Splunk® App for VMware

Installation and Configuration Guide

Acrobat logo Download manual as PDF


On August 31, 2022, the Splunk App for VMware will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for VMware Dashboards and Reports.
This documentation does not apply to the most recent version of VMW. Click here for the latest version.
Acrobat logo Download topic as PDF

Splunk App for VMware Architecture

This topic describes the technologies that work together to enable the Splunk App for VMware to bring you value through your data. The app uses Splunkd to index and process your data and the SplunkWeb application server to enable you to search and navigate your data using the Splunk App for VMware components (knowledge objects, saved searches, dashboards). The app unlocks the true value in your IT data and maps it to the dashboards.

Solution Architecture (updated VCS)-1.png

To collect API data you need a Splunk indexer/search head with the Splunk App for VMware apps installed on it. This includes the main app, the technology add-ons, and the support add-ons. You also need the scheduling components (usually installed on the Indexer/search head) that manage and orchestrate data collection tasks for the API data. This scheduler works with the data collection nodes.

The data collection nodes make the API calls to collect the data from your VMware vSphere environment. The data collection node is a light forwarder or heavy forwarder with certain app components installed on it. These app components are available as part of the splunk_forwarder_vmware download (Splunk_TA_vmware, SA-Hydra, SA-Utils, Splunk_TA_esxilogs). Get them from here if you want to build your own data collection node. The data collection nodes run worker processes that retrieve the data. These worker processes are implemented as modular inputs.

  • Splunk_TA_vmware is the data collection component of the data collection node.
  • SA-Utils contains the support files for SA-Hydra and Splunk_TA_vmware.
  • SA-Hydra runs the worker processes on the data collection node.
  • Splunk_TA_esxilogs collects log data from your Esxi log hosts.

The data collection node sends data to your indexers only after the scheduler is turned on and configured to start data collection.


App components

Component name Description
Splunk App for VMware This component contains the user interface components and knowledge objects of the app. Install it on the indexers and search heads in your VMware vSphere environment.
Splunk TA for VMware vCenter (Splunk_TA_vcenter) This component collects vCenter log data and forwards it to the indexer(s) in your environment. Install it on a universal forwarder or heavy forwarder running on your vCenter machines.
Splunk forwarder for VMware (Splunk_TA_vmware, SA-Hydra, SA-Utils, Splunk_TA_esxilogs) Use this app component to create your own data collection node (DCN). It is shipped as part of the preconfigured OVA. This app component makes API calls to VMware vCenter to collect VMware API data directly from the VMware vCenter. It forwards the data to your indexer/search head. This data includes performance, inventory, hierarchy, and tasks and event data. The data collection nodes do not make API calls to Esxi hosts.

Impact on vCenter

The data collection requirements of the Splunk App for VMware cause a 10% to 15% increase in Virtual Center CPU utilization. This is a manageable and expected increase in CPU utilization. The increase in VMware vCenter CPU utilization (resulting from the data collection activities of the Splunk App for VMware) correlates with the processing of jobs run by the scheduler to support Splunkd, splunk python process, and other miscellaneous system operations.

Last modified on 03 April, 2014
PREVIOUS
New to Splunk
  NEXT
Setup Requirements

This documentation applies to the following versions of Splunk® App for VMware: 3.0, 3.0.1, 3.0.2


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters