Splunk® App for VMware (Legacy)

Installation and Configuration Guide

Acrobat logo Download manual as PDF


On August 31, 2022, the Splunk App for VMware will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for VMware Dashboards and Reports.
This documentation does not apply to the most recent version of Splunk® App for VMware (Legacy). For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

System Requirements

Splunk requirements to run the app

  • Splunk version 5.0.4 or later running on Splunk indexers and search heads. See "System requirements" in the Splunk Installation Manual.
  • A default Splunk configuration with a licensing volume that can support approximately 300 MB of data per host per day.
  • Resource Splunk indexers according to Splunk best practices.

VMware versions Supported

  • VMware vSphere versions 4.1, 5.0, 5.0 Update 1, version 5.1, and version 5.5.
    • There is a bug in VMware vSphere version 5.0 and all updates to version 5.0. Two WSDL files required for the Splunk app for VMware to make API calls to vCenter are missing. During the installation process you are required to get the vSphere Web Services SDK WSDL workaround and put the files on vCenter.
  • ESXi 4.1, 5.0, 5.0 Update 1, 5.1 and 5.5 on 64-bit x86 CPUs.
  • vCenter servers configured in linked mode are supported. For vCenter servers in linked mode, treat each instance inside the linked pool individually and add them to the Collection Configuration dashboard, just like a normal vCenter. The App will gather API data only for the added vCenter and will not recognize the other vCenter servers in the linked pool unless they are also added to the Collection Configuration dashboard inside the app.

Note:

  • We do not support the Linux based vCenter Virtual Appliance to collect vCenter log data. API data can still be collected with the Linux vCenter Virtual Appliance. Syslog data is not affected by this limitation.

Browsers supported

The Splunk App for VMware supports the browser versions listed below:

  • Firefox (latest)
  • Internet Explorer 9 and 10
  • Safari (latest)
  • Chrome (latest)

Note: The Splunk App for VMware does not support IE 8 and does not work in IE 9 Compatibility mode.

Splunk App for VMware data volume requirements

Resulting from our tests of the Splunk app for VMware we have found that approximately 300 MB per host per day is a good estimate of what to expect from your environment. This can vary depending on your log volume and the number of virtual machines on a host. In a typical environment this number will be between 250MB-350MB. See the information below for further details.

  • Total vCenter logs: 15 MB per host per day per vCenter. For example, 750MB in a 50 host environment.
  • ESXi host logs: 185 MB per day per host. (In a typical environment this can lie between 135MB - 235MB, but can vary widely depending on your environment)
  • Total API per host: 10 MB per day per host.
  • Total API data per VM: 3 MB per day.

Splunk data collection node resource requirements

The default OVA provided as part of the download is pre-configured with resources set according to the requirements below. Follow the requirements listed below to configure your own data collection node.

Resource requirements

A single data collection node requires:

  • 4 cores - 4 vCPUs or 2 vCPUs with 2 cores with a reservation of 2 GHz.
  • 6GB memory with a reservation of 1 GB.
  • 4-10 GB of disk space. The default virtual machine that Splunk provides already has this set.

At these requirements, one data collection node can collect from 40 ESXi hosts. This is a safe recommendation. That is, 1 core per 10 ESXi hosts.

Software requirements

A single data collection node requires:

  • A Splunk supported version of CentOS or RedHat Enterprise Linux (RHEL) that is supported by Splunk version 5.0.4 or later.
  • A Splunk heavy forwarder or light forwarder, version 5.0 or later. This is a minimum Splunk requirement for the Splunk App for VMware. (Python is required.)
  • The Splunk for VMware app components SA-Hydra, SA-Utils, and Splunk_TA_vmware.
Last modified on 06 May, 2014
PREVIOUS
Setup Requirements
  NEXT
Plan your deployment

This documentation applies to the following versions of Splunk® App for VMware (Legacy): 3.0.1


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters