Install the Splunk App for VMware in a distributed deployment
Search Head Cluster environments
Versions 3.2.0 and later of the Splunk App for VMware support search head cluster (SHC) environments. See the image below for guidance on how the Splunk App for VMware is deployed across an SHC environment.
Prerequisites
- For Search Head Clustering, you need a minimum of 3 instances of Splunk Enterprise to serve as search head cluster members, and one additional instance that serves as a deployer, which you use to distribute apps and updated configurations to the cluster members.
- The data collection node (DCN) scheduler must be deployed on a dedicated search head, and not on any individual search head in the SHC.
- Each search head cluster member should be fresh install of Splunk and not re-purposed splunk instance.
- You have migrated your settings from a Search Head Pool to a Search Head cluster. For more information, see Migrate from a search head pool to a search head cluster in the "Splunk Enterprise Distributed Search Manual".
- You have a licensed version of Splunk Enterprise installed and running in your environment.
- You have access to the Splunk App for VMware and permission to install it.
- You have configured your deployment's Data Model properties, located in datamodels.conf on your indexers.
- You must use the search head cluster deployer to distribute your configurations across your set of search head cluster members.
Install the Splunk App for VMware in a search head cluster environment
1. Take the file splunk_app_vmware-<version>-<build_number>.zip that you downloaded from Splunkbase and put it in a temporary directory. This avoids overriding critical files.
cp splunk_app_vmware-<version>-<build_number>.zip /tmp
2. Change to the /tmp directory, and unzip the app package.
cd /tmpunzip splunk_app_vmware-<version>-<build_number>.zip
3. Copy the unzipped files and move into your deployer's apps folder inside the shcluster folder.
cp -r etc/apps/* $SPLUNK_HOME/etc/shcluster/apps/
4. Verify that all of the apps and the sub directories were copied correctly and reside in the $SPLUNK_HOME/etc/shcluster/apps folder.
SA-Hydra/…SA-Utils/…SA-VMW-LogEventTask/…splunk_for_vmware/…Splunk_TA_vcenter/…SA-Threshold/…SA-VMW-HierarchyInventory/…SA-VMW-Performance/…Splunk_TA_esxilogs/…Splunk_TA_vmware/…
5. On your deployer, deploy the Splunk App for VMware app onto any member of your SHC.
./splunk apply shcluster-bundle -target <URI>:<management_port> -auth <username>:<password>
6. Restart Splunk in each of the locations where you installed the app. For both Windows and Unix instructions, see "Start and stop Spunk" in the Splunk Admin Manual.
Distributed deployment component reference table
The below tables display and describe the individual components of a distributed deployment of the Splunk App for VMware. Refer to these tables to install the Splunk App for VMware on your distributed deployment.
Install components
This table describes where to install the individual components of Splunk App for VMWare in your distributed environment.
| Component | Search head | Scheduler | Indexer | DCN | ESXi log Fwd | vCenter log Fwd |
|---|---|---|---|---|---|---|
| Splunk_TA_vmware | ✔ | ✔ | ✔ | ✔ | ||
| Splunk_TA_esxilogs | ✔ | ✔ | ✔ | |||
| Splunk_TA_vcenter | ✔ | ✔ | ✔ | |||
| SA-VMW-LogEventTask | ✔ | |||||
| SA-VMW-Performance | ✔ | |||||
| SA-VMW-HierarchyInventory | ✔ | |||||
| splunk_for_vmware | ✔ | ✔ | ||||
| SA-Hydra | ✔ | ✔ | ✔ | |||
| SA-Utils | ✔ | ✔ | ✔ | |||
| SA-Threshold | ✔ |
Reference this table to see the Splunk App for VMware components that are installed and where the components get installed in the Splunk Enterprise and VMware infrastructure.
| Component name | Description |
|---|---|
| Search head | If you have a dedicated search head, install all of the components on it. Be sure to install SA-Hydra and SA-utils as you can not schedule jobs without them. |
| Indexer | Install all TA components on a dedicated indexer. |
| Data Collection Node | The data collection node OVA ships with all components installed on it. To build your own data collection node, install Splunk_TA_vmware on the DCN. |
| Esxi host | Install the log forwarding technology on the ESXi host. If you use an intermediate heavy forwarder to forward logs, install Splunk_TA_esxi_logs on the forwarder. |
| vCenter server | Only install the log forwarding technology on the vCenter server. If you use a universal forwarder or light forwarder to forward vCenter logs, install TA_vcenter on it as it contains scripts that configure the inputs.conf.
|
| License Master | Follow detailed instruction to set a VMware license to work with a remote license master. |
Component locations
| Component name | Description | |
|---|---|---|
| Splunk app for VMware | This component contains the UI components and knowledge objects of the app. Install it on the indexers and search heads in your VMware environment. It contains the following components in etc/apps:
| |
| Splunk TA for VMware vCenter (Splunk_TA_vcenter) | This component collects vCenter log data and forwards it to the indexer(s) in your environment. Install it on the Splunk Forwarder (UF/HF) running on your vCenter machines. If you use a light forwarder, you do not need to use this component. | |
| Splunk forwarder for VMware (Splunk_TA_vmware) | Use this component to create your own data collection node (DCN). It is shipped as part of the pre-configured OVA. When creating your own data collection node install it on a Splunk light forwarders or heavy forwarder on your data collection node. This app component makes API calls to vCenter to collect VMware API data and forwards that data to your Splunk indexer/search head. This data includes performance, inventory, hierarchy, and tasks and event data. The DCN collects API data directly from vCenter. The data collection node does not make API calls to ESXi hosts. | |
| The data collection node OVA | This is the pre-configured virtual machine distributed as an OVA to collect API data from your environment. This image of a centOS virtual machine includes the following components:
|
Learn More
- For an overview of search head clustering, see "Search head clustering architecture" in the "Splunk Enterprise Distributed Search Manual".
- See Deploy a search head cluster in the "Splunk Enterprise Distributed Search Manual" for more information on how to install, configure and deploy a search head cluster.
- See "Use the deployer to distribute apps and configuration updates" in the "Splunk Enterprise Distributed Search Manual".
- For more information on how to configure the Splunk App for VMware in a complex deployment, click here.
| Download and install Splunk App for VMware | Assign user roles for Splunk App for VMware |
This documentation applies to the following versions of Splunk® App for VMware (Legacy): 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.2.0, 3.2.1, 3.2.2
Download manual
Feedback submitted, thanks!