Splunk® App for VMware (Legacy)

Configuration Guide



On August 31, 2022, the Splunk App for VMware will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for VMware Dashboards and Reports.
This documentation does not apply to the most recent version of Splunk® App for VMware (Legacy). For documentation on the most recent version, go to the latest release.

Filter log data collection

You can filter vCenter Server log data and ESXi log data by routing it to nullQueue. nullQueue discards the data when TA-vmware receives it from the vCenter Server forwarder, so the events are never indexed. Adjust the content of props.conf to reduce the volume of data you index: the TRANSFORMS attributes in props.conf name stanzas in transforms.conf, and transforms.conf performs the actual routing of the matching sourcetypes to nullQueue.


Filter vCenter Server log data example

1. To filter vCenter Server log data, locate the props.conf file for Splunk_TA-vcenter on the universal or heavyweight forwarder on the vCenter Server. The props.conf you need is the one on the forwarder or indexer that parses events.

  • If the forwarder on the vCenter Server is a heavyweight forwarder, open its props.conf for editing.
  • If the forwarder on the vCenter Server is a universal forwarder, find the heavyweight forwarder operating as an intermediate forwarder, or the indexer that parses events, then open its props.conf for editing.

2. In the props.conf file, uncomment the TRANSFORMS routing attributes that determine how the vpxd events are routed.

For sourcetype = vmware:vclog:vpxd, uncomment the following lines:

#TRANSFORMS-null1 = vmware_vpxd_level_null
#TRANSFORMS-null4 = vmware_vpxd_retrieveContents_null
#TRANSFORMS-null5 = vmware_vpxd_null


For sourcetype = vmware:vclog:vpxd-alert, uncomment the following line:

#TRANSFORMS-null2 = vmware_vpxd_level_null,vmware_vpxd_level_null2


For sourcetype = vmware:vclog:vpxd-profiler, uncomment the following line:

#TRANSFORMS-null3 = vmware_vpxd_level_null,vmware_vpxd_level_null2

Filter ESXi logs example

This example filters ESXi logs so that events with sourcetype=vmware:esxlog:sfcb-vmware are sent to nullQueue.

1. To filter ESXi logs, locate and open the props.conf file for Splunk_TA_esxilogs on the intermediate forwarder for syslog data. The props.conf you need is the one on the forwarder or indexer that parses events.

  • If the syslog forwarder is a heavyweight forwarder, open its props.conf for editing.
  • If the syslog forwarder is a universal forwarder operating as an intermediate forwarder, find the heavyweight forwarder or the indexer that parses events, then open its props.conf for editing.

2. In the props.conf file, add the following entry:

[vmw-syslog]
TRANSFORMS-z_nullqueue = sfcb_to_null

3. Locate and open the transforms.conf for Splunk_TA_esxilogs.

4. Splunk Enterprise filters data based on sourcetype at index time. To filter the data by sourcetype, add the following entry:

[sfcb_to_null]
SOURCE_KEY = MetaData:Sourcetype
REGEX = vmware:esxlog:sfcb-vmware
DEST_KEY = queue
FORMAT = nullQueue

The transform routes a syslog event to nullQueue when the string sfcb-vmware matches the event's sourcetype (SOURCE_KEY = MetaData:Sourcetype), not the text of the event itself.
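The following is an added example that is not part of this documentation and not Splunk code: a small Python model of how the props.conf and transforms.conf entries above combine to send events to nullQueue. It parses the two stanza types, applies each TRANSFORMS attribute of the event's props stanza, and reports which events are dropped. The sample events, the sourcetype name vmware:esxlog:sfcb-vmware-extra (invented to show what an unanchored REGEX also matches), the default queue name indexQueue, the sorted order in which TRANSFORMS classes are applied, and the assumption that Splunk_TA_esxilogs has already rewritten the syslog events from vmw-syslog to their vmware:esxlog:* sourcetypes when the transform runs are all assumptions made for the example, not behaviour this page documents. It also covers the vCenter example by showing that a commented-out TRANSFORMS line has no effect until it is uncommented.

```python
import re

# Constructed props.conf and transforms.conf fragments. The [vmw-syslog] and
# [sfcb_to_null] stanzas mirror the ESXi example on this page; the commented-out
# vpxd line mirrors the vCenter example, where a filter stays inactive until you
# uncomment it.
PROPS_CONF = """
[vmw-syslog]
TRANSFORMS-z_nullqueue = sfcb_to_null

[vmware:vclog:vpxd]
#TRANSFORMS-null5 = vmware_vpxd_null
"""

TRANSFORMS_CONF = """
[sfcb_to_null]
SOURCE_KEY = MetaData:Sourcetype
REGEX = vmware:esxlog:sfcb-vmware
DEST_KEY = queue
FORMAT = nullQueue
"""

# Same transform with the regex anchored so only the exact sourcetype matches.
ANCHORED_TRANSFORMS_CONF = TRANSFORMS_CONF.replace(
    "REGEX = vmware:esxlog:sfcb-vmware", "REGEX = ^vmware:esxlog:sfcb-vmware$")

# Constructed events: 'stanza' is the props.conf stanza that applies to the event,
# 'sourcetype' is the value in MetaData:Sourcetype when the transform runs.
# Assumption: Splunk_TA_esxilogs has already rewritten the syslog events from
# vmw-syslog to their vmware:esxlog:* sourcetypes by then. The sfcb-vmware-extra
# name is invented to show what an unanchored REGEX also matches.
SAMPLE_EVENTS = [
    {"stanza": "vmw-syslog", "sourcetype": "vmware:esxlog:sfcb-vmware", "_raw": "sfcb-vmware[1234]: constructed line"},
    {"stanza": "vmw-syslog", "sourcetype": "vmware:esxlog:hostd", "_raw": "Hostd: constructed line"},
    {"stanza": "vmw-syslog", "sourcetype": "vmware:esxlog:sfcb-vmware-extra", "_raw": "constructed line"},
    {"stanza": "vmware:vclog:vpxd", "sourcetype": "vmware:vclog:vpxd", "_raw": "constructed vpxd line"},
]


def parse_conf(text):
    """Parse a minimal Splunk .conf text into {stanza: {key: value}}.

    Blank lines and lines starting with '#' are ignored, which is why a
    commented-out TRANSFORMS line has no effect until it is uncommented.
    """
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            stanzas[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            stanzas[current][key.strip()] = value.strip()
    return stanzas


def route_event(event, props, transforms):
    """Return the queue an event ends up in after its TRANSFORMS run.

    Simplified model of Splunk index-time routing: every TRANSFORMS-<class>
    attribute in the event's props stanza is applied (here in sorted class-name
    order, an assumption), a transform whose REGEX matches the SOURCE_KEY value
    writes FORMAT into DEST_KEY, and 'queue' starts as indexQueue (assumption).
    """
    keys = {
        "queue": "indexQueue",
        "MetaData:Sourcetype": event["sourcetype"],
        "_raw": event["_raw"],
    }
    stanza = props.get(event["stanza"], {})
    for attr in sorted(k for k in stanza if k.startswith("TRANSFORMS-")):
        for name in stanza[attr].split(","):
            transform = transforms.get(name.strip())
            if transform is None:
                continue  # referenced transform is not defined in transforms.conf
            # SOURCE_KEY defaults to _raw: without it the REGEX would be tested
            # against the event text instead of its sourcetype.
            subject = keys.get(transform.get("SOURCE_KEY", "_raw"), "")
            if re.search(transform["REGEX"], subject):
                keys[transform.get("DEST_KEY", "_raw")] = transform["FORMAT"]
    return keys["queue"]


def filter_events(events, props_text=PROPS_CONF, transforms_text=TRANSFORMS_CONF):
    """Split events into (kept, dropped) sourcetype lists; dropped = sent to nullQueue."""
    props, transforms = parse_conf(props_text), parse_conf(transforms_text)
    kept, dropped = [], []
    for event in events:
        target = dropped if route_event(event, props, transforms) == "nullQueue" else kept
        target.append(event["sourcetype"])
    return kept, dropped


if __name__ == "__main__":
    for label, conf in (("unanchored", TRANSFORMS_CONF), ("anchored", ANCHORED_TRANSFORMS_CONF)):
        kept, dropped = filter_events(SAMPLE_EVENTS, transforms_text=conf)
        print(f"{label}: kept={kept} dropped={dropped}")
```

Two points the model makes visible: the REGEX shown on this page is unanchored, so any sourcetype that merely contains vmware:esxlog:sfcb-vmware is also discarded, and anchoring it with ^ and $ narrows the filter to the exact sourcetype; and because SOURCE_KEY defaults to _raw, leaving it out would test the pattern against event text rather than the sourcetype, which is a different filter from the one this page describes.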


For more information on nullQueue, see Filter event data and send it to queues.

Last modified on 22 June, 2016

This documentation applies to the following versions of Splunk® App for VMware (Legacy): 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.2.0, 3.2.1, 3.2.2

