Splunk® App for VMware (Legacy)

Installation and Configuration Guide

On August 31, 2022, the Splunk App for VMware will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for VMware Dashboards and Reports.
This documentation does not apply to the most recent version of Splunk® App for VMware (Legacy). For documentation on the most recent version, go to the latest release.

What data can I get

The vCenter database contains many different types of data about the virtual environment. Information is stored about the managed entities (for example, data center, cluster, host, VM, and so on), about the relationships between the objects in the environment (how they are physically arranged and managed in relation to one another), and performance data for specific inventory objects. This is just some of the information that is stored. It contains performance statistics for VMs and hosts. vCenter logs contain basic information about vCenter and the database. Logs for other components are not on the vCenter server. Splunk for VMware collects data from the resources and maps it to Splunk App for VMware and gives you a window into the data enabling you to explore and work with the data in the ways you want.

The data in your VMware environment is collected by the the engine.conf file. Specific actions are defined for each target machine indicating the type(s) of data to be collected for that machine.

The data we Splunk

The following VMware environment data types are collected by Splunk for VMware:

  1. Inventory data: This data contains information about specific inventory objects in vSphere, such as properties. This includes managed entities, which are top-level inventory objects (such as data center, cluster, host, VM, and so on), inventory "sub-components" (such as vNICs, vHBAs, and so on), and other useful data ( for example, software components and version information). This data is collected by the “InventoryDiscovery” action in the engine.conf file.
  2. Hierarchy data: This is information about the relationships between the different kinds of inventory objects (explained above) and how they structured hierarchically in vSphere for management purposes. In short, this represents the “tree view” that can be found on the left side of the “Host and Clusters” view (or "Inventory" view) in the vSphere Client when pointed at a VC machine (or at an indivdual ESX/i host). It mainly contains the relationships between top-level inventory objects (known as “managed entities”). It does not contain information about the inventory objects themselves. This is the kind of data collected by the “HierarchyDiscovery” action listed in an engine.conf file.
  3. Performance data: This is the performance data collected in the solution. Performance data is generally associated with a particular inventory object – whether it is a managed entity (e.g. data center, cluster, host, VM, etc.) or an inventory sub-component (e.g. vNIC, vHBA). There are several major categories of performance data, including CPU, memory, network, storage, etc. Performance data can be found in the "Performance" tab of the vSphere Client when pointed at a VC machine or at an individual ESX/i host. This is the kind of data collected by the “PerfDiscovery” action listed in an engine.conf file.
  4. Tasks data : These are actions that you perform in the system such as creating a VM or powering down a host. In the vSphere Client (when pointed at a vCenter machine or at an individual ESX/i host) you can look at the Recent tasks panel and you can see a task history on the Tasks & Events tab. This data is collected by the “TaskDiscovery” action in the engine.conf file.
  5. Events data: This data contains notifications of things that happen in the system either as a result of tasks, or ongoing operations. These are also called VMware events so as to not confuse them with Splunk events ( the data that Splunk captures and makes searchable from any source, not just VMware). You can find VMware event histories in the Tasks & Events" tab of the vSphere Client when pointed at a VC machine or at an individual ESX/i host. This data is collected by the “EventDiscovery” action in the engine.conf file.
  6. Logs data: These are log files generated by the various VMware components, such as vCenter and ESX/i hosts. This data is collected by the LogDiscovery action in the engine.conf file for ESX/i hosts. Note that log data from vCenter is gathered using the VC Add-on. It is not gathered using engine.conf.
  7. Time data: This data about the current time on each VC or ESX/i host is collected automatically from VC machines. The engine automatically gathers this data from each ESX/i host that has a stanza in engine.conf. You do not need to explicitly list an action.
Last modified on 20 September, 2012
About Splunk for VMware   How data is collected

This documentation applies to the following versions of Splunk® App for VMware (Legacy): 1.0, 1.0.1, 1.0.2, 1.0.3, 2.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters