Splunk App for VMware Architecture
This topic describes the technologies that work together to enable the Splunk App for VMware to bring you value through your data. The app uses Splunkd to index and process your data and the SplunkWeb application server to enable you to search and navigate your data using the Splunk App for VMware components (knowledge objects, saved searches, dashboards). The app unlocks the true value in your IT data and maps it to the dashboards.
To collect API data, you need a Splunk indexer/search head with the Splunk App for VMware apps installed on it. This includes the main app, the technology add-ons, and the support add-ons. You also need the scheduling components (usually installed on the indexer/search head) that manage and orchestrate data collection tasks for the API data. The Distributed Collection Scheduler works with the data collection nodes.
The data collection nodes make the API calls to collect the data from your VMware vSphere environment. The data collection node is a light forwarder or heavy forwarder with certain app components installed on it. These app components are available as part of the splunk_forwarder_vmware download (Splunk_TA_vmware, SA-Hydra, SA-Utils, Splunk_TA_esxilogs). Download this package if you want to build your own data collection node. The data collection nodes run worker processes that retrieve the data. These worker processes are implemented as modular inputs.
- Splunk_TA_vmware is the data collection component of the data collection node.
- SA-Utils contains the support files for SA-Hydra and Splunk_TA_vmware.
- SA-Hydra runs the worker processes on the data collection node.
- Splunk_TA_esxilogs collects log data from your ESXi log hosts.
The data collection node sends data to your indexers only after the Distributed Collection Scheduler is turned on and configured to start data collection.
App components
Component name | Description |
---|---|
Splunk App for VMware | This component contains the user interface components and knowledge objects of the app. Install it on the indexers and search heads in your VMware vSphere environment. |
Splunk TA for VMware vCenter (Splunk_TA_vcenter) | This component collects vCenter log data and forwards it to the indexer(s) in your environment. Install it on a universal forwarder or heavy forwarder running on your vCenter machines. |
Splunk forwarder for VMware (Splunk_TA_vmware, SA-Hydra, SA-Utils, Splunk_TA_esxilogs) | Use this app component to create your own data collection node (DCN). It is shipped as part of the preconfigured OVA. This app component makes API calls to VMware vCenter to collect VMware API data directly from the VMware vCenter. It forwards the data to your indexer/search head. This data includes performance, inventory, hierarchy, and tasks and event data. The data collection nodes do not make API calls to ESXi hosts. |
Impact on vCenter Server
The data collection requirements of the Splunk App for VMware cause a 2% to 5% increase in vCenter Server CPU utilization. This was tested in an environment set up with 300 hosts per vCenter server. The performance results depend on the number of entities you collect data from on a vCenter. This is a manageable and expected increase in CPU utilization. The increase in VMware vCenter Server CPU utilization (resulting from the data collection activities of the Splunk App for VMware) correlates with the processing of jobs run by the Distributed Collection Scheduler to support Splunkd, the Splunk Python process, and other miscellaneous system operations.
This documentation applies to the following versions of Splunk® App for VMware (Legacy): 3.1