Splunk® App for VMware (Legacy)

Installation and Configuration Guide

On August 31, 2022, the Splunk App for VMware will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for VMware Dashboards and Reports.
This documentation does not apply to the most recent version of Splunk® App for VMware (Legacy). For documentation on the most recent version, go to the latest release.

Installation checklist

Now that you have read the check list and prepared for the software installation (see the Preparation checklist) you can install Splunk for VMware. This installation check list is a quick review of all the items you must install to get the Solution working in your environment.

The Checklist

  1. Install Splunk App for VMware. Transfer the App package file, splunk_app_vmware-<version>-<build_number>.zip to each indexer and search head in your environment. Install it using using the same user account that you used to install Splunk on your systems.
  2. Install the Splunk Technology Add-on for VMware vCenter, Splunk_TA_vcenter-<version>-<build_number>.zip on the vCenter machines from which you want to collect log data .
  3. Download and Install a Splunk forwarder (the universal forwarder or light forwarder): Install this forwarder onto the same Windows machine on which vCenter Server resides and enable forwarding to forward the data to your central Splunk indexer.
  4. Create an outputs.conf file (if one does not already exist) on each forwarder on a vCenter machine to send VMware data to your indexers.
  5. Set up your props.conf file on your indexer(s)/search head(s) with the appropriate time zone information. See Set the time zone for vCenter log files in this manual for more information.
  6. Install the Splunk Forwarder Virtual Appliance for VMware (FA VM), splunk_for_vmware_forwarder_appliance_<version>-<build_number>.ova. Deploy the OVA as a VM in your VMware environment with the correct virtual machine resource settings (see Preparation Checklist).
    1. Check that the network adapter for the VM is on a network that can see all vCenter Servers and unmanaged ESXi hosts and that the network can also see the Splunk Indexers. For more information on how to do this, see Install the FA VM.
    2. Once deployed, log into the FA VM as the splunkadmin user.
    3. Goto VMware's website and download the VMware vSphere SDK for Perl 5.1 (64bit for linux), VMware-vSphere-Perl-SDK-5.1.0-780721.x86_64.tar.gz and copy (scp) it onto the FA. See Install the Perl API package in this manual.
    4. Configure the default properties for the FA VM. Within the OS you can configure non-DHCP network settings and change other default settings. Follow the instructions in the topic "Configure the default properties for the FA VM" to change the default properties. You can:
      • Change the default passwords.
      • Set the FA VM's OS hostname.
      • Set the "OS hostname"-related settings in the FA VM's Splunk instance.
      • Set static IP addresses.
      • Set the timezone in the FA VM.
      • Change the NTP server pool list.
    5. Run logincreator.pl with the appropriate parameters to automatically create service accounts, if accounts do not already exist. To learn more, see Create service accounts in this manual. Run the command with the help option to see more details:
      ~$ perl logincreator.pl --help.
    6. Run enginebuilder.py to automatically create the engine.conf files used by the Perl modules. The engine.conf files specify the data to collect from your VMware environment. Note that enginebuilder.py does not support unmanaged hosts. To learn more, see Configure data collection in this manual.
    7. Set up forwarders on your FA so that the data you collect can be sent to the indexers. See Configure forwarding on your FA to configure the outputs.conf file to forward VMware data to a destination indexer.
    8. Run credentials.pl to obfuscate passwords in the configuration files if you don't want to store them as clear text. Do this after you have generated the configuration files. Optionally remove the passwords from your engine.template file.

Configure distributed search and forwarding

Each environment is configured differently. Use the Splunk product documentation to set up the forwarders you need and to make decisions about how you want to configure them for your particular use. The forwarders and the VC are set up to forward data to the indexers. Add search heads as peers to your indexers.

Last modified on 12 May, 2013
Preparation checklist   Deployment considerations

This documentation applies to the following versions of Splunk® App for VMware (Legacy): 2.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters