Splunk® App for VMware (Legacy)

Installation and Configuration Guide

On August 31, 2022, the Splunk App for VMware will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for VMware Dashboards and Reports.
This documentation does not apply to the most recent version of Splunk® App for VMware (Legacy). For documentation on the most recent version, go to the latest release.

The data we collect

What data can I get

The vCenter database contains many different types of data about the virtual environment. Information is stored about the managed entities (for example, data center, cluster, host, VM, and so on), about the relationships between the objects in the environment (how they are physically arranged and managed in relation to one another), and performance data for specific inventory objects. This is just some of the information that is stored. It contains performance statistics for Virtual Machines and hosts. Virtual Center logs contain basic information about Virtual Center and the database. Logs for other components are not on the vCenter server. Splunk for VMware collects data from the resources and maps it to Splunk App for VMware enabling you to explore and work with the data in the ways you want.

Data collection from Virtual Center is managed by the scheduler in conjunction with the data collection nodes. The exception to this is the collection of syslog data from hosts and the collection of vCenter log data.

CIM compliance

Splunk for VMware now complies with the Common Information Model (CIM). See the Splunk documentation on how to "Understand and use the Common Information Model" in the Knowledge Manager Manual. CIM is a system for categorizing data from different sources and across different domains. The Splunk App for VMware implements the Common Information Model to apply a search time schema to IT data, incorporate it in the dashboards, and correlate it across different source types and domains.

When you add sourcetypes for your data to Splunk for VMware, refer to the core Splunk CIM documentation to ensure that you follow the requirements for data processing to CIM standards.

The data we Splunk

The following VMware environment data types are collected by Splunk for VMware:

Data source Data type Description
API Inventory data This data is collected from vCenter and contains information about specific inventory objects in vSphere, such as properties. This includes managed entities, which are top-level inventory objects (such as data center, cluster, host, VM, and so on), inventory "sub-components" (such as vNICs, vHBAs, and so on), and other useful data ( for example, software components and version information).
API Hierarchy data This is information about the relationships between the different inventory object types and how they are structured hierarchically in vSphere for management purposes. Hierarchy information is represented as a “tree view” on the left side of the “Host and Clusters” view (or "Inventory" view) in the vSphere Client, when pointed at a Virtual Center (or at an indivdual ESX/i host). It mainly contains the relationships between top-level inventory objects (known as “managed entities”). It does not contain information about the inventory objects themselves. This data is collected as...
API Performance data Performance data is collected from the ESX and ESX/i hosts. There are several major categories of performance data including CPU, memory, network, and storage. Performance data can be found in the "Performance" tab of the vSphere Client when pointed at a Virtual Center or at an individual ESX/i host. This data is collected by...
API Tasks data Tasks data is collected from vCenter.Tasks are actions that you perform in the system such as creating a Virtual Machine or powering down a host. In the vSphere Client (when pointed at a vCenter machine or at an individual ESX/i host) you can look at the Recent tasks panel and you can see a task history on the Tasks & Events tab. This data is collected by...
API Events data Event data is collected from vCenter. This data contains notifications of things that happen in the system either as a result of tasks, or ongoing operations. These are also called VMware events so as to not confuse them with Splunk events ( the data that Splunk captures and makes searchable from any source, not just VMware). You can find VMware event histories in the Tasks & Events" tab of the vSphere Client when pointed at a Virtual Center or at an individual ESX/i host. This data is collected by...
logs on vCenter vCenter logs These are log files generated by the vCenter Server. This log data from vCenter is collected using the Splunk for vCenter add-on.
syslog ESX/i Server logs These are log files generated by the ESX and ESXi hosts. This data is collected by configuring the ESX/i hosts to send the logs to a syslog server (over the network).
Last modified on 26 September, 2013
VMware quick reference   Component reference table

This documentation applies to the following versions of Splunk® App for VMware (Legacy): 3.0


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters