Splunk® App for VMware (Legacy)

Installation and Configuration Guide

On August 31, 2022, the Splunk App for VMware will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for VMware Dashboards and Reports.
This documentation does not apply to the most recent version of Splunk® App for VMware (Legacy). For documentation on the most recent version, go to the latest release.

Set the time zone for vCenter log files

Before you set up forwarders on your vCenter Server machines, you must first configure props.conf on your indexer(s) as part of the Splunk App for VMware configuration steps. This step is necessary because it correctly sets the time zone for vCenter (VC) log files, which do NOT contain time zone information. For more information about specifying time zones in props.conf, see the Splunk product documentation: "Apply time zone offsets to timestamps" and the "props.conf" file in the Splunk Admin Manual..

Configure props.conf

A light forwarder (LF) or universal forwarder (UF) does not parse events to get a timestamp. This is done by the indexers. The log data sent by the Splunk Technology Add-on for VMware vCenter (Splunk_TA_vcenter) does NOT include timezone information. This can cause problems when indexers do not reside in the same timezone as the forwarder running the Splunk_TA_vcenter. To resolve this issue, you must add timezone information to props.conf on the indexers as part of the Splunk App for VMware configuration steps.

This topic tells you how to configure the Splunk App for VMware's props.conf with this timezone information on your indexers.

How to set the time zone in props.conf

For each vCenter, add one stanza to props.conf on each of your indexers that will receive data from the TA-VCs (to be installed on each vCenter Server in later steps). If your indexer also functions as an search head, you must still perform these steps. Note: This includes combined indexer / search head installs of Splunk.

  1. Log into your indexer. Make sure you log in as the same user account that was used to install Splunk.
  2. Create the local/props.conf file. On Linux or Unix systems, the props.conf file should be placed in the following location:
  3. $SPLUNK_HOME/etc/apps/Splunk_TA_vcenter/local/props.conf

    If the directory and / or file do not already exist, you will need to create them using OS commands and a basic text editor such as "vi".

  4. Get time zone identifier of the vCenter server. You need to know the time zone of the vCenter server and then find the corresponding time zone identifier string as defined in the TZ Database (these are the standard timezone strings that Splunk uses and understands).
  5. Note: For general information, or to see all valid timezone identifier strings that Splunk will accept, refer to the tz database Wikipedia article and use the identifiers in the column labeled "TZ".

    • If the display language is English on your vCenter server, open a Windows terminal and use the following command to get the time zone of the server.
    • C:\> systeminfo | findstr /C:"Time Zone"

    • If the display language is not English on your vCenter server, use the following Windows command to open the "date/time" window and look at the current time zone setting:
    • C:\> control.exe timedate.cpl

  6. Add a stanza to props.conf on your indexer(s) to specify the vCenter's time zone. The following example shows what the stanza format looks like in general. See the "Time zone examples" section below for examples of real file entries. The vCenter instance name (VC_instance_name) is the name of the root node in the vCenter's "Hosts and Clusters" view as seen in the vSphere Client.
  7. [host::<VC_instance_name>]
    TZ = <timezone identifier>
    

    Note: The VC_instance_name used in this step must match the value used when configuring the Splunk Technology Add-on for VMware vCenter (TA-VC) for this particular VC machine - as discussed in topic "Install the Add-on".

  8. Repeat for each vCenter. Perform the above steps for each vCenter that you plan to get data from.
  9. Save the file. When you have created stanzas for all of your vCenter Servers, save the file and exit your text editor.
  10. Restart your indexer. After you configure the props.conf file with the additional stanza(s), restart your indexer to make the change effective.
  11. Repeat for each indexer. Perform the above steps for each indexer (or combined indexer / search head) that you plan to send data to.

Note: Later on, after we guide you through installing and configuring the TA-VC, we provide instructions to validate that the configuration changes to set the timezone were performed correctly. For now, assume that they are fine and continue the install.

Time zone stanza examples

For the following examples, we are creating / editing a props.conf file located in the following directory:

$SPLUNK_HOME/etc/apps/Splunk_TA_vcenter/local/props.conf
Example 1. We use the vSphere Client to look at a vCenter Server in Los Angeles.
  • In the "Hosts and Clusters" view we see that the VC instance name (root folder) has the value "vmware-vc1.company.com".
  • We also get "(UTC-08:00) Pacific Time (US & Canada)" by typing systeminfo | findstr /C:"Time Zone" at the command prompt. The corresponding time zone defined in the TZ Database is "America/Los_Angeles", so we add the following two lines to props.conf on each indexer:
[host::vmware-vc1.company.com]
TZ = America/Los_Angeles
Example 2. We use the vSphere Client to look at a different vCenter Server in Taipei, Taiwan.
  • In the "Hosts and Clusters" view we see that the VC instance name (root folder) has the value "vmware-vc2.company.com".
  • This Windows machine is set to display in Chinese characters. We see a dialog box pop up that shows the timezone as "(UTC+08:00) 台北" by typing control.exe timedate.cpl at command prompt. The corresponding time zone defined in the TZ Database is "Asia/Taipei", so we add the following two lines to props.conf on each indexer:
[host::vmware-vc2.company.com]
TZ = Asia/Taipei
Last modified on 13 April, 2015
Modifying configuration files   Controlling data volumes

This documentation applies to the following versions of Splunk® App for VMware (Legacy): 1.0, 1.0.1, 1.0.2, 1.0.3, 2.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters