About configuration files
Configuration files referenced in this manual
file name | Description |
---|---|
outputs.conf | Configure an outputs.conf file for this Splunk FA VM to send the data that you collect from your environment to a Splunk indexer. To learn more about outputs.conf see the spec and configuration files in the Splunk Admin manual. Also see Configure forwarders with outputs.conf in the Splunk Distributed Deployment manual.
|
engine.conf | The engine.conf file is a configuration file created on the FA VM to collect machine data. You configure this engine.conf file to collect data from your VMware environment and to forward the data from the machines you are splunking in your VMware environment to the Splunk indexer/search head. This file is read by "the engine", the main data collection module inside the FA VM. Individual stanzas in engine.conf correspond to VC machines or ESX/i hosts to query for data. Within a stanza, actions correspond to the type(s) of data to query, while intervals and other settings correspond to data gathering frequency. This file is responsible for defining:
You must have service account(s) created and the associated credentials, before creating the engine.conf file(s). |
inputs.conf | This file is used to start up an instance of engine.pm. Engine instances are run by Splunk based on the stanzas found in the inputs.conf file. Multiple engines can run concurrently. The inputs.conf file is used to start up an instance of the engine (the main data collection module inside the FA Add-on). Engine instances are run by Splunk based on the stanzas found in the inputs.conf file. Specifically, you must create a "scripted input" that calls the engine and takes the absolute path of the engine.conf file as an argument. To learn more about inputs.conf , see the spec and configuration files in the Splunk Admin manual. Also see Configure your inputs in the Splunk Getting Data in manual.
|
props.conf | This correctly sets the timezone for vCenter (VC) log files as they do not contain time zone information. A light forwarder (LF) or universal forwarder (UF) does not parse events to get a timestamp. This is done by the indexers. However, the log data sent by the VC Add-on does not include timezone information which can cause problems when indexers do not reside in the same timezone as the forwarder. To resolve this issue, you must add timezone information to props.conf on the indexers.
The |
server.conf | modify the "serverName" setting in the server.conf file. Substitute the current value with the same value that you set in the inputs.conf file (e.g. "splunkfa1"):
serverName = splunkfa1. You can change the NTP servers that your FA VM uses by editing the /etc/ntp.conf file. |
Data collection in one engine.conf file | engine.conf settings |
This documentation applies to the following versions of Splunk® App for VMware (Legacy): 1.0, 1.0.1, 1.0.2, 1.0.3, 2.0
Feedback submitted, thanks!