Splunk® App for VMware (Legacy)

Installation and Configuration Guide

Acrobat logo Download manual as PDF


On August 31, 2022, the Splunk App for VMware will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for VMware Dashboards and Reports.
This documentation does not apply to the most recent version of Splunk® App for VMware (Legacy). For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Get a collection node

To collect data from your VMware environment you can either:

Note: If the Splunk App for NetApp Data ONTAP version 2.0.1 or above is installed in your environment, get the latest SA-Hydra and SA-Utils version from the Splunk App for Vmware 3.0.2 or above and overwrite the existing versions of SA-Hydra and SA-Utils on the NetApp ONTAP data collection node. The data collection node is not automatically updated when you install the latest version of the Splunk App for VMware.

Use the Splunk for VMware OVA

To deploy the the data collection node into your VMware vSphere environment:

  1. On your Windows machine, open the vSphere client and log into vCenter Server.
  2. Invoke the OVA template wizard. Click File > Deploy OVF Template.
  3. In the Deploy OVF Template wizard click Deploy from a file or URL, then click Browse…
  4. Browse to the location of your OVA file, splunk_data_collection_node_for_vmware_<version>-<build_number>.ova, then click Next.
    Note: You can not download the file directly from the URL. Splunk Apps requires that you be authenticated via a supported web browser before you begin your download.
  5. Review the OVF template details, then click Next
  6. In the Name and Location screen provide a new name for the node virtual machine. (You can use the default name, if you want.)
  7. Select a data center or folder as the deployment destination for the node virtual machine, then click Next.
  8. On the Host / Cluster screen, select the specific host or cluster where you would like to run the node virtual machine, then click Next.
  9. In the Datastore screen, choose the datastore where you want the virtual machine and its filesystem to reside. The datastore can be from 4GB to 10GB. Click Next.
  10. On the Disk Format screen, select either Thin or Thick Provisioning, then click Next. We recommend thick provisioning.
  11. On the Network Mapping screen, to specify the networks that you want the deployed template to use. Use the Destination Networks menu to map your data collection node .ova template to one of the networks in your inventory.
  12. Validate your selections in the Ready to complete dialog, then select Next to begin deployment.
  13. Once deployed, click Close to complete the installation and exit the wizard.
  14. Resource your virtual machine according to the specifications in Splunk data collection node resource requirements.
  15. Locate the collection node virtual machine in the vSphere Client tree view.
  16. Right-click on the collection node virtual machine and choose Power > Power On from the menu to start the virtual machine. When you power on the data collection node, Splunk starts automatically even though the VMware data collection mechanism is not configured. By default, the node virtual machine boots and gets its network settings via DHCP. You can keep this default setting or you can set a static IP address. If you use DHCP, check the Summary tab in the vSphere client to get the IP address of the node virtual machine.
  17. To ssh into the data collection node use the default username and password (splunkadmin/ changeme). You automatically land in /home/splunkadmin.
  18. Splunk 6.0.1 is installed in /home/splunkadmin/opt.
  19. Set up forwarding to the port on which the Splunk indexer(s) is configured to receive data. See "Set up forwarding and receiving" in the Forwarding Data manual.
  20. The default password for Splunk's admin user is changeme. To access splunkd on this forwarder from the scheduler, change the default password. You can do this on the command line as follows:
./splunk edit user admin -password 'newpassword' -role admin -auth admin:changeme

Create your own data collection node

You can build a data collection node and configure it specifically for your environment. Create and configure this data collection node on a physical machine or as a virtual machine image to deploy into your environment using vCenter.

Build a data collection node

Whether you build a physical data collection node or a data collection node virtual machine, follow the steps below. To build a data collection node virtual machine, follow the guidelines set by VMware to create the virtual machine and to deploy it in your environment.

To build a data collection node:

  1. Install a CentOS or RedHat Enterprise Linux version that is supported by Splunk version 6.0.1 or later.
  2. Install Splunk version 6.0.1 or later configured at a minimum as a light forwarder (Python is required). Note you can not use a Splunk universal forwarder.
  3. Install splunk_forwarder_for_vmware-<version>-<build_number>.zip. Get the file splunk_forwarder_for_vmware-<version>-<build_number>.zip  from the download package and put it in $SPLUNK_HOME.
  4. Unzip this file (the data collection node components) from $SPLUNK_HOME. It automatically unzips into the $SPLUNK_HOME/etc/apps directory.
  5. Check that the data collection components SA-Utils, SA-Hydra, Splunk_TA_vmware, and Splunk_TA_esxilogs exist in /etc/apps.
  6. Check that the firewall ports are enabled. The data collection node communicates, by default, with splunkd on port 8089. It communicates with the scheduling node, by default on port 8008. These are the default ports. For more information on configuring firewall ports, see "Network settings" in this manual.
  7. After deploying the collection components, add the forwarder to your Distributed Collection Scheduler's configuration. See "Collect data from your environment" in this manual.
  8. For system compatibility information, see "Splunk data collection node resource requirements" in this manual.# Set up forwarding to the port on which the Splunk indexer(s) is configured to receive data. See "Set up forwarding and receiving" in the Forwarding Data manual.
  9. The default password for Splunk's admin user is changeme. For accessing splunkd on this forwarder from scheduler, you must change the password. You can use the following CLI for this forwarder.
./splunk edit user admin -password 'newpassword' -role admin -auth admin:changeme

Turn on troubleshooting logs

To assist in troubleshooting data collection issues, turn on logging on the data collection node when you first create the node. The data collected does not count against your Splunk license.

On your Data collection node:

  1. Create a local directory under SA-Hydra (SA-Hydra/local).
  2. Copy the outputs.conf file from SA-Hydra/default/outputs.conf to SA-Hydra/local/outputs.conf.
  3. Edit the local outputs.conf file to uncomment the following lines:
    [tcpout]
    forwardedindex.3.whitelist = _internal
Last modified on 02 December, 2016
PREVIOUS
Download the Splunk App for VMware from Splunk Apps 		  NEXT
Configure Operating System properties

This documentation applies to the following versions of Splunk® App for VMware (Legacy): 3.1

Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters