Splunk® App for VMware (Legacy)

Installation and Configuration Guide



On August 31, 2022, the Splunk App for VMware will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for VMware Dashboards and Reports.
This documentation does not apply to the most recent version of Splunk® App for VMware (Legacy). For documentation on the most recent version, go to the latest release.

Plan your deployment

To deploy the Splunk App for VMware you must deploy the app components on a network that has access to vCenter.

App Configuration

This topic discusses the app components required to support your environment needs.

  • API data collection - We recommend a ratio of 40 ESXi hosts to one data collection node (with a ratio of 25 to 30 virtual machines per host) at the recommended resources. See "Resource requirements" in this manual.
  • Syslog data collection - We recommend that you have your own Syslog server to which ESXi hosts send data. Configure the Syslog server to forward data to the indexers. Alternatively you can send logs from the ESXi hosts to intermediate forwarders and then forward that data on to your indexers.
  • Splunk Enterprise configuration - At expected data volumes for the Splunk App for VMware, configure your indexers appropriately. To do this, see "Introduction to capacity planning for Splunk Enterprise" and "Splunk App for VMware indexing data volumes" in this manual.

For more information on performance requirements of the Splunk App for VMware and the data collection nodes, see "Systems requirements" in this manual.

Network settings

Enable firewall ports for communication between Splunk Enterprise and various components of the Splunk App for VMware.

splunkweb and splunkd

splunkweb and splunkd both communicate with your Web browser via Representational State Transfer (REST):

  • splunkd runs a Web server on port 8089 with SSL/HTTPS turned on by default.
  • splunkweb runs a Web server on port 8000 without SSL/HTTPS by default.

When you start Splunk it checks that the firewall ports 8089 and 8000 are enabled. If the default ports are already in use (or are otherwise not available), Splunk offers to use the next available port. You can configure port settings for Splunk in the server.conf file.

Communication between the Distributed Collection Scheduler and the data collection node

The Splunk App for VMware uses the gateway, implemented as part of the scheduling framework, to allocate jobs to the data collection nodes. The scheduling node that runs the Distributed Collection Scheduler, typically on the search head, communicates with all data collection nodes over port 8008 (default setting).

In your environment, if port 8008 is used by another service, you can configure another port for communication between the data collection node and the gateway.

The data collection nodes do not all have to communicate on the same port. You can configure the port in the default stanza to implement the port change for all data collection nodes, or you can set the port on a per-stanza basis to configure it for each data collection node individually.

To set the port for the gateway, edit the configuration settings for the port on the scheduling node (usually implemented on the search head) in $SPLUNK_HOME/etc/apps/Splunk_TA_vmware/local/hydra_node.conf. The following is an example of the default setting for the app.

[default]
gateway_port = 8008
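
The following Python sketch is an added example, not part of the Splunk App for VMware. It resolves the effective gateway_port for each data collection node stanza (the [default] value applies unless a stanza overrides it) and lists the ports to allow through the firewall for each node. The per-node stanza names (node management URIs on example.com) and the sample file contents are constructed assumptions.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample of local/hydra_node.conf on the scheduling node.
# Assumption: each data collection node stanza is named by its management URI.
SAMPLE_CONF = """
[default]
gateway_port = 8008

[https://dcn1.example.com:8089]

[https://dcn2.example.com:8089]
gateway_port = 8018
"""

DEFAULT_GATEWAY_PORT = 8008  # default gateway port named on this page
DEFAULT_SPLUNKD_PORT = 8089  # default splunkd port named on this page


def effective_gateway_ports(conf_text):
    """Return {stanza: gateway_port}; [default] applies where a stanza has no override."""
    parser = configparser.ConfigParser(default_section="default", interpolation=None)
    parser.read_string(conf_text)
    ports = {}
    for stanza in parser.sections():  # sections() excludes the [default] stanza
        port = parser.getint(stanza, "gateway_port", fallback=DEFAULT_GATEWAY_PORT)
        if not 1 <= port <= 65535:
            raise ValueError(f"{stanza}: invalid gateway_port {port}")
        ports[stanza] = port
    return ports


def firewall_checklist(ports):
    """Return sorted (host, gateway_port, splunkd_port) tuples, one per node."""
    rows = []
    for stanza, gateway in ports.items():
        uri = urlsplit(stanza)
        splunkd = uri.port or DEFAULT_SPLUNKD_PORT
        if gateway == splunkd:
            # The gateway cannot share a port with splunkd on the same node.
            raise ValueError(f"{stanza}: gateway_port {gateway} collides with splunkd")
        rows.append((uri.hostname, gateway, splunkd))
    return sorted(rows)


if __name__ == "__main__":
    for host, gateway, splunkd in firewall_checklist(effective_gateway_ports(SAMPLE_CONF)):
        print(f"{host}: allow tcp/{gateway} (hydra gateway), tcp/{splunkd} (splunkd)")
```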

The hydra gateway port, default value 8008, uses the SSL certs that Splunk Web uses. Splunk Enterprise generates these SSL certs by default, but you can override them in the web.conf file. The only information that travels machine-to-machine over the gateway port is hydra job assignment, configuration, and performance information. Hydra passes no credentials or session keys for the target environment through the gateway port. Credentials pass only through the storage/passwords endpoint on splunkd on default port 8089.

Storage

As with all Splunk Enterprise deployments, allocate sufficient disk space to accommodate the volume of data processed by your indexers. The Splunk App for VMware indexes approximately 300 MB per day for each ESXi host.

For more information on data storage and data volume requirements using Splunk, see "Estimate your storage requirements" in the Splunk Enterprise Capacity Planning Manual.

Licensing

You must have a Splunk Enterprise license and accept the End User License Agreement (EULA) presented for the Splunk App for VMware to work in your environment. Licensing requirements are driven by the volume of data your indexer processes. Your Splunk Enterprise license and the Splunk App for VMware license must both be larger than the volume of VMware data indexed in the Splunk App for VMware.

See "Storage considerations" above to determine your licensing volume. Contact your Splunk sales representative to purchase additional license volume or inquire about free trial licensing.

See "How Splunk licensing works" in the Splunk Admin Manual for more information about Splunk licensing.

Last modified on 03 November, 2014

This documentation applies to the following versions of Splunk® App for VMware (Legacy): 3.1

