Collect data from your environment
Now that you have the Splunk App for VMware installed, configure it to collect data from the VMware resources in your environment. Once configured you can validate that you are collecting the full set of data you specified and that the data being collected is correct.
In Splunk Web on the search head, from the app menu, select VMware. The VMware app is displayed. Got to Settings >Collection Configuration to navigate to that dashboard.
Add a data collection node
Data collection nodes are managed by the Distributed Collection Scheduler. You can add data collection nodes to the Distributed Collection Scheduler and configure worker processes on each node. Each time you access a node, the credentials for Splunk and the add-ons on that node are validated . Do this for each data collection node on an individual basis.
To add a node:
- On the Collection Configuration dashboard, in the Data collection node panel, click + to add a new data collection node to register it with your Distributed Collection Scheduler.
- Configure this node to collect data from your environment using the Create new Collection Node dialog. The node is not configured with default settings.
- Enter the management URI to the Splunk forwarder on the data collection node. Specify the full management URI of the Splunk installation. This is comprised of the protocol (https is required), the address, and the port number for the management URI. For example,
https://testnode1:8089
. Port 8089 is the default management port for a Splunk forwarder (not a universal forwarder). - Splunk Forwarder Username: The default username is
admin
. - Splunk Forwarder Password: The default password is
changeme
. Note that when deploying the data collection node, you were prompted to change the Splunk admin default password. - Worker processes: A number from 1 to 8, that reflects the number of processes you want to run on the data collection node to process the data and forward it to the indexer(s). For more information see "Splunk data collection node resource requirements".
- Enter the management URI to the Splunk forwarder on the data collection node. Specify the full management URI of the Splunk installation. This is comprised of the protocol (https is required), the address, and the port number for the management URI. For example,
- Click Save to add a new node and display it on the dashboard.
- Validate that the node is configured correctly: You configured the node correctly if the node box has a green check mark in it, Credential validation passed (green check box), and Add-on Validation passed (green check box).
Add a Virtual Center
Add a Virtual Center and configure it as a source of data in your environment. Do this for each Virtual Center on an individual basis.
Note: When you add or remove a vCenter from your environment, stop and restart the Distributed Collection Scheduler.
To add a Virtual Center:
- On the Collection Configuration dashboard, in the Virtual Centers panel, click + to add a new Virtual Center.
- Configure Virtual Center settings using the Collect from New Virtual Center dialog.
- Enter the fully qualified domain name for the virtual center: For example,
test-vcenter100.example.com
- Enter a VC Username: for example
administrator
as a local user,splunkadmin@splunk.local
as an Active Directory domain user. - Enter a VC password: The password you use to access the vCenter.
- Collect VC logs is disabled by default. Select the box to enable data collection. To collect vCenter log data provide the following information:
- Enter the VC Splunk forwarder URI: For example,
https://test-vcenter100:8089
- Enter the VC Splunk forwarder Username: For example, the default
admin
. - Enter the VC Splunk forwarder password: For example, the default password
changeme
. When you installed the forwarder on the vCenter server, you were prompted to changed the Splunk admin default password.
- Enter the VC Splunk forwarder URI: For example,
- Collect from all hosts is enabled by default. The app collects performance data from all hosts unless you change the configuration settings. Check the box to disable data collection from all hosts managed by the Virtual Center. In this case you can specify from which hosts you want to collect data. To specify collection from specific hosts, enter a regular expression in the Host whitelist Regex field.
- Enter the fully qualified domain name for the virtual center: For example,
- Click Save to add a new vCenter and display it on the dashboard.
- Validate that the vCenter is configured correctly: You configured the vCenter correctly if the vCenter box has a green check mark in it, and credential validation passed (green check box).
- Select the magnifying glass beside the hosts field to validate that the hosts specified are included in the data collection configuration and others not meeting the requirements are in the Excluded Hosts list. A Managed Hosts dialog is displayed showing the list of included and excluded hosts.
- Click Close.
Start the Distributed Collection Scheduler
When you have your environment configured to collect data, click Start Scheduler. The Distributed Collection Scheduler starts the data collection process and data is collected from the resources in your environment. For more information about the Distributed Collection Scheduler, see "The Distributed Collection Scheduler" in this manual.
Note: To edit configuration settings see "Advanced configuration" in this manual.
Advanced configuration
Configure hosts
For a configured vCenter, if a new host is aded to your environment, it is automatically picked up by the app. You have options to collect data from all hosts or to collect data only from specific hosts.
Whitelisting or blacklisting hosts
- After configuring a Virtual Center to work with Splunk for VMware, on the Collection Configuration dashboard, in the Virtual Centers panel, select the pencil to edit Virtual Center settings.
- To collect performance data from all hosts, leave the box Collect from all hosts checked.
- To specify the hosts that you want to collect data from, uncheck the box, Collect from all hosts, and use the whitelist and blacklist fields to define your data collection. Use regular expressions to filter your data collection.
- For example, if you have 4 hosts (host01.company.com, host02.company.com, host03.company.com, and host04.company.com). To collect data from host01 and host02 only, in the Host whitelist Regex field, enter the following regular expression:
0[12]
.
- For example, if you have 4 hosts (host01.company.com, host02.company.com, host03.company.com, and host04.company.com). To collect data from host01 and host02 only, in the Host whitelist Regex field, enter the following regular expression:
- Click Save to return to the configuration page.
- Now select the magnifying glass beside the hosts field to validate that you are collecting data only from the hosts specified. A Managed Hosts dialog is displayed showing the list of host that match the criteria and those that do not are displayed in the excluded hosts list. Now click Close.
Edit data collection node settings
To edit the configuration of your data collection node:
- On the Collection Configuration dashboard, in the data collection nodes panel, select the required node box, then select the pencil.
- You can the properties for the node, then click Save to update the configuration.
Delete a data collection node
Deleting a data collection node unregisters it from your Distributed Collection Scheduler. It will no longer process data or forward data to your Splunk indexer.
To remove a data collection node from the Distributed Collection Scheduler configuration:
- On the Collection Configuration dashboard, in the data collection nodes panel, select the required node box, then select the Trash can.
- Confirm that you want to delete the node.
- The node icon is removed from the panel in the dashboard.
Edit Virtual Center settings
To Edit Virtual Center settings:
- On the Collection Configuration dashboard, in the VirtualCenter panel, select the required vCenter, then select the pencil.
- You can the properties for the node, then click Save to update the configuration.
Delete a Virtual Center
Deleting a Virtual Center stops data collection from this machine your VMware environment.
Note: When you add or remove a vCenter server from your environment, stop and restart the Distributed Collection Scheduler.
To delete a Virtual Center
- On the Collection Configuration dashboard, in the Virtual Center panel, select the vCenter server, then select the Trash can.
- Confirm that you want to delete the Virtual Center, then click Save.
- The vCenter server icon is removed from the panel in the dashboard.
Upgrade | Launch Splunk Web |
This documentation applies to the following versions of Splunk® App for VMware (Legacy): 3.1
Feedback submitted, thanks!