Splunk® App for VMware

Configuration Guide


This documentation does not apply to the most recent version of VMW.

Set up a data collection node

To collect data from your VMware vSphere environment with Splunk App for VMware, choose one of the data collection node options.

Note: If the Splunk App for NetApp Data ONTAP version 2.0.1 or above is installed in your environment, get the latest SA-Hydra and SA-Utils version from the Splunk App for VMware 3.0.2 or above and overwrite the existing versions of SA-Hydra and SA-Utils on the NetApp ONTAP data collection node. The data collection node is not automatically updated when you install the latest version of the Splunk App for VMware.

Data collection node requirements

A data collection node requires four virtual cores to collect data from approximately 40 ESXi hosts.

Your system must meet the following requirements.

  • Four cores: 4 vCPUs, or 2 vCPUs with two cores, with a reservation of 2GHz.
  • 6GB memory with a reservation of 1GB.
  • 4-10GB of disk space.

You can build a data collection node and configure it for your environment. Create and configure this data collection node on a physical machine or as a virtual machine image to deploy into your environment using vCenter.

Build a data collection node

To build a data collection node virtual machine, follow the guidelines set by VMware to create the virtual machine and to deploy it in your environment.

1. Install a CentOS or Red Hat Enterprise Linux version that is compatible with Splunk Enterprise version 6.0.1 or later.

2. Install Splunk Enterprise version 6.0.1 or later, and configure it as a light forwarder.

You cannot use a Splunk universal forwarder.

3. Install splunk_forwarder_for_vmware-<version>-<build_number>.zip.

4. Copy the file splunk_forwarder_for_vmware-<version>-<build_number>.zip from the download package to $SPLUNK_HOME.

5. Unzip splunk_forwarder_for_vmware-<version>-<build_number>.zip from $SPLUNK_HOME.

6. Verify that the data collection components SA-Utils, SA-Hydra, Splunk_TA_vmware, and Splunk_TA_esxilogs exist in $SPLUNK_HOME/etc/apps.

7. Verify that the firewall ports are correct. The DCN communicates with splunkd on port 8089.

The DCN communicates with the scheduler node on port 8008.
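
A post-build check for steps 6 and 7, added here as an example and not taken from Splunk's documentation or tooling: it confirms that the four data collection components exist under $SPLUNK_HOME/etc/apps and that ports 8089 and 8008 accept TCP connections. The function names and the host arguments are assumptions, and it needs bash and the coreutils `timeout` command.

```shell
#!/bin/sh
# Added example (not Splunk tooling): verify a freshly built data collection node.

# Components that step 6 says must exist in $SPLUNK_HOME/etc/apps.
DCN_COMPONENTS="SA-Utils SA-Hydra Splunk_TA_vmware Splunk_TA_esxilogs"

# Print one missing component per line; return 0 only when all four are present.
missing_dcn_components() {
    splunk_home="$1"
    missing=0
    for app in $DCN_COMPONENTS; do
        if [ ! -d "$splunk_home/etc/apps/$app" ]; then
            echo "$app"
            missing=1
        fi
    done
    return "$missing"
}

# Return 0 if a TCP connection to host:port opens within 3 seconds.
# Host and port are passed as arguments to bash, never spliced into the command.
port_reachable() {
    timeout 3 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
}

# check_dcn SPLUNK_HOME SPLUNKD_HOST SCHEDULER_HOST
# SPLUNKD_HOST is the host whose splunkd answers on 8089 (assumed: the DCN itself);
# SCHEDULER_HOST is the scheduler node, which the guide says uses port 8008.
check_dcn() {
    rc=0
    if ! absent=$(missing_dcn_components "$1"); then
        echo "FAIL missing in $1/etc/apps: $(echo "$absent" | tr '\n' ' ')"
        rc=1
    fi
    port_reachable "$2" 8089 || { echo "FAIL $2:8089 (splunkd) not reachable"; rc=1; }
    port_reachable "$3" 8008 || { echo "FAIL $3:8008 (scheduler) not reachable"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK components present, ports reachable"
    return "$rc"
}

# Run only when called with all three arguments.
if [ "$#" -eq 3 ]; then
    check_dcn "$@"
    exit $?
fi
```

Run it on the node as `sh check_dcn.sh "$SPLUNK_HOME" <splunkd_host> <scheduler_host>`; a non-zero exit status means at least one check failed.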

After you deploy the collection components, add the forwarder to your distributed collection scheduler. See "Configure the data collection node to collect data" in the Installation Guide.

Set up forwarding to the same port that the Splunk indexer uses. See "Set up forwarding and receiving" in the Splunk Enterprise Forwarding Data manual.

The default credentials for the Splunk user are admin/changeme. To access splunkd on this forwarder from the scheduler, change the password. Run the following command on this forwarder, replacing newpassword with the password you choose.

./splunk edit user admin -password 'newpassword' -role admin -auth admin:changeme

Enable troubleshooting logs

After you create a data collection node, enable logging to troubleshoot DCN issues. Enabling this type of logging on the DCN does not contribute to the indexing tally on your Splunk Enterprise license.

1. On your DCN, create a directory under $SPLUNK_HOME/etc/apps/splunk-app-for-vmware_31/etc/apps/SA-Hydra called local.

2. Copy the outputs.conf file from SA-Hydra/default, then paste it into the .../SA-Hydra/local directory.

3. Open the SA-Hydra/local/outputs.conf file.

4. Uncomment the following lines:

forwardedindex.3.whitelist = _internal

Last modified on 28 September, 2016

This documentation applies to the following versions of Splunk® App for VMware: 3.1.1, 3.1.2, 3.1.3, 3.1.4
