Splunk® App for VMware (Legacy)

Installation and Configuration Guide


On August 31, 2022, the Splunk App for VMware will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for VMware Dashboards and Reports.
This documentation does not apply to the most recent version of Splunk® App for VMware (Legacy). For documentation on the most recent version, go to the latest release.

Plan your deployment

To deploy the Splunk App for VMware you must deploy the app components on a network that has access to vCenter.

App Configuration

This topic discusses the app components required to support your environment needs.

  • API data collection - We recommend a ratio of 40 ESXi hosts to one data collection node at the recommended resources. See Resource requirements in this manual.
  • Syslog data collection - We recommend that you have your own Syslog server to which ESXi hosts send data. Configure the Syslog server to forward data to the Splunk indexers. Alternatively, you can send logs from the ESXi hosts to Splunk intermediate forwarders and then forward that data to your indexers.
  • Splunk configuration - At expected data volumes for the Splunk App for VMware, you must configure your Splunk indexers appropriately. To do this, see the Splunk Enterprise documentation for Introduction to capacity planning for Splunk Enterprise and Splunk App for VMware indexing data volumes in this manual.

For more information on performance requirements of the app and the data collection node, see the Systems requirements topic in this manual.

Storage

As with all Splunk deployments, it is important to have sufficient disk space to accommodate the volume of data processed by your indexers. Splunk for VMware indexes approximately 300 MB per day for each ESXi host.

For more information on what to consider regarding your data storage and data volume requirements using Splunk, see Estimate your storage requirements in the Splunk Capacity Planning Manual.

Licensing

You must have a Splunk Enterprise license and accept the End User License Agreement (EULA) presented for the Splunk App for VMware to work in your environment. Licensing requirements are driven by the volume of data your indexer processes. Your Splunk Enterprise license and Splunk App for VMware license must both be larger than the volume of VMware data indexed in the Splunk App for VMware.

Refer to the "Storage" section above to determine your licensing volume. Contact your Splunk sales representative to purchase additional license volume or inquire about free trial licensing.

Refer to "How Splunk licensing works" in the Splunk Admin Manual for more information about Splunk licensing.

Using Deployment server

You can use deployment server to deploy your app, but before you do so, please read and understand the install instructions in this manual.

To deploy the app using deployment server:

  1. Download the Splunk App for VMware. See Download the Splunk App for VMware in this manual for instructions.
  2. Get the file splunk_app_vmware-<version>-<build_number>.zip from the download package and put it in a location in your environment.
  3. Unzip the app package file to a temporary location. All of the app components that you need reside in the folder etc/apps.
  4. Read the Component distribution table to understand where each app component goes.
  5. For each intermediate forwarder that you use for syslog data:
    1. Enable the desired port on the forwarder. Use either TCP 1514 or UDP 514.
    2. Refer to the final step in the topic To use an intermediate forwarder in this manual, which discusses how to configure inputs.conf. The example there uses TCP port 1514. You can do the same for UDP using port 514. That topic also explains whether you can use UDP or TCP.
    3. If you are using your own Syslog server to collect and store log data, you must modify Splunk_TA_esxilogs to make the data compatible with the other VMware data in the app. See Use your own syslog server in this manual to understand what modifications to make before deploying Splunk_TA_esxilogs.
  6. If you want to create your own data collection nodes, see Get a data collection node in this manual, which steps you through the process. Otherwise, you can use the Splunk-provided OVA, which you can download from Splunk Apps. After you have deployed the required configuration files on the Splunk instances on the data collection nodes, you must change the default Splunk admin password.
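
As an added example (not Splunk's own tooling), steps 2 to 4 could be scripted on the deployment server as follows: the script checks the archive's member paths, unzips to a temporary location, and copies only the components you name into the deployment repository. It assumes etc/apps sits at the root of the archive; the function names and the refusal to overwrite an already staged component are choices made for this sketch.

```python
import shutil
import sys
import tempfile
import zipfile
from pathlib import Path, PurePosixPath

# Assumption: etc/apps sits at the root of the archive (step 3 names the folder).
APPS_PREFIX = ("etc", "apps")


def list_components(package):
    """Return the app component folder names found under etc/apps."""
    names = set()
    with zipfile.ZipFile(package) as zf:
        for member in zf.namelist():
            path = PurePosixPath(member)
            # Reject members that would land outside the extraction directory.
            if path.is_absolute() or ".." in path.parts:
                raise ValueError(f"unsafe archive member: {member}")
            if path.parts[:2] == APPS_PREFIX and len(path.parts) > 3:
                names.add(path.parts[2])
    return sorted(names)


def stage_components(package, deployment_apps, wanted):
    """Unzip to a temporary location, then copy only the wanted components."""
    missing = sorted(set(wanted) - set(list_components(package)))
    if missing:
        raise ValueError(f"not in package: {missing}")
    staged = []
    with tempfile.TemporaryDirectory() as tmp:
        with zipfile.ZipFile(package) as zf:
            zf.extractall(tmp)
        for name in sorted(wanted):
            target = Path(deployment_apps) / name
            # Never silently overwrite a component that clients already receive.
            if target.exists():
                raise FileExistsError(f"{target} is already staged")
            shutil.copytree(Path(tmp) / "etc" / "apps" / name, target)
            staged.append(str(target))
    return staged


if __name__ == "__main__" and len(sys.argv) >= 4:
    # e.g. stage.py <package.zip> $SPLUNK_HOME/etc/deployment-apps Splunk_TA_esxilogs
    print("\n".join(stage_components(sys.argv[1], sys.argv[2], sys.argv[3:])))
```

Which components belong on which server class still comes from the Component distribution table in step 4.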
Last modified on 03 November, 2014

This documentation applies to the following versions of Splunk® App for VMware (Legacy): 3.0, 3.0.1
