Plan your deployment
To deploy the Splunk App for VMware you must deploy the app components on a network that has access to vCenter.
App Configuration
This topic discusses the app components required to support your environment needs.
- API data collection - We recommend a ratio of 40 ESXi hosts to one data collection node (with a ratio of 25 to 30 virtual machines per host) at the recommended resources. See "Resource requirements" in this manual.
- Syslog data collection - We recommend that you have your own Syslog server to which ESXi hosts send data. Configure the Syslog server to forward data to the indexers. Alternatively you can send logs from the ESXi hosts to intermediate forwarders and then forward that data on to your indexers.
- Splunk Enterprise configuration - At expected data volumes for the Splunk App for VMware, configure your indexers appropriately. To do this, see "Introduction to capacity planning for Splunk Enterprise" and "Splunk App for VMware indexing data volumes" in this manual.
For more information on performance requirements of the Splunk App for VMware and the data collection nodes, see "Systems requirements" in this manual.
Network settings
Enable firewall ports for communication between Splunk Enterprise and various components of the Splunk App for VMware.
splunkweb and splunkd
splunkweb and splunkd both communicate with your Web browser via REpresentational State Transfer (REST):
- splunkd runs a Web server on port 8089 with SSL/HTTPS turned on by default.
- splunkweb runs a Web server on port 8000 without SSL/HTTPS by default.
When you start Splunk it checks that the firewall ports 8089 and 8000 are enabled. If the default ports are already in use (or are otherwise not available), Splunk offers to use the next available port. You can configure port settings for Splunk in the server.conf file.
Communication between the Distributed Collection Scheduler and the data collection node
The Splunk App for VMware uses the gateway, implemented as part of the scheduling framework, to allocate jobs to the data collection nodes. The scheduling node that runs the Distributed Collection Scheduler, typically on the search head, communicates with all data collection nodes over port 8008 (default setting).
In your environment, if port 8008 is used by another service, you can configure another port for communication between the data collection node and the gateway.
Data collection nodes do not all have to communicate on the same port. You can configure the port in the default stanza to implement the port change for all data collection nodes, or you can set the port on a per-stanza basis to configure the port for each data collection node individually.
To set the port for the gateway, edit the configuration settings for the port on the scheduling node (usually implemented on the search head) in $SPLUNK_HOME/etc/apps/Splunk_TA_vmware/local/hydra_node.conf.
The following is an example of the default setting for the app.
[default]
gateway_port = 8008
The hydra gateway port, default value 8008, uses the SSL certs that Splunk Web uses. Splunk Enterprise generates these SSL certs by default, but you can override them in the web.conf file. The only information that travels machine-to-machine over the gateway port is hydra job assignment, configuration, and performance information. Hydra passes no credentials or session keys for the target environment through the gateway port. Credentials pass only through the storage/passwords endpoint on splunkd on default port 8089.
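The [default] stanza and per-stanza overrides described above decide which port the scheduling node must reach on each data collection node. The following is an added example, not part of the Splunk documentation or the app's code: it resolves the effective gateway port per node from a constructed hydra_node.conf and flags ports that collide with the splunkd and splunkweb defaults named on this page. The stanza names are placeholders, and it assumes each node runs those services on their default ports.

```python
import configparser

# Default ports this page names for splunkd and splunkweb (assumed in use on each node).
RESERVED = {8089: "splunkd", 8000: "splunkweb"}

# Constructed sample of local/hydra_node.conf; stanza names are placeholders.
SAMPLE_CONF = """
[default]
gateway_port = 8008

[https://dcn1.example.com:8089]

[https://dcn2.example.com:8089]
gateway_port = 8010

[https://dcn3.example.com:8089]
gateway_port = 8089
"""

def effective_gateway_ports(conf_text):
    """Return {stanza: port}; stanzas without an override inherit [default]."""
    cp = configparser.ConfigParser(default_section="default", interpolation=None)
    cp.read_string(conf_text)
    return {s: cp.getint(s, "gateway_port", fallback=8008) for s in cp.sections()}

def audit(ports):
    """Return (stanza, port, problem) for each unusable gateway port."""
    findings = []
    for stanza, port in ports.items():
        if not 1 <= port <= 65535:
            findings.append((stanza, port, "out of range"))
        elif port in RESERVED:
            findings.append((stanza, port, "collides with " + RESERVED[port]))
    return findings

def firewall_allow_list(ports, findings):
    """Sorted (stanza, port) pairs the scheduling node must be able to reach."""
    bad = {stanza for stanza, _, _ in findings}
    return sorted((s, p) for s, p in ports.items() if s not in bad)

if __name__ == "__main__":
    ports = effective_gateway_ports(SAMPLE_CONF)
    problems = audit(ports)
    for stanza, port, why in problems:
        print("FIX   %s gateway_port=%d (%s)" % (stanza, port, why))
    for stanza, port in firewall_allow_list(ports, problems):
        print("ALLOW scheduling node -> %s on tcp/%d" % (stanza, port))
```

Run it against the real local/hydra_node.conf by passing the file's contents to effective_gateway_ports, and open only the ports in the resulting allow list.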
Storage
As with all Splunk Enterprise deployments, allocate sufficient disk space to accommodate the volume of data processed by your indexers. The Splunk App for VMware indexes approximately 300 MB per day for each ESXi host.
For more information on data storage and data volume requirements using Splunk, see "Estimate your storage requirements" in the Splunk Enterprise Capacity Planning Manual.
Licensing
You must have a Splunk Enterprise license and accept the End User License Agreement (EULA) presented for the Splunk App for VMware to work in your environment. Licensing requirements are driven by the volume of data your indexer processes. Your Splunk Enterprise license and the Splunk App for VMware license must both be larger than the volume of VMware data indexed in the Splunk App for VMware.
See "Storage considerations" above to determine your licensing volume. Contact your Splunk sales representative to purchase additional license volume or inquire about free trial licensing.
See "How Splunk licensing works" in the Splunk Admin Manual for more information about Splunk licensing.
This documentation applies to the following versions of Splunk® App for VMware (Legacy): 3.1