Set up a data collection node

To collect data from your VMware vSphere environment with Splunk App for VMware, choose one of the data collection node options.

• Use the Data Collection Node OVA. See "Size and deploy the Data Collection Node OVA" in the Installation Guide.
• Build a data collection node. See "Data collection node requirements" and "Build a data collection node."

Note: If the Splunk App for NetApp Data ONTAP version 2.0.1 or above is installed in your environment, get the latest SA-Hydra and SA-Utils version from the Splunk App for Vmware 3.0.2 or above and overwrite the existing versions of SA-Hydra and SA-Utils on the NetApp ONTAP data collection node. The data collection node is not automatically updated when you install the latest version of the Splunk App for VMware.

Data collection node requirements

A data collection node requires four virtual cores to collect data from approximately 40 ESXi hosts.

Your system must meet the following requirements.

• Four cores. 4 vCPUs or 2 vCPUs with two cores with a reservation of 2GHz.
• 6GB memory with a reservation of 1GB.
• 4-10GB of disk space.

You can build a data collection node and configure it for your environment. Create and configure this data collection node on a physical machine or as a virtual machine image to deploy into your environment using vCenter.

Build a data collection node

To build a data collection node virtual machine, follow the guidelines set by VMware to create the virtual machine and to deploy it in your environment.

1. Install a CentOS or RedHat Enterprise Linux version that is compatible with Splunk Enterprise version 6.0.1 or later.

2. Install Splunk Enterprise version 6.0.1 or later, and configure it as a light forwarder.

You cannot use a Splunk universal forwarder.

3. Install splunk_forwarder_for_vmware-<version>-<build_number>.zip.

4. Copy the file splunk_forwarder_for_vmware-<version>-<build_number>.zip from the download package to $SPLUNK_HOME.

5. Unzip splunk_forwarder_for_vmware-<version>-<build_number>.zip from $SPLUNK_HOME.

6. Verify that the data collection components SA-Utils, SA-Hydra, Splunk_TA_vmware, and Splunk_TA_esxilogs exist in $SPLUNK_HOME/etc/apps.

7. Verify that the firewall ports are correct. The DCN communicates with splunkd on port 8089.

The DCN communicates with the scheduler node on port 8008.

After you deploy the collection components, add the forwarder to your distributed collection scheduler. See "Configure the data collection node to collect data" in the Installation Guide.

Set up forwarding to the same port that the Splunk indexer uses. See "Set up forwarding and receiving" in the Splunk Enterprise Forwarding Data manual.

The default credentials for the Splunk user are admin/changeme. To access splunkd on this forwarder from the scheduler, change the password. Use the following command for this forwarder.

Enable troubleshooting logs

After you create a data collection node, enable logging to troubleshoot DCN issues. Enabling this type of logging on the DCN does not contribute to the indexing tally on your Splunk Enterprise license.

1. On your DCN, create a directory under $SPLUNK_HOME/etc/apps/splunk-app-for-vmware_31/etc/apps/SA-Hydra called local.

2. Copy the outputs.conf file from SA-Hydra/default, then paste it into the .../SA-Hydra/local directory.

3. Open the SA-Hydra/local/outputs.conf file.

4. Convert the following lines from comments into code:

[tcpout]

forwardedindex.3.whitelist = _internal