Install the Add-on

Install the Splunk Technology Add-on for VMware vCenter

You downloaded the Splunk Technology Add-on for VMware vCenter (TA-VC) from Splunkbase and are now ready to install it.

1. Unzip the file, "Splunk_TA_vcenter-1.0.1-130116.zip", into the apps directory under %SPLUNK_HOME%\etc\apps. The following is an example of how it can look:

C:\Program Files\SplunkUniversalForwarder\etc\apps
or
C:\Program Files\Splunk\etc\apps

2. A new sub-directory, "Splunk_TA_vcenter", now contains the TA-VC files.

%SPLUNK_HOME%\etc\apps\Splunk_TA_vcenter

3. Using the windows command shell (or file explorer), create a "local" directory in the expanded Splunk_TA_vcenter app

%SPLUNK_HOME%\etc\apps\Splunk_TA_vcenter\local

4. Copy the inputs.conf from Splunk_TA_vcenter\default\ to the new Splunk_TA_vcenter\local\ directory, for example, copy

%SPLUNK_HOME%\etc\apps\Splunk_TA_vcenter\default\inputs.conf

to

%SPLUNK_HOME%\etc\apps\Splunk_TA_vcenter\local\inputs.conf

5. In the Splunk_TA_vcenter\local\ directory, edit the inputs.conf file and set disabled=false. Save and close the file.




6. Restart Splunk. For more information about starting, stopping, or restarting Splunk, see Start and stop Splunk in the Splunk Admin Manual. For example, you can go to %SPLUNK_HOME%\bin and run this command:

> splunk restart

7. You can also restart Splunk using Windows services: Start>Administrative Tools> Services> Splunkd restart.
8. Open Splunk Web on the indexer and use the following search command to verify that the time zone is set correctly:

index=vmware sourcetype=vmware:vclog* | head 10 | rename _raw AS raw | table _time, raw

9. The raw field shows the local time of the vCenter server. Make sure to verify that the _time fields show corresponding local time of the indexer.

Now you have data from your vCenter machines being forwarded to the Splunk indexer/search head. This data is mapped to the Splunk for VMware app that contains sample views.

Did you install successfully?

Look at the VMware Data Health views in the App to see if the correct data is being collected.. After you set up the Splunk Technology Add-on for VMware vCenter, you must allow some time (a few minutes) for the data to be collected and the views in the App to be populated.

To check your data:

1. Launch Splunk Web in a browser. Use the default login (admin/changeme) if you have not already changed it.
2. Click VMware on the Home page or choose Apps > VMware from the Home screen Apps menu.
3. Click Solution Administration > Time Data Health Overview from the main navigation menu.
   1. In the Timekeeping Events panel, check that the vCenter is listed with the host identified by the VC instance name and it should have an acceptable time difference. If it is not, the TA-VC may not be configured correctly, or the clock on your vCenter Server may be set incorrectly. The time on the vCenter server must be set correctly for the solution to work.
   2. You must restart the forwarder after resetting the time on your vCenter machine. Wait for the data to load, then look at the Time health view to verify that you are seeing an acceptable time.
4. Check that you are collecting vCenter logs.
   1. In the Splunk App for VMware on the Solution Administration menu, look at the vCenter Server Log Data Health view. Check that your vCenter machine is listed with at least one log source. It may take some time for all of the views to populate. Wait for all of the sources or the two graphs at the end of the page will not yet be populated. vCenter logs are generally very large and take some time to transfer to Splunk.