Splunk® App for VMware (Legacy)

Installation and Configuration Guide

On August 31, 2022, the Splunk App for VMware will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for VMware Dashboards and Reports.
This documentation does not apply to the most recent version of Splunk® App for VMware (Legacy). For documentation on the most recent version, go to the latest release.

Preparation checklist

The Preparation checklist identifies the resources you must have and the information you must know before installing the Solution.

Get ready to install

  1. Check your system requirements. See System Requirements for a list of requirements.
    1. Check that the Solution works with the Splunk version you are running.
    2. Check that the Solution works with the vCenter server and ESX/i version you are running.
    3. Check that you have enough resources to run the FA VM.
    4. Check that you have the latest FA VM version.
    5. Download the required 3rd-party software.
  2. Check storage and licensing requirements. Read the topic Deployment Considerations to get more insight into the storage and licensing requirements for your data, what drives the data volume for the solution, and what affects performance.
  3. Check that you are connected to a network and have access through firewalls to the machines included as part of the Solution. This is a requirement for successfully completing the installation and configuration of the App.
  4. Ensure you have Splunk Search heads, Indexers, and forwarders installed in your environment.
    1. Verify that you have Splunk Indexers and Search heads set up onto which you can install the Solution. Verify that your data license can handle the volume of data in the Splunk for VMware Solution (over 1 GB/day for each ESX/i host). To download Splunk, go to http://www.splunk.com. To find out how the search head operates in a distributed environment, read "what is distributed search" in the Splunk product documentation. This topic also shows some distributed search scenarios. Also see "Install a dedicated search head" in the Splunk product documentation.
    2. See "Install Splunk forwarders" as part of the Pre-deployment tasks in this manual.
  5. Plan your deployment and know your environment and what you want the solution to monitor. For more information, see the topic Plan your deployment.
  6. Before you deploy Splunk for VMware, know your VMware datacenter location and the resources with which to deploy the Splunk Forwarder Virtual Appliance for VMware.
    1. In general, each Forwarder Appliance should monitor no more than 500 VMware Virtual Machines. Stay under this limit by limiting the number of ESX/i hosts in each Forwarder Appliance's configuration.
    2. For a VMware installation larger than this, you need to deploy more than one Forwarder Appliance. Deploy each Forwarder Appliance with the following virtual machine resources:
      • 4 vCPU w/ normal "shares" and a 2048MHz "reservation" Limit-unlimited
      • 4 GB memory w/ normal "shares" and a 128 MB "reservation" Limit-unlimited
  7. Download the Splunk for VMware solution components from Splunkbase. For more information on what to download for the Solution to work, see "Go to Splunkbase" in this manual.
    1. Download the full suite zip file, splunk_app_vmware-1.0.0-127207.zip, to your Splunk search heads. It includes the supporting add-ons, domain add-ons, technology add-ons, and apps that make up the Solution.
    2. From the same zip file extract everything from etc/deployment-apps onto the etc/apps directory of your Splunk indexers.
    3. Download Splunk Forwarder Virtual Appliance for VMware, splunk_for_vmware_forwarder_appliance-1.0.0-120606a.ova and deploy it as a VM in your environment. Ensure it has the necessary network connectivity to the ESX/i hosts and vCenter.
    4. Download the vCenter add-on zip file, Splunk_TA_vcenter-1.0.0-127097.zip, onto a Splunk forwarder (UF/HF) running on vCenter machines.
  8. Set up forwarders on your vCenter machine. If you have Splunk indexers and a Splunk forwarder that already work in your environment, modify the existing outputs.conf file. Otherwise, create a new outputs.conf file to set up forwarding to a new indexer so that you can send VMware data to the indexer. For instructions, see Set up forwarders on your vCenter machine in the Configure outputs.conf topic.
  9. Download the 3rd-party components.
    1. Using your separate VMware account, download the vSphere SDK for Perl 5.0 Update 1 release (the Perl API package) into your splunk_for_vmware_forwarder_appliance-1.0.0-120606a.ova to access the vSphere API. This is the package that you previously installed onto the "Splunk Forwarder Virtual Appliance" in the steps above.
    2. Download Sideview Utils on the search heads where the App is installed to ensure that the dashboards within the App are correctly displayed.
  10. Create or confirm your service accounts and permissions.
    1. Make a list of the vCenter Servers and ESX/i hosts you want to monitor.
    2. Make a list of the usernames and passwords that provide sufficient access to these vCenter Servers and ESX/i hosts. See Create Service accounts in this manual.
    3. To automatically create user accounts with correct permissions on the ESX/i hosts, use the logincreator.pl tool on the Forwarder Appliance. You must have the FA VM deployed and turned on in your environment to create service accounts using logincreator.pl.
    4. Manually create service accounts.
      1. Make local users on your Windows OS (vCenter) machines.
      2. Make local users on your ESX/i hosts.
      3. Make users in ActiveDirectory.
      4. Create roles on each vCenter and each ESX/i host independently.
      5. Assign users to roles.
      6. Now that you have service accounts set up on each VC and ESX/i host in your environment, you can verify that you set up your user credentials correctly for each one.
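
A planning aid for steps 4 and 6 above, added here as an example and not part of the Splunk documentation or product: it groups ESX/i hosts into Forwarder Appliances so that none exceeds the 500-VM guideline, and computes the minimum daily license volume from the "over 1 GB/day for each ESX/i host" figure. The host names and VM counts are constructed sample data, and the function names are hypothetical.

```python
# Added example (not Splunk code). Inventory below is constructed sample data.
MAX_VMS_PER_FA = 500        # checklist guideline: no more than 500 VMs per appliance
MIN_GB_PER_HOST_DAY = 1.0   # checklist figure: over 1 GB/day for each ESX/i host


def plan_forwarder_appliances(hosts, max_vms=MAX_VMS_PER_FA):
    """Assign whole ESX/i hosts to Forwarder Appliances (first-fit decreasing).

    hosts: dict mapping host name -> number of VMs running on that host.
    Returns (appliances, oversized). Each appliance is a dict with the
    'hosts' it monitors and their combined 'vms'. 'oversized' lists hosts
    whose VM count alone exceeds max_vms; a host is configured on one
    appliance as a unit, so these need a manual decision.
    """
    appliances, oversized = [], []
    # Largest hosts first; ties broken by name so the plan is reproducible.
    for name, vms in sorted(hosts.items(), key=lambda kv: (-kv[1], kv[0])):
        if vms < 0:
            raise ValueError(f"negative VM count for {name}")
        if vms > max_vms:
            oversized.append(name)
            continue
        for fa in appliances:
            if fa["vms"] + vms <= max_vms:   # first appliance with room
                fa["hosts"].append(name)
                fa["vms"] += vms
                break
        else:                                # no room anywhere: add an appliance
            appliances.append({"hosts": [name], "vms": vms})
    return appliances, oversized


def min_daily_license_gb(hosts):
    """Lower bound on daily indexing volume; real volume is higher."""
    return len(hosts) * MIN_GB_PER_HOST_DAY


SAMPLE = {"esx01": 220, "esx02": 180, "esx03": 150, "esx04": 140,
          "esx05": 90, "esx06": 60, "esx07": 40}

if __name__ == "__main__":
    plan, too_big = plan_forwarder_appliances(SAMPLE)
    for i, fa in enumerate(plan, 1):
        print(f"FA {i}: {fa['vms']} VMs on {', '.join(fa['hosts'])}")
    print("Hosts over the per-appliance limit:", too_big or "none")
    print(f"License floor: {min_daily_license_gb(SAMPLE):.0f} GB/day")
```

Each appliance in the resulting plan still needs the 4 vCPU and 4 GB memory allocation listed in step 6.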
Last modified on 05 September, 2012

This documentation applies to the following versions of Splunk® App for VMware (Legacy): 1.0, 1.0.1

