Splunk® App for VMware (Legacy)

Installation and Configuration Guide

On August 31, 2022, the Splunk App for VMware will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for VMware Dashboards and Reports.
This documentation does not apply to the most recent version of Splunk® App for VMware (Legacy). For documentation on the most recent version, go to the latest release.

Component reference table

Component Distribution

Look at this table to see the individual app components to install in your environment.

Component Search head Indexer DCN ESXi log Fwd vCenter log Fwd License Master
Splunk_TA_vmware Y Y Y
Splunk_TA_esxilogs Y Y Y
Splunk_TA_vcenter Y Y Y
SA-VMW-LogEventTask Y
SA-VMW-Licensecheck Y Y
SA-VMW-Performance Y
SA-VMW-HierarchyInventory Y
splunk_for_vmware Y
SA-Hydra Y Y Y
SA-Utils Y Y Y Y
SA-Threshold Y

Component Distribution Notes

Component name Description
Search head If you have a dedicated search head, install all of the app components on it. SA-Hydra and SA-utils must be installed as you can not schedule jobs without it.
Indexer Install all technology add-ons on a dedicated indexer.
Data Collection Node The data collection node OVA ships with all apps installed on it. To build your own data collection node, install Splunk_TA_vmware (the python based API data collection engine) on it. ESXi log data and vCenter log data is not collected through the API and therefore does not use the data collection node.
Esxi host Install the log forwarding technology on the ESXi host. If you use an intermediate heavy forwarder to forward logs, install Splunk_TA_esxi_logs on the forwarder. A light forwarder or universal forwarder does not need this.
vCenter Only install the log forwarding technology on it. If you use a universal forwarder or light forwarder to forward vCenter logs, install TA_vcenter on it as it contains scripts that configure the inputs.conf.
License Master In a license master and license slave environment, install SA-VMW-Licensecheck and SA-Utils on a Splunk instance configured as a license master. SA-VMW-Licensecheck checks runs every night to report license usage for the Splunk App for VMware and reports on the indexing volume allowed for your license. You will get a violation warning if you exceed your allocated volume. You can view license usage using the App Data Volume dashboard.

App components

Component name Description
Splunk app for VMware This component contains the UI components and knowledge objects of the App. Install it on the indexers and search heads in your VMware environment. It contains the following components in etc/apps:
  • SA-Utils
  • SA-Hydra
  • SA-Threshold
  • SA-VMW-Performance
  • SA-VMW-HierarchyInventory
  • SA-VMW-Licensecheck
  • SA-VMW-LogEventTask
  • splunk_for_vmware
  • Splunk_TA_esxilogs
  • Splunk_TA_vmware
  • Splunk_TA_vcenter

etc/deployment-apps contains the following components:

  • SA-Utils
  • SA-Hydra
  • Splunk_TA_vmware
  • Splunk_TA_vcenter
  • Splunk_TA_esxilogs
Splunk TA for VMware vCenter (Splunk_TA_vcenter) This component collects vCenter log data and forwards it to the indexer(s) in your environment. Install it on the Splunk Forwarder (UF/HF) running on your vCenter machines.
Splunk forwarder for VMware (Splunk_TA_vmware) Use this app component to create your own data collection node (DCN). It is shipped as part of the preconfigured OVA. When creating your own data collection node install it on a Splunk light forwarders or heavy forwarder on your data collection node. This app component makes API calls to vCenter to collect VMware API data and forwards that data to your Splunk indexer/search head. This data includes performance, inventory, hierarchy, and tasks and event data. API data is collected directly from vCenter. The data collection node does not make API calls to ESXi hosts.
The data collection node OVA This is the pre-configured virtual machine distributed as an OVA to collect API data from your environment. The data collection node is shipped with two default user accounts and passwords; the admin account (splunkadmin / changeme) and root (root / changemenow). We encourage you to change the passwords. To do so, see change default passwords in this topic.This is an image of a centOS virtual machine with the following apps installed on it:
  • SA-Utils
  • SA-Hydra
  • Splunk_TA_vmware
  • Splunk_TA_vcenter
Last modified on 14 May, 2014
The data we collect   How Splunk for VMware works

This documentation applies to the following versions of Splunk® App for VMware (Legacy): 3.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters