Splunk® App for VMware (Legacy)

Configuration Guide



On August 31, 2022, the Splunk App for VMware will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for VMware Dashboards and Reports.
This documentation does not apply to the most recent version of Splunk® App for VMware (Legacy). For documentation on the most recent version, go to the latest release.

Configure and deploy the Splunk App for VMware

Configure and deploy the Splunk App for VMware either as a single-server deployment or as a distributed deployment.

Single-server Splunk Enterprise deployment

In a single-server deployment, install Splunk App for VMware on the main Splunk indexer or search head. The data collection node communicates with this Splunk Enterprise instance to collect vCenter Server API data. This is the basic installation we cover in the Installation Guide.

Distributed Splunk Enterprise deployment

In a distributed deployment, install Splunk App for VMware on the search head. Install the add-ons on your indexers. The data collection node forwards the data to the indexers. Use the search head to search the data and to view the app dashboards.

An example of a simple deployment of the Splunk App for VMware

A typical deployment contains the following components.


Component | Description
vCenter Server | The VMware vCenter Server system that manages your virtual infrastructure. It monitors and manages the ESXi hosts in your environment. The Splunk App for VMware uses the VMware vSphere API to get data from vCenter Server. The data collection node communicates with the vCenter Server API to collect data. Install a Splunk Universal Forwarder on vCenter Server to collect vCenter Server data.
ESXi hosts | Virtual hosts that run on the VMware ESXi hypervisor architecture. vCenter Server monitors and manages these hosts.
Splunk Enterprise search head | Install the Splunk App for VMware on a search head running Splunk Enterprise version 6.2.0 or later, and use Splunk Web to run searches on the data and view the app dashboards. The default scheduled searches run on the search head to query data on the indexers. The search head stores the search results for later use or displays the results in the app dashboards. The app contains the UI components, the searches, and the indexing definitions for your vCenter Server data. The app installation includes the Distributed Collection Scheduler (SA-Hydra version 4.0.2) and SA-Utils version 3.5.0. Splunk App for VMware cannot schedule jobs without the SA-Hydra component.
Splunk indexer | A Splunk Enterprise instance, version 6.2.0 or later. Install all of the Splunk App for VMware add-ons on one or more indexers.
Data Collection Node (DCN) | Makes API calls to the vCenter Server to collect data from it. The DCN must have network access to both your vCenter Server and the search head that hosts the Distributed Collection Scheduler. You can create a DCN or use the Splunk-provided OVA template to deploy a Data Collection Node in your VMware vSphere environment. The DCN OVA file is preconfigured with:
  • a version of CentOS that is supported by Splunk Enterprise version 6.2.0 or later
  • a Splunk Enterprise heavy forwarder, version 6.3.1 or later
  • the data collection components: SA-Hydra version 4.0.2, SA-Utils version 3.5.0, and Splunk_TA_vmware
Distributed Collection Scheduler (DCS) | Runs on the Splunk search head where you installed the Splunk App for VMware. Using one or more Data Collection Nodes, it orchestrates API data collection from vCenter Server. After you deploy a DCN, use the Collection Configuration dashboard to configure the DCN for data collection. In large, complex Splunk Enterprise deployments, you can install the Distributed Collection Scheduler on a dedicated Splunk Enterprise instance to distribute the data collection load.

What you can do with your deployment using this manual

Once you have the deployment described above, use this Configuration Guide to build a deployment that best meets your needs.

Last modified on 22 June, 2016

This documentation applies to the following versions of Splunk® App for VMware (Legacy): 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.2.0, 3.2.1, 3.2.2

