Splunk® App for VMware (Legacy)

Installation and Configuration Guide

On August 31, 2022, the Splunk App for VMware will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for VMware Dashboards and Reports.
This documentation does not apply to the most recent version of Splunk® App for VMware (Legacy). For documentation on the most recent version, go to the latest release.

Is data coming in

Have you installed the Solution correctly and do you have the right data coming into Splunk? Do you know if your data is displayed correctly in the views and dashboards of the App?

All of this information is available in the views on the App Install health dashboard. You can validate the integrity of your data by examining the status of your environment on this dashboard in the Splunk App for VMware. Select Settings > App Install Health to get to this dashboard.

Is your data being forwarded to Splunk

To check that you have correctly set up your forwarders to forward data:

  1. In the Forwarder Appliance(s) over last 4 hours view, check that all the forwarder appliances that you have as part of the Solution are included in the list.
  2. Select each forwarder appliance in the list individually, and check that the Forwarder Appliance summary displays data for each.
  3. Verify that your VI-Perl SDK has a value for each forwarder appliance. If it does not, then you must reinstall the Perl API package as it did not install correctly.

To check that you have correctly set up your vCenters:

  1. In the vCenter Forwarder(s) count over last 4 hours view, check that all the vCenters from where you installed the vCenter add-on show up in the list.
  2. Select each vCenter individually to ensure that the Virtual Center summary shows data for all vCenters.

Are you collecting the correct type of data

On the App Install health view, look at the sourcetypes last received status to check that you are gathering the correct type of data (inventory, hierarchy, performance, ESX/ESXi Log data, tasks and events, log data), that it has been indexed recently, and that it was sent within a recent timeframe.
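The same freshness check can be run as a single search. This is an added example, not part of the Splunk documentation; it generalizes the per-sourcetype searches on this page to every vmware:* sourcetype and host at once. The 4-hour window and the 15-minute staleness threshold are assumptions borrowed from the time ranges this page mentions, and the field names last_event, last_indexed, index_lag_seconds, minutes_since_indexed and status are illustrative.

```spl
index=vmware sourcetype=vmware:* earliest=-4h
| stats count latest(_time) AS last_event max(_indextime) AS last_indexed BY sourcetype host
| eval minutes_since_indexed=round((now() - last_indexed) / 60)
| eval index_lag_seconds=last_indexed - last_event
| eval status=if(minutes_since_indexed > 15, "STALE", "ok")
| convert ctime(last_event) ctime(last_indexed)
| sort - minutes_since_indexed
| table sourcetype host count last_event last_indexed index_lag_seconds minutes_since_indexed status
```

A host that sent nothing during the window does not appear in the results at all, so compare the host column against the list of forwarder appliances, vCenters and ESX/ESXi hosts you expect.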

For hierarchy and performance data, check that the relevant lookups have populated correctly. See Lookups in SA_HiearchyInventory Addon that must be populated and Lookups in SA_Performance Addon that must be populated. Also look at the Current Hierarchy Data and Current Entity Data views.

Searches to run to validate performance data results

  1. Check that data has been coming in for the last 15 minutes:
    index=vmware sourcetype=vmware:perf
  2. Check that four types of data are displayed (ClusterComputeResourcePerf, HostSystemPerf, ResourcePoolPerf, and VirtualMachinePerf):
    index=vmware sourcetype=vmware:perf | stats count by source
  3. Display a breakdown of all hosts that are sending performance data and the types of data they are sending. ClusterComputeResourcePerf should only be returned by the Virtual Center hosts:
    index=vmware sourcetype=vmware:perf | stats values(source) by host


ESX/ESXi Log data

To check ESX log data by host:

  1. To ensure that you are collecting ESX/ESXi log data for each ESX/ESXi host you are monitoring, run:
    index=vmware sourcetype=vmware:esxlog:* | stats count by host
  2. To ensure that you are collecting ESXi log data for each ESXi host you are monitoring, run:
    index=vmware sourcetype=vmware:esxilog:* | stats count by host

Tasks and Events Data

Check tasks and events by host:

  1. To display all the hosts (including VCs) from which you are receiving task data, run:
    index=vmware sourcetype=vmware:task | stats count by host
    1. Check that all the hosts included in your splunked environment are listed.
  2. To display all the events (including VCs) from which you are receiving task data, run:
    index=vmware sourcetype=vmware:event | stats count by host
    1. Check that all the events in your splunked environment are listed.

VC Log Data

  1. For all vCenter servers from which data is being collected, look at "Virtual center forwarding status" to see that data is being received.
  2. To check that VC Log data is collected correctly, click the vclog data sourcetype and drill down to get more detailed information.
Last modified on 22 January, 2013

This documentation applies to the following versions of Splunk® App for VMware (Legacy): 2.0

