On August 31, 2022, the Splunk App for VMware will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for VMware Dashboards and Reports.
This documentation does not apply to the most recent version of Splunk® App for VMware (Legacy).
For documentation on the most recent version, go to the latest release.
Install the Add-on
Install the Splunk Technology Add-on for VMware vCenter
You downloaded the Splunk Technology Add-on for VMware vCenter (TA-VC) from Splunkbase and you are now ready to install it.
To install the Add-on for vCenter
- Unzip the file,
"Splunk_TA_vcenter-<version>-<build_number>.zip", into the apps directory under%SPLUNK_HOME%\etc\apps. When installing on a universal forwarder the path isC:\Program Files\SplunkUniversalForwarder\etc\appsotherwise it isC:\Program Files\Splunk\etc\apps. - The new directory,
%SPLUNK_HOME%\etc\apps\Splunk_TA_vcenter, now contains the TA-vCenter files. - Using the windows command shell (or file explorer), create a "local" directory in
%SPLUNK_HOME%\etc\apps\Splunk_TA_vcenter.%SPLUNK_HOME%\etc\apps\Splunk_TA_vcenter\local
- Copy the
inputs.conffile from%SPLUNK_HOME%\etc\apps\Splunk_TA_vcenter\default\inputs.confto the new%SPLUNK_HOME%\etc\apps\Splunk_TA_vcenter\local\inputs.confdirectory. - Edit the
Splunk_TA_vcenter\local\inputs.conffile and setdisabled=false. Yourinputs.conffile should contain:[script://.\bin\SetHost.bat]disabled = false
- Save and close the file.
- Restart Splunk. For more information about starting, stopping, or restarting Splunk, see Start and stop Splunk in the Splunk Admin Manual. For example, you can go to
%SPLUNK_HOME%\binand run this command:> splunk restart
You can also restart Splunk using Windows services andSelect Start > Administrative Tools > Services > Splunkd restart.
You are now collecting data from your vCenter machines and you can forward the data from your vCenter to your Splunk Indexer/Search head.
Did you install successfully?
Look at the VMware Data Health views in the App to see if the correct data is being collected.. After you set up the Splunk Technology Add-on for VMware vCenter, you must allow some time (a few minutes) for the data to be collected and the views in the App to be populated.
To check your data:
- Launch Splunk Web in a browser using the default login (admin/changeme) if you have not already changed it.
- Click VMware on the Home page or choose Apps > VMware from the Home screen Apps menu.
- Click Solution Administration > Admin Data Health from the main navigation menu.
- In the Virtual center summary panel check that the vCenter is listed. Use the Virtual Center drop down to check for other vCenters you are splunking. If it is not listed, the TA-vcenter may not be configured correctly.
- Use the following search command to verify that the time zone is set correctly:
index=vmware sourcetype=vmware:vclog* | head 10 | rename _raw AS raw | table _time, raw- The raw field shows the local time of the vCenter server.
- Verify that the
_timefields show the corresponding local time of the indexer.
- You must restart the forwarder after resetting the time on your vCenter machine. Wait for the data to load, then look at the Time health view to verify that you are seeing an acceptable time.
- Check that you are collecting vCenter logs.
- In the Splunk App for VMware on the Solution Administration menu, look at the vCenter Server Log Data Health view. Check that your vCenter machine is listed with at least one log source. It may take some time for all of the views to populate. Wait for all of the sources or the two graphs at the end of the page will not yet be populated. vCenter logs are generally very large and take some time to transfer to Splunk.
Last modified on 09 May, 2013
| About the Add-on | About the FA VM |
This documentation applies to the following versions of Splunk® App for VMware (Legacy): 2.0
Download manual
Feedback submitted, thanks!