Get a collection node
To collect data from your VMware environment you can either:
- Use the virtual machine created by Splunk and distributed as an Open Virtual Appliance (OVA) file. See the instructions in "Use the Splunk for VMware OVA" in this manual.
- You can create your own data collection node using the components we provide. See the instructions in "Create your own data collection node" in this manual.
Note: If the Splunk App for NetApp Data ONTAP version 2.0.1 or above is installed in your environment, get the latest SA-Hydra and SA-Utils version from the Splunk App for Vmware 3.0.2 or above and overwrite the existing versions of SA-Hydra and SA-Utils on the NetApp ONTAP data collection node. The data collection node is not automatically updated when you install the latest version of the Splunk App for VMware.
Use the Splunk for VMware OVA
To deploy the the data collection node into your VMware vSphere environment:
- On your Windows machine, open the vSphere client and log into vCenter Server.
- Invoke the OVA template wizard. Click File > Deploy OVF Template.
- In the Deploy OVF Template wizard click Deploy from a file or URL, then click Browse…
- Browse to the location of your OVA file,
splunk_data_collection_node_for_vmware_<version>-<build_number>.ova
, then click Next.- Note: You can not download the file directly from the URL. Splunk Apps requires that you be authenticated via a supported web browser before you begin your download.
- Review the OVF template details, then click Next
- In the Name and Location screen provide a new name for the node virtual machine. (You can use the default name, if you want.)
- Select a data center or folder as the deployment destination for the node virtual machine, then click Next.
- On the Host / Cluster screen, select the specific host or cluster where you would like to run the node virtual machine, then click Next.
- In the Datastore screen, choose the datastore where you want the virtual machine and its filesystem to reside. The datastore can be from 4GB to 10GB. Click Next.
- On the Disk Format screen, select either Thin or Thick Provisioning, then click Next. We recommend thick provisioning.
- On the Network Mapping screen, to specify the networks that you want the deployed template to use. Use the Destination Networks menu to map your data collection node
.ova
template to one of the networks in your inventory. - Validate your selections in the Ready to complete dialog, then select Next to begin deployment.
- Once deployed, click Close to complete the installation and exit the wizard.
- Resource your virtual machine according to the specifications in Splunk data collection node resource requirements.
- Locate the collection node virtual machine in the vSphere Client tree view.
- Right-click on the collection node virtual machine and choose Power > Power On from the menu to start the virtual machine. When you power on the data collection node, Splunk starts automatically even though the VMware data collection mechanism is not configured. By default, the node virtual machine boots and gets its network settings via DHCP. You can keep this default setting or you can set a static IP address. If you use DHCP, check the Summary tab in the vSphere client to get the IP address of the node virtual machine.
- To ssh into the data collection node use the default username and password (
splunkadmin/ changeme
). You automatically land in/home/splunkadmin
. - Splunk 6.0.1 is installed in
/home/splunkadmin/opt
. - Set up forwarding to the port on which the Splunk indexer(s) is configured to receive data. See "Set up forwarding and receiving" in the Forwarding Data manual.
- The default password for Splunk's admin user is
changeme
. To access splunkd on this forwarder from the scheduler, change the default password. You can do this on the command line as follows:
Create your own data collection node
You can build a data collection node and configure it specifically for your environment. Create and configure this data collection node on a physical machine or as a virtual machine image to deploy into your environment using vCenter.
Build a data collection node
Whether you build a physical data collection node or a data collection node virtual machine, follow the steps below. To build a data collection node virtual machine, follow the guidelines set by VMware to create the virtual machine and to deploy it in your environment.
To build a data collection node:
- Install a CentOS or RedHat Enterprise Linux version that is supported by Splunk version 6.0.1 or later.
- Install Splunk version 6.0.1 or later configured at a minimum as a light forwarder (Python is required). Note you can not use a Splunk universal forwarder.
- Install
splunk_forwarder_for_vmware-<version>-<build_number>.zip
. Get the filesplunk_forwarder_for_vmware-<version>-<build_number>.zip
from the download package and put it in$SPLUNK_HOME
. - Unzip this file (the data collection node components) from
$SPLUNK_HOME
. It automatically unzips into the$SPLUNK_HOME/etc/apps
directory. - Check that the data collection components SA-Utils, SA-Hydra, Splunk_TA_vmware, and Splunk_TA_esxilogs exist in
/etc/apps
. - Check that the firewall ports are enabled. The data collection node communicates, by default, with splunkd on port 8089. It communicates with the scheduling node, by default on port 8008. These are the default ports. For more information on configuring firewall ports, see "Network settings" in this manual.
- After deploying the collection components, add the forwarder to your Distributed Collection Scheduler's configuration. See "Collect data from your environment" in this manual.
- For system compatibility information, see "Splunk data collection node resource requirements" in this manual.# Set up forwarding to the port on which the Splunk indexer(s) is configured to receive data. See "Set up forwarding and receiving" in the Forwarding Data manual.
- The default password for Splunk's admin user is
changeme
. For accessing splunkd on this forwarder from scheduler, you must change the password. You can use the following CLI for this forwarder.
Turn on troubleshooting logs
To assist in troubleshooting data collection issues, turn on logging on the data collection node when you first create the node. The data collected does not count against your Splunk license.
On your Data collection node:
- Create a local directory under SA-Hydra (
SA-Hydra/local
). - Copy the
outputs.conf
file fromSA-Hydra/default/outputs.conf
toSA-Hydra/local/outputs.conf
. - Edit the local
outputs.conf
file to uncomment the following lines:[tcpout]
forwardedindex.3.whitelist = _internal
Download the Splunk App for VMware from Splunk Apps | Configure Operating System properties |
This documentation applies to the following versions of Splunk® App for VMware (Legacy): 3.1
Feedback submitted, thanks!