Splunk® App for VMware (Legacy)

Installation and Configuration Guide

On August 31, 2022, the Splunk App for VMware will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for VMware Dashboards and Reports.
This documentation does not apply to the most recent version of Splunk® App for VMware (Legacy). For documentation on the most recent version, go to the latest release.

Modifying configuration files

As a Splunk administrator you can deep dive into how the engine configuration works so that they can fine tune data collection in your environment. Troubleshooting your environment is also best done manually. Having an understanding of the files and configurations set up for your environment enables you to deep dive and solve problems that may otherwise take longer to diagnose. To understand engine.conf in more detail we manually create a simple engine.conf file.

To configure engine.conf and inputs.conf on larger scales to meet the needs of your environment, see "Scaling your deployment" in this manual. To look at configuration file examples, see "engine.conf examples" in this manual.

Create engine.conf and inputs.conf files

This example uses the most basic case to configure the engine to collect data in a small scale environment. We define a small scale environment to be small C, one that is managing 10 or fewer ESX/i hosts in total, and a small number of ESX/i hosts (fewer than 10).

You will create an engine.conf file to collect your data and create an inputs.conf file to run an instance of the engine, the main data collection module inside the FA VM. Engine instances are run by Splunk based on the stanzas found in the iinputs.conf file.

Create a single engine.conf file

To create a simple engine.conf file:

  1. Log into the FA VM as the splunkadmin user.
  2. Stop Splunk. On boot-up, the FA automatically starts Splunk (Splunk is already in your path).

splunk stop

  1. Go to the Splunk Technology Add-on for VMware (Splunk_TA_vmware) "local" directory:
    cd $SPLUNK_HOME/etc/apps/Splunk_TA_vmware/local
  2. In a text editor create the engine.conf file. Note that if you use the default engine instance, you must name the file engine.conf

Create a default stanza

Use a default stanza to assign settings on a one time basis. Set the FA attribute to the value you used for the FA VM's OS hostname when you configured the FA. In this example it is splunkfa1. If you did not set the FA VM's OS hostname, do so before creating the engine.conf file. See Configure default properties for the FA VM in this manual. Note: In a small environment you do not have to reset expiration timers.

[default]
fa = splunkfa1

Configure vCenter Server data inputs

In a simple engine.conf file, the first stanza is typically used to get data from vCenter Server (VC). In this example, we get many different types of data from one vCenter using a single stanza. We collect inventory, hierarchy, tasks, events, and some VC-only performance data. In a larger environment, you may need multiple stanzas for a single vCenter or multiple engine.conf files.

  1. Create a stanza for VC#1 in your environment.
  2. Use a single stanza to get all 5 types of data from VC.
  3. Assign the host setting for VC machines to match the "VC instance name".
    • In this example the VC instance name for VC1 is “VMWARE-VC1"
    • The VC instance name is the name of the root node in the vCenter's "Hosts and Clusters" view as seen in the vSphere Client. Note that the VC instance name is not the vCenters OS hostname, computer name, or DNS alias.
[vc1]
url = https://vc1.company.com/sdk/webService
host = VMWARE-VC1
username = <vc_splunk_username>
password = <vc_splunkuser_password>
action = HierarchyDiscovery, InventoryDiscovery, PerfDiscovery, TaskDiscovery, EventDiscovery
perfManagedEntityWhitelist = ClusterComputeResource|ResourcePool
interval = 1

Configure ESX/i host data inputs

When you have defined the inputs for the vCenter, you can now add stanzas to collect data from the ESX/i hosts you want to monitor. The monitored hosts should be managed by the vCenter specified in the previous stanza. In this example we collect the data we want (performance, task, event, and log data) from two ESX/i hosts. In a larger environment, you can use multiple stanzas for a single ESX/i host (or multiple engine.conf files). Note: There are no inherent limits to the number of hosts that a given FA VM can monitor. In this simple example we recommend using 10 ESX/i hosts. To learn more about:

Continuing the example you will add the following after the VC stanza in the same engine.conf file:

  1. Create a stanza for each ESX/i host managed by VC#1 that you also want to monitor.
  2. Use a single stanza to get all types of data from each ESX/i host. As this is a managed host, you do not need to assign the host setting.
  3. Create more stanzas. You can add up to 10 ESX/i hosts managed by VC#1.
[host1inVC1]
url = https://host1_in_vc1.company.com/sdk/webService
username = <esx_splunk_username>
password = <esx_splunk_password>
action = PerfDiscovery, LogDiscovery, TaskDiscovery, EventDiscovery
interval = 1

[host2inVC1]
url = https://host2_in_vc1.company.com/sdk/webService
username = <esx_splunk_username>
password = <esx_splunk_password>
action = PerfDiscovery, LogDiscovery, TaskDiscovery, EventDiscovery
interval = 1

Create a single inputs.conf file

Now that you have the engine.conf file configured, you can create the inputs.conf file. You must create a "scripted input" that calls the engine and takes the absolute path of the engine.conf file as an argument. While multiple engines can run concurrently, the example here only runs one instance (the "default engine instance").

Stop Splunk and create a simple inputs.conf file

This example is based on a small environment ( less than 10 ESX/i hosts managed by a single vCenter ). You can take advantage of the default engine instance by turning it on with a simple inputs.conf file. In a small environment you only need to run a single engine instance. In this case, you create a single engine.conf file in the local directory and a simple inputs.conf file. When the FA VM boots up, it automatically runs a Splunk heavy forwarder, but the default engine instance defined in $SPLUNK_HOME/etc/apps/splunk_for_vmware_appliance/default is initially disabled.

To turn on the default engine instance:

  1. If you have not already done so, log into the FA VM as the splunkadmin user.
  2. Stop Splunk if it is running (Splunk is in your path):
    splunk stop
  3. Go into the Splunk Technology Add-on for VMware (TA-vmware) local directory:
    cd $SPLUNK_HOME/etc/apps/Splunk_TA_vmware/local
  4. In a text editor create the inputs.conf file.
  5. Add the following lines to the file to set the host attribute for all FA VM-specific data that is sent to the indexer(s):
    [default]
    host = splunkfa1
    [script://./bin/Engine.pm]
    disabled = false
    • This ensures that the FA’s logs are assigned the correct host field.
    • The value should be the same one you used for the FA VM's OS hostname (during FA VM configuration steps).
    • The value should be the same value used for the “fa” setting in the engine.conf [default] stanza.
    • This example assumes that the FA VM's OS hostname was set to "splunkfa1"
  6. Turn on the default engine instance (stanza found in the TA-vmware's defaults/inputs.conf file)

Note: You do not have to disable the default scripted inputs (found in defaults/inputs.conf) as they are disabled by default.

Start Splunk to run the engine

When you have created and configured engine.conf and inputs.conf for your environment, start Splunk: splunk start When Splunk starts, the engine instance is started by the simple inputs.conf file. The engine looks for the file engine.conf in the local directory and starts collecting data as soon as it locates it.

You have manually configured your FA VM. Do this at any time when you want to change the configuration settings.

Last modified on 10 January, 2013
Password obfuscation   Set the time zone for vCenter log files

This documentation applies to the following versions of Splunk® App for VMware (Legacy): 1.0.2, 1.0.3, 2.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters