Splunk® App for VMware (Legacy)

Configuration Guide

On August 31, 2022, the Splunk App for VMware will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for VMware Dashboards and Reports.
This documentation does not apply to the most recent version of Splunk® App for VMware (Legacy). For documentation on the most recent version, go to the latest release.

Deploy Splunk App for VMware in an indexer cluster deployment

An indexer cluster is a group of of Splunk Enterprise indexers configured to replicate each others' data so that the system keeps multiple copies of all of the data. This process is known as index replication. Cluster deployments promote disaster recovery as they maintain multiple, identical copies of the data. This deployment also promotes high availability of the data for searching.

An overview of indexer clusters

An indexer cluster contains the following nodes:

  • A single master node to manage the cluster. The master node is a special type of indexer.
  • Several peer nodes that handle the indexing function for the cluster, indexing and maintaining multiple copies of the data and running searches across the data.
  • One or more search heads to coordinate searches across all of the peer nodes.

There are additional configuration steps, beyond what's needed for a stand-alone indexer, for setting up a cluster. See "About clusters and index replication" in Managing Indexers and Clusters.

Before you set up an indexer cluster, see "Key differences between clustered and non-clustered deployments".

Configure an indexer cluster for Splunk App for VMware

When you configure an indexer cluster for Splunk App for VMware, you add indexes to make VMware data available to the cluster. Splunk App for VMware uses the "_internal" and the "_audit" indexes by default.

Note: To add a new index to a cluster, edit the indexes.conf file. You can not add an index using Splunk Web or the CLI. See "Configure the peer indexes".

Before you configure a cluster for Splunk App for VMware, make sure that your environment meets the following requirements:

  • Your environment has at least one deployed indexer cluster. See "Deployment overview".
  • Apps are distributed across all of the peers in your environment. See "How to distribute apps to all the peers".
  • Splunk App for VMware is installed on the search head, master nodes, and search peers under the $SPLUNK_HOME/etc/apps directory.
  • Delete SA-Utils from the master-apps directory before issuing the 'apply cluster-bundle' command. If SA-Utils is deployed, it will prevent the UI on any indexers from starting up.
  • The master node, the peer nodes, and the search head for a clustered environment are enabled. See Deploy a cluster.
  1. Determine which replication factor you want to implement. The replication factor is the number of copies of raw data that the cluster maintains. It must be less than or equal to the number of search peers, which are also called slave nodes.
  2. On the master node in $SPLUNK_HOME/etc/master-apps/_cluster/local/indexes.conf, add the new indexes vmware-beta, vmware, vmware-perf, vmware-inv, vmware-taskevent, vmware-vclog, vmware-esxilog and set the the repFactor attribute to auto for each index. This attribute enables the index data to be replicated to other peers in the cluster.
    [vmware-beta]
    repFactor=auto
    [vmware]
    repFactor=auto
    [vmware-perf]
    repFactor=auto
    [vmware-inv]
    repFactor=auto
    [vmware-taskevent]
    repFactor=auto
    [vmware-vclog]
    repFactor=auto
    [vmware-esxilog]
    repFactor=auto
  3. On the master node, log in to Splunk Web or use the CLI.
  4. Distribute the configuration bundle to the search peers in $SPLUNK_HOME/etc/master-apps. This distribution updates $SPLUNK_HOME/etc/slave-apps/_cluster/local/indexes.conf on all the search peers and adds the index configuration to the master node.
  5. (Optional) Distribute apps to all peers and share them across the cluster.
    1. Add each app under $SPLUNK_HOME/etc/master-apps/<app-name>.
    2. Distribute the following Splunk App for VMware components to all search peers.
      /Splunk_TA_vmware
      /Splunk_TA_esxilogs
      /Splunk_TA_vcenter
      /SA-Hydra
      /SA-Utils
    3. On the search peers, verify that the app files exist in $SPLUNK_HOME/etc/slave-apps/<app_name>. See How to distribute apps to all peers.

After you set up the cluster for Splunk App for VMware, set up the data collection nodes. See "Get a data collection node". Review the data collection nodes and verify that the VMware data is forwarded to the indexers in the cluster.

After you configure the indexers and data collection nodes for Splunk App for VMware in a cluster, log in to Splunk Web on the search head to view the Splunk App for VMware dashboards and use Splunk App for VMware.

Sharing apps in a cluster

The master node distributes new or edited configuration files or apps across all the peers.

For example, to share a saved search across the peer nodes, add the saved search to $SPLUNK_HOME/etc/master-apps/<app-name>/. Update the savedsearches.conf file. Log in to Splunk Web on the cluster master and push the configuration bundle. After you update savedsearches.conf, view the apps in $SPLUNK_HOME/etc/slave-apps/<app-name>/.

See "Update common peer configurations and apps" for more information on sharing apps in a cluster.

Managing configuration changes

After you distribute the set of peers to Splunk App for VMware, launch and manage Splunk App for VMware on each peer with Splunk Web. See "Managing app configurations and properties" in the Splunk Enterprise Admin Manual.

Last modified on 15 September, 2015
Use the Distributed Collection Scheduler to collect data from all hosts   Manage data collection

This documentation applies to the following versions of Splunk® App for VMware (Legacy): 3.1.1, 3.1.2, 3.1.3, 3.1.4


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters