Splunk® App for VMware (Legacy)

Installation and Configuration Guide

On August 31, 2022, the Splunk App for VMware will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for VMware Dashboards and Reports.
This documentation does not apply to the most recent version of Splunk® App for VMware (Legacy). For documentation on the most recent version, go to the latest release.

How to upgrade

Upgrade for all Splunk for VMware versions prior to 1.0.1

If you have Splunk for VMware 1.0.0 installed:

  1. Upgrade to Splunk for VMware 1.0.3.
  2. Upgrade from Splunk for VMware version 1.0.3 to Splunk for VMware version 2.0.

Upgrade for Splunk for VMware 1.0.3 to version 2.0

Use these instructions to upgrade from Splunk for VMware version 1.0.3 to that latest software version, 2.0. Note: Splunk for VMware version 2.0 is only compatible with the VMware 5.1 Perl SDK. We do not support it with older versions of the VMware Perl SDK. When the App is installed you can configure it further using the instructions in the Solution Administration chapter in this manual.

Upgrade the Splunk App for VMware

To upgrade to version 2.0 of Splunk App for VMware on the search head/indexers, replace the existing files with the new installation. Follow the installation instructions for the App. See Install the App in the Splunk for VMware Installation and Configuration Guide.

Note for advanced users: If you have customized your summary index searches in your local directory, then as part of the upgrade process you must:

  1. Install the Splunk App for VMware 2.0.
  2. Verify your changes to apps/SA-VMW-Performance/local/savedsearches.conf are still valid, you may need to remake the changes to the newer saved searches if upgrading from 1.0.2 or below.

Upgrade the Splunk Technology Add-on for VMware vCenter

To upgrade to the Splunk Technology Add-on for VMware vCenter, version 2.0, replace the existing files with the new installation. Follow the installation instructions at Install the vCenter Add-on in the Splunk for VMware Installation and Configuration Guide.

Upgrade the Splunk Technology Add-on for VMware

You can upgrade the data collection engine of the Forwarder Virtual Appliance for VMware (FA VM) without having to standup a new FA VM. The 1.0.3 version of the FA VM is compatible with the 2.0 Splunk App for VMware, however to use this FA, install the latest data collection engine ( Splunk_TA_vmware) on your FA and then optionally run enginebuilder.py to recreate the configuration files that collect the data in your VMware environment from vCenter. Rerunning enginebuilder.py>/code> changes the performance data collection to use a reduced set of metrics thereby reducing the data volume.

  1. Log in to your search head/indexer.
  2. Simultaneously log into your FA VM.
  3. Stop Splunk on the FA VM.
    splunk stop
  4. Copy the contents of the the $SPLUNK_HOME/etc/apps/Splunk_TA_vmware/… directory on the search head/indexer to the existing $SPLUNK_HOME/etc/apps/Splunk_TA_VMware directory of your Splunk install on the FA. Use recursive copy to copy all of the files and all of the sub-directories.
  5. Look in $SPLUNK_HOME/etc/apps/Splunk_TA_VMware on the FA to verify that the files were copied correctly.
  6. Start Splunk on your FA VM.
    splunk start

You have now upgraded to the latest Splunk_TA_vmware.

To reduce your data volume

We recommend that you follow these instructions after updating Splunk_TA_vmware to limit metric collection for performance data. This will reduce your data volume by only using the recommended set of metrics specified in the App. and run enginebuilder.py to regenerate your engine.conf files.

  1. On the FA VM, stop Splunk.
    splunk stop
  2. Go to the Splunk_TA_vmware/local directory.
    cd $SPLUNK_HOME/etc/apps/Splunk_TA_VMware/local
  3. Optionally, if you customized the engine files in your local directory, back up the engine files to save the changes you made.
  4. Run enginebuilder.py on the existing engine.template file that contains all the information about your environment. Use the -c option to run a default credentials check.
    enginebuilder.py -c
  5. Start splunk
    splunk start

If you limit the set of metrics you use from what you were using before, we recommend that you modify the associated lookup files in the app for a better experience on performance views. This:

  • prevents additional metrics from displaying in the menu drop downs even if you no longer collect them.
  • prevents warning messages associated with missing thresholds from being displayed.

To modify the lookup files:

  1. Allow the solution to run for at least 1 hour.
  2. Log into your search head.
  3. Run the following search over a timerange of "last 60 minutes":
    index=summary_vmware source="SummaryVirtMachinePerfByMeidInstance15min*" type="VirtualMachine" | getfieldnames | makemv delim="," fieldnames | eval fieldnames=mvfilter(match(fieldnames, "^(?!(date|_|info|splunk|source|index|search|time|host|isvc|vc|path|Datacenter|Cluster|HostSystem|physicalhost|datacentermoid|clustermoid|hostsystemmoid|instanceUuid|uuid|typeduipath|uipath|moid|type|name|perftype|linecount|instance|meid|clustermeid|hostsystemmeid|datacentermeid))")) | eval instance=if(instance="Aggregated","no","yes") | stats values(fieldnames) as fields by meid,perftype,instance,_time | `makesv(fields)` | sort 0 meid, perftype, instance, _time | dedup meid,perftype,instance,fields consecutive=t | sort 0 -_time | outputlookup VMFieldList
  4. Now run this search over a timerange of "last 60 minutes":
    index=summary_vmware source="SummaryHostSystemPerfByMeidInstance15min" type="HostSystem" |getfieldnames |reverse|makemv delim="," fieldnames| eval fieldnames=mvfilter(match(fieldnames, "^(?!(date|_|info|splunk|source|index|search|time|host|isvc|vc|path|Datacenter|Cluster|HostSystem|physicalhost|datacentermoid|clustermoid|hostsystemmoid|instanceUuid|uuid|typeduipath|uipath|moid|type|name|perftype|linecount|instance|meid|clustermeid|hostsystemmeid|datacentermeid))")) |eval instance=if(instance="Aggregated","no","yes")| stats values(fieldnames) as fields by meid,perftype,instance,_time | `makesv(fields)` | sort 0 meid perftype instance _time | dedup meid,perftype,instance,fields consecutive=t | sort 0 -_time | outputlookup HSFieldList
  5. These lookups will now only contain the metrics you are currently collecting.

Finalize the Upgrade

On the Splunk for VMware Setup page you perform the final steps to set up the App to work in your environment.

Note: By default the the old domain add-ons are disabled. You must select the option to delete them if you want to remove them from your environment.

  1. Start the Splunk app for VMware.
  2. Go to the Splunk Manager Apps page.
  3. From the Splunk main menu, select App > Manage apps....
  4. For the VMware app, under Actions, click Set up.
  5. Optionally, in the Finalize setup section of the page, check Disable/delete old add-ons if you want to delete all depreciated Domain Add-ons in your environment.
  6. Click Save.
  7. You have now completed your upgrade to 2.0.

Last modified on 23 January, 2013
Why upgrade   Clean up older installations

This documentation applies to the following versions of Splunk® App for VMware (Legacy): 2.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters