCs or ESX/i hosts) in stanzas but use
  different "action" settings (see below) in order to closely control the data gathering
  behavior of an engine instance.


#******************************************************************************
# The possible attribute / value pairs for regular engine.conf stanzas and their
# default values are as follows:
#******************************************************************************

url = <URL>
* The URL to connect to; it is the same value as the variable VI_URL in the VMware SDK.
* The value has the following format:  https://<host name or ip address>/sdk/webService
* This setting determines which target VC machine or ESX/i host that the engine will connect
  to and gather data from.
* This setting is intended to only be used in regular stanzas, not in the [default] stanza.
  It can be used to target both VC machines and ESX/i hosts for data collection.

username = <username>
* The username to login to the url; it is the same value as the variable VI_USERNAME in
  the VMware SDK.
* This setting is not needed if you have created a credentials.conf file and it contains a
  stanza that includes the VC or ESX/i host specified by the given stanza.
* This setting is generally intended to only be used in regular stanzas, but it can also be
  placed in the [default] stanza if all stanzas are supposed to use the same username
  setting.  It can be applied to either VC or ESX/i host stanzas.

password = <password>
* The password to login to the url; it is the same value as variable VI_PASSWORD in the
  VMware SDK.
* This setting is not needed if you have created a credentials.conf file and it contains a
  stanza that includes the VC or ESX/i host specified by the given stanza.
* This setting is generally intended to only be used in regular stanzas, but it can also be
  placed in the [default] stanza if all stanzas are supposed to use the same password
  setting.  It can be applied to either VC or ESX/i host stanzas.

host = <name>
* Optional, but we recommend setting this for all stanzas that target VC machines and
  "unmanaged" ESX/i hosts.  An unmanaged ESX/i host is one that is not managed by any VC
  instance.
* This setting is intended to only be used in regular stanzas, not in the [default] stanza.
  It can be applied to either VC or ESX/i host stanzas.
* For a VC machine or an unmanaged ESX/i host, this setting is important because it becomes
  the value of the "host" field for all data events generated by the engine.  Since this is
  really just a string label, it can be any value (a unique name, short / long DNS hostname,
  IP address, etc.)
* For VC machines, this should be set to the "VC instance name" - i.e. the name of the root
  node in the VC's "Hosts and Clusters" view as seen in the vSphere Client.
* For unmanaged ESX/i hosts, this value should be the same as the first name in /etc/hosts
  in the ESX/i host. With the requrement satisfied, it is best to set this value to a label
  that is similar to the host's fully qualified domain name (if it were present in DNS).
* If left unspecified for a VC machine or an unmanaged ESX/i host, the default value is the
  host name or IP address used in the url setting.
* For a "managed" ESX/i host (one that is managed by a VC instance), this setting is ignored.
  Instead, the value of the "host" field is set automatically based on the name of the host
  as shown in the "Hosts and Clusters" tree view within VC.

action = <module-list>
* Optional. The list of modules (delimited by commas) to run against the specified machine
  (as determined by the url setting).  Each module gets a particular kind of data from VMware
  and sends it to the relevant Splunk indexer(s) as determined by outputs.conf.
* This setting is typically given values based on the kind of machine to get data from (e.g. a
  VC machine or an ESX/i host).  Even if this value is not present, the TimeDiscovery action
  will be performed.
* This setting is generally intended to only be used in regular stanzas, but it can also be
  placed in the [default] stanza if all stanzas are supposed to use the same action setting.
  Putting this setting in the [default] stanza would be unusual because it is typically most
  useful to get different kinds of data from different kinds of machines, which implies that
  most "action" settings will be different from stanza to stanza (e.g. VC machines provide
  different kinds of data vs. ESX/i hosts).  The obvious exception to this is when a given
  engine instance (and its engine.conf file) only covers one or two actions that are common
  across all of the stanzas.  For example, this might happen when an engine instance is
  dedicated to getting hierarchy data, and therefore all stanzas would have the setting
  "action=HierarchyDiscovery".  It can be applied to either VC or ESX/i host stanzas.
* The only time that the action setting should be unspecified or set to blank (no value), is
  when telling the Engine how to reach a particular VC instance but gather no data.  This
  should only be done when an engine.conf file tells the engine to get performance data from
  an ESX/i host (using the PerfDiscovery action) and doesn't actually need to get other kinds
  of data from VC.
* Available discovery actions are:
  - InventoryDiscovery
  - HierarchyDiscovery
  - PerfDiscovery
  - EventDiscovery
  - TaskDiscovery
  - LogDiscovery
* Note:  Each action may have some special constraints, as follows:
  a) InventoryDiscovery:  For inventory, there are no special constraints other than paying
     careful attention to inventory collection times and setting inventoryExpiration
     appropriately (see above for a description).
     - Note:  In almost all circumstances, this action should only be applied to VC or
     unmanaged ESX/i host stanzas (i.e. ESX/i hosts that are not managed by any VC).
     Inventory data for managed ESX/i hosts is collected via VC.
  b) HierarchyDiscovery:  For hierarchy, there is 1 special constraint beyond paying careful
     attention to hierarchy collection timing by setting the hierarchyExpiration and / or
     hierarchyTimeSlot appropriately (see above for descriptions).  In order to make the
     solution work properly, all stanzas with "action=HierarchyDiscovery" *must* be run by the
     same engine instance.  Therefore, all stanzas with hierarchy actions must be located in a
     single engine.conf file.  This is currently needed in order to ensure that all hierarchy
     data is captured in a single "snapshot".  In a future release, multiple concurrent
     hierarchy snapshots will be supported and this restriction will be removed.  But for now,
     it is important not to place HierarchyDiscovery actions in different engine.conf files.
     - Note:  Under normal circumstances, this action should be applied to every VC and ESX/i
     host (managed and unmanaged) to be monitored by the solution.
  c) PerfDiscovery:  In order to make the solution handle performance data properly, if a
     stanza gets performance data from a managed ESX/i host, a stanza for its associated VC
     machine *must* also be placed in the same engine.conf file.  The "action" field in the VC
     stanza can be missing or blank if no other kinds of data need to be gathered from the given
     VC in the given engine instance.  That is, what matters is that the engine knows how to
     reach the host's associated VC (using the url setting).
     Here are some clarifying examples:
     - Example 1:  Assume that VC #1 manages ESX/i host "A" (i.e. it is a "managed" host) and 
     there is already a stanza to get data from VC #1 in the engine.conf file.  In this case,
     there is no need to do anything special.  Simply specify the "A" ESX/i host's stanza
     normally (with "action=PerfDiscovery,...") and the solution will work properly.
     - Example 2:  Assume that VC #1 manages ESX/i host "A" but there is no stanza to get data
     from VC #1 in the engine.conf file because a different engine instance is getting VC
     inventory data (and thus the inventory data gathering configuration is in a different
     engine.conf file).  In this case, you *must* place a stanza for VC #1 in the engine.conf
     file anyway and the solution will work properly.  In this case, the VC #1 stanza can have
     "action=" or simply be left unspecified.
     - Note:  Under normal circumstances, this action should be applied to every ESX/i host
     (managed or unmanaged) to be monitored for performance data.  It should also be applied to
     every VC to be monitored by the solution and used in conjunction with the
     perfManagedEntityWhitelist setting to limit the amount of performance data collected from
     VC (see description below).
  d) EventDiscovery:  For VMware events, there are no special constraints.  Note:  Under normal
     circumstances, this action should only be applied to VC or unmanaged ESX/i host stanzas
     (i.e. ESX/i hosts that are not managed by any VC).  VMware event data for managed ESX/i
     hosts is collected via VC.
  e) TaskDiscovery:  For VMware tasks, there are no special constraints.  Note:  Under normal
     circumstances, this action should be applied to every VC and ESX/i host (managed and
     unmanaged) to be monitored by the solution.
  f) LogDiscovery:  For ESX/i host logs, there are no special constraints.  Note:  Under normal
     circumstances, this action should only be applied to ESX/i host stanzas (managed or
     unmanaged).  VC log data is collected via the vCenter Server Add-on solution component.
  For more information about this topic, please see the user documentation explanation of
  special constraints on engine.conf files.

disabledAction = <module-list>
* Optional. The list of modules (delimited by commas) to disable.
* This value has higher priority than the action setting.
* This setting is intended to only be used in regular stanzas, not in the [default] stanza.
  It can be applied to either VC or ESX/i host stanzas.
* This setting is rarely used.  It is really only useful when a set of actions has been
  specified in the [default] stanza (which is unusual) and this setting is used to selectively
  turn off some of the default actions.

interval = <seconds>
* Optional.  This is the amount of time (in seconds) that the Engine waits in-between invoking
  different actions in a given stanza.  If this value is not present, a default value of 3
  seconds will be used.
* For example, if an Engine.conf stanza shows "Action=InventoryDiscovery, HierarchyDiscovery",
  then the engine will invoke InventoryDiscovery (which will run until it hits a stopping
  point), then the engine will then wait 3 seconds before it calls HierarchyDiscovery.
* This setting is generally intended to only be used in regular stanzas, but it can also be
  placed in the [default] stanza if all stanzas are supposed to use the same interval setting.
  Putting this setting in the [default] stanza would be unusual because it is typically most
  useful to get different kinds of data at different intervals, which implies that most
  "interval" settings will be different from stanza to stanza based on the action, which
  determines the type of data to collect (e.g. task data is collected at a different interval
  vs. performance data).  The obvious exception to this is when a given engine instance (and
  its engine.conf file) only covers one or two actions that have a common interval across all
  of the stanzas.  For example, this might happen when an engine instance is dedicated to
  getting hierarchy data at a common interval (e.g. 3 seconds), and therefore all stanzas
  would have the setting "interval=3".  It can be applied to either VC or ESX/i host stanzas.

invBlacklist = <regex>
* Optional.  The perl compatible regular expression that matches the managed entities to
  filter out of inventory collection.  If your PCRE skills are rusty, just remember that
  entity names should be separated by "|" (with no surrounding spaces) and you should be
  fine.
* This setting is used to provide high-level control over the amount of inventory data to
  be collected.  When combined with other inventory data controls (e.g. inventoryLevel),
  this can provide decent control over the amount and kinds of inventory data that the
  engine should collect.  Both the invBlacklist and inventoryLevel can be specified at the
  same time.  By default, inventory collection covers all of the major managed entities
  and their children.  The invBlacklist is first applied (to eliminate large parts of the
  inventory tree at the managed entity level), and then the inventoryLevel will be applied
  (to select only specific sources out of what is left).
* This setting is generally intended to be only used in regular stanzas, but it can also be
  placed in the [default] stanza if all stanzas are supposed to use the same blacklist
  setting.  It can be applied to either VC or ESX/i host stanzas.  It should only be used in
  stanzas where the "action=InventoryDiscovery" setting is specified.
* Managed entities are key high-level inventory objects.  Most other inventory objects are
  lower-level children of a managed entity.  If a given managed entity is filtered out using
  the blacklist, then its children are also filtered out.  For example, if HostSystems are
  blacklisted from inventory data collection, then related child objects like vNICs and
  vHBAs will also be filtered out.
* Valid managed entities are:
  - ClusterComputeResource
  - ComputeResource
  - Datacenter
  - Folder
  - HostSystem
  - ResourcePool
  - VirtualMachine
* If this value is not present, all of the above managed entities are collected.
* We recommend leaving this setting unspecified so that inventory data for all types of
  managed entities are gathered.  If you filter out certain types of managed entities,
  certain views in the front-end (Splunk App for VMware) will appear to break.

inventoryLevel = (All | Required | Custom)
* Optional.  Only one of the three values can be specified.
* This setting is used to provide fine-tune controls on the amount of inventory data to
  be collected.  When combined with other inventory data controls (e.g. invBlacklist), this
  can provide decent control over the amount and kinds of inventory data that the engine
  should collect.  Both the invBlacklist and inventoryLevel can be specified at the
  same time.  By default, inventory collection covers all of the major managed entities and
  their children.  The invBlacklist is first applied (to eliminate large parts of the
  inventory tree at the managed entity level), and then the inventoryLevel will be applied
  (to select only specific sources out of what is left).
* This setting is generally intended to be used only in regular stanzas, but it can also be
  placed in the [default] stanza if all stanzas are supposed to use the same inventoryLevel
  setting.  It can be applied to either VC or ESX/i host stanzas.  It should only be used in
  stanzas where the "action=InventoryDiscovery" setting is specified.
* The default value is "All", and data about all available inventory sources will be gathered.
* If set to "Required", only a small set of predefined sources are collected - i.e. the sources
  that are needed to populate all of the views in the front-end (Splunk App for VMware).
* If set to "Custom", the customInvSourceWhitelist and customInvSourceBlacklist settings
  are used to determine exactly which sources will be gathered (see above).
* We recommend leaving this setting unspecified so that all inventory data is gathered.  If
  you choose a custom level and forget to specify certain required types of inventory data,
  certain views in the front-end (Splunk App for VMware) will appear to break.

perfManagedEntityWhitelist = <regex>
* Optional. The perl compatible regular expression that matches the managed entities
  types you wish to gather performance data about.  If your PCRE skills are rusty, just
  remember that entity names should be separated by "|" (with no surrounding spaces) and you
  should be fine.
* This setting is used to provide high-level control over the amount of performance data
  to collect.  It is used to select specific managed entities and add them to the performance
  data collection action.  When combined with mid-level performance data type controls (e.g.
  perfTypeWhitelist), this can provide fairly fine-grained control over the amount and kinds
  of performance data that the engine should collect.  Both whitelists can be specified at
  the same time.  The managed entity list is applied first (to select specific managed
  entities), and then the performance data type list is applied (to select the types of
  performance data on the given managed entities to collect).
* This setting is generally intended to be used only in regular stanzas, but it can also be
  placed in the [default] stanza if all stanzas are supposed to use the same whitelist
  setting.  It can be applied to either VC or ESX/i host stanzas.  It should only be used
  in stanzas where the "action=PerfDiscovery" setting is specified.
* The allowed entity names are:
  - ClusterComputeResource
  - HostSystem
  - ResourcePool
  - VirtualApp
  - VirtualMachine
* If this setting is not present, or no value is provided, all of the above managed
  entities are collected.
* We recommend setting perfManagedEntityWhitelist to the value "ClusterComputeResource"
  when getting performance data from VC (i.e. in a stanza with a url setting pointed at a
  VC machine) and to simply omit this setting for stanzas that get data from ESX/i hosts.
  If you forget to specify certain types of performance data, certain views in the
  front-end (Splunk App for VMware) will appear to break.

perfTypeWhitelist = <regex>
* Optional. The perl compatible regular expression that matches the type of performance
  data you wish to collect.  If your PCRE skills are rusty, just remember that performance
  data type names should be separated by "|" (with no surrounding spaces) and you should be
  fine.
* This setting is used to provide mid-level control over the types of performance data to
  collect.  It is used to select specific types of performance data and add them to the
  performance data collection action.  When combined with managed high-level managed entity
  controls (e.g. perfManagedEntityWhitelist), this can provide fairly fine-grained control
  over the amount and kinds of performance data that the engine should collect.  Both
  whitelists can be specified at the same time.  The managed entity list is applied first
  (to select specific managed entities), and then the performance data type list is applied
  (to select the types of performance data on the given managed entities to collect).
* This setting is generally intended to be used only in regular stanzas, but it can also be
  placed in the [default] stanza if all stanzas are supposed to use the same whitelist
  setting.  It can be applied to either VC or ESX/i host stanzas.  It should only be used
  in stanzas where the "action=PerfDiscovery" setting is specified.
* The allowed performance type values include:
  - cpu
  - disk
  - net
  - mem
  - power
  - vmop
  - dStore (datastore)
  - clSvcs (clusterServices)
  - mAgent (managementAgent)
  - sAdapt (storageAdapter)
  - sPath  (storagePath)
  - resCpu (rescpu)
  - vDisk  (virtualDisk)
  - vcDbg  (vcDebugInfo)
  - vcRes  (vcResources)
  - sys    (system)
* If this value is not present, all of the above performance types are collected.
* We recommend leaving this setting unspecified so that all types of performance data are
  gathered.  If you forget to specify certain types of performance data, certain views in
  the front-end (Splunk App for VMware) will appear to break.

perfLevel = <level>
* Optional.  Valid levels are 1, 2, 3, or 4 (note: only one "level" value can be set at a
  time.)  The default level is 4.
* This setting is used to provide high-level control over the amount of performance data
  gathered from VC machines.
* This setting is generally intended to be used only in regular stanzas, but it can also be
  placed in the [default] stanza if all stanzas are supposed to use the same perfLevel
  setting.  It can only be applied to VC stanzas.  It should only be used in stanzas where
  the "action=PerfDiscovery" setting is specified.
* It defines the amount of performance data that the engine will gather by "level".  Each
  performance metric in VMware has an associated "level".  This is explained in the VMware
  API Reference:
    http://www.vmware.com/support/developer/vc-sdk/visdk41pubs/ApiReference/vim.HistoricalInterval.html#level
  The higher the level, the more performance metrics that will be gathered.
* This setting can only be used in a VC stanza (i.e. in a stanza with a url setting pointed
  at a VC machine) because only VC machines classify performance metrics by level.  In other
  kinds of stanzas, the setting will be ignored.
* Each level value includes all of the metrics with lower level values.  For example, if
  the <level> is set to "2", the engine will collect all level 1 and 2 performance counters.
* This setting does NOT affect the amount of data collected by vSphere itself; it only
  affects the amount of performance data that the engine collects from VC and ESX/i hosts
  using the "level" mechanism that they already understand.

perfInstanceData = (ON|OFF)
* Optional. Only one of the two values can be specified.
* This setting is used to provide high-level control over the amount of performance data to
  collect. It is used to specify whether instance data should be collected or not. Instance
  identifies specific devices reporting a type of metric. For example, vmnic0 stands for a
  virtual Ethernet adapter. For the definition of instance data, please see
  http://pubs.vmware.com/vsphere-50/topic/com.vmware.wssdk.pg.doc_50/PG_Ch16_Performance.18.2.html .
* If the setting is "OFF", engine will not collect instance data, but still collect aggregate
  data. When combined with entity controls (e.g. perfManagedEntityWhitelist)
  and data type controls (e.g. perfTypeWhitelist), this can provide fairly fine-grained
  control over the amount and kinds of performance data that the engine should collect.
* This setting is generally intended to be used only in regular stanzas, but it can also be
  placed in the [default] stanza if all stanzas are supposed to use the same whitelist
  setting. It can be applied to either VC or ESX/i host stanzas. It should only be used
  in stanzas where the "action=PerfDiscovery" setting is specified.
* The default value is "OFF". If this setting is not present, or no value is provided,
  only aggregate data is collected.

perfInstanceDataPerfTypeBlacklist  = (All|None|<perftype-list>)
* Optional. This value can be set to "All", "None", or a perftype-list.  The perftype-list is a 
  list of perftype delimited by "|".  Here are the performance type that has performance data for 
  its instance and the meaning of instance.
  - cpu : core of CPU
  - disk : individual disk
  - mAgent : individual managementAgent(hostd, vpxd, and so on)
  - net : individual physical or virtual NICs and other network devices (such as virtual switch)
  - sPath : specific storage path
  - sys : the phsycial system resource 
  - vDisk : individual virtual disk
* This setting is used to adjust the type of instance data only when perfInstanceData is "ON".  
  If this value is set to "All", it is equivalent to set perfInstanceData to "OFF".  In short, 
  perfInstanceData has higher priority than this field.
* This setting is generally intended to be used only in regular stanzas, but it can also be placed 
  in the [default] stanza if all stanzas are supposed to use the same setting. It can be applied to 
  either VC or ESX/i host stanzas. It should only be used in stanzas where the "action=PerfDiscovery" 
  setting is specified.
* The default value is "sys|cpu|mAgent" which reports performance data for disk related and network 
  instances.
  
eventHistory = <hours>
* Optional. The event history specifies the number of hours you wish to go back in time to
  collect VMware events.
* This setting is generally intended to be used only in regular stanzas, but it can also be
  placed in the [default] stanza if all stanzas are supposed to use the same eventHistory
  setting.  It can be applied to either VC or ESX/i host stanzas.  It should only be used in
  stanzas where the "action=EventDiscovery" setting is specified.
* Increasing the eventHistory value increases the amount of time the EventDiscovery
  module takes on its first pass, which increases the time it takes for Splunk to start
  processing data from VMware.
* If this value is not present, event collection starts at the time when the EventDiscovery
  module begins running.

eventWhitelist = <regex>
* Optional. The perl compatible regular expression that matches the types of VMware event 
  data you wish to collect.  If your PCRE skills are rusty, just remember that event names
  should be separated by "|" (with no surrounding spaces) and you should be fine.
* This setting is generally intended to be used only in regular stanzas, but it can also be
  placed in the [default] stanza if all stanzas are supposed to use the same whitelist
  setting.  It can be applied to either VC or ESX/i host stanzas.  It should only be used in
  stanzas where the "action=EventDiscovery" setting is specified.
* The value matches event types, which can be found in the VMware API Reference:
    http://www.vmware.com/support/developer/vc-sdk/visdk41pubs/ApiReference/index.html
* If this value is not present, all available VMware event types will be collected.

logWhitelist = <regex>
* Optional. The perl compatible regular expression that matches log files to be collected.
  If your PCRE skills are rusty, just remember that log file names should be separated by "|"
  (with no surrounding spaces) and you should be fine.
* This setting is generally intended to be used only in regular stanzas, but it can also be
  placed in the [default] stanza if all stanzas are supposed to use the same whitelist
  setting.  It can only be applied to ESX/i host stanzas.  It should only be used in
  stanzas where the "action=LogDiscovery" setting is specified.
* Valid values for an ESXi host are:
    /var/log/vmware/hostd.log
    /var/log/messages
    /var/log/vmware/vpx/vpxa.log
* Valid values for an ESX host are:
    /var/log/vmware/hostd.log
    /var/log/messages
    /var/log/vmware/vpx/vpxa.log
    /var/log/vmkernel
    /var/log/vmksummary.txt
    /var/log/vmkwarning
* The value is matched against the full log file name and path on the ESX/i host.  Since a
  PCRE is used for matching, it is sufficient to simply give the short form of the log
  name.  For example, you can specify "hostd" to get the hostd.log file – you do *not*
  need to specify the full path.
* If this value is not present, all logs will be collected.

taskHistory = <hours>
* Optional. The task history specifies the number of hours you wish to go back in time to
  collect tasks.
* This setting is generally intended to be used only in regular stanzas, but it can also be
  placed in the [default] stanza if all stanzas are supposed to use the same taskHistory
  setting.  It can be applied to either VC or ESX/i host stanzas.  It should only be used
  in stanzas where the "action=TaskDiscovery" setting is specified.
* Increasing the taskHistory value increases the amount of time the TaskDiscovery
  module takes on its first pass, which increases the time it takes for Splunk
  to start processing data from VMware.  Given that task collection is a relatively short
  operation anyway, the added time should not have a big impact.
* If this value is not present, it defaults to 5 times the "interval" value (in seconds).
Last modified on 19 September, 2012
engine.template   credentials.conf example

This documentation applies to the following versions of Splunk® App for VMware (Legacy): 1.0.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters