Splunk® App for VMware (Legacy)

Installation and Configuration Guide



On August 31, 2022, the Splunk App for VMware will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for VMware Dashboards and Reports.
This documentation does not apply to the most recent version of Splunk® App for VMware (Legacy). For documentation on the most recent version, go to the latest release.

The data we collect

What data can I get

The vCenter Server database contains many different types of data about the virtual environment. It stores information about the managed entities (for example, data center, cluster, host, virtual machine, and so on), about the relationships between the objects in the environment (how they are physically arranged and managed in relation to one another), and performance data for specific inventory objects. This is just some of the information that is stored. The database also contains performance statistics for virtual machines and hosts. vCenter logs contain basic information about vCenter and the database. Logs for other components are not on the vCenter server. The Splunk App for VMware collects data from these resources and maps it to the Splunk App for VMware, enabling you to explore and work with the data in the ways you want.

Data collection from vCenter Server is managed by the Distributed Collection Scheduler. The exception to this is the collection of syslog data from hosts and the collection of vCenter log data.

CIM compliance

The Splunk App for VMware complies with the Common Information Model (CIM). See "Understand and use the Common Information Model" in the Knowledge Manager Manual. CIM is a system for categorizing data from different sources and across different domains. CIM provides a standard for getting data into Splunk so that the data can be accurately reported and correlated. The Splunk App for VMware implements the Common Information Model to apply a search time schema to IT data, incorporate it in the dashboards, and correlate it across different source types and domains.

The CIM identifies which fields must be present in the data for the dashboards to work, and which tags need to be assigned to the data for the process to work correctly. The Splunk App for VMware now supports the following event categories in the CIM:

  • Alerts
  • Authentication
  • Change Analysis
  • Compute Inventory
  • Performance

For information about the fields in these event categories, see "Standard fields and event category tags" in the Splunk Knowledge Manager Manual.

When you add sourcetypes for your data to the Splunk App for VMware, see the Splunk Enterprise CIM documentation to ensure that you follow the requirements for data processing to CIM standards.

The data we collect

The following VMware environment data types are collected by the Splunk App for VMware:

| Data source | Data type | Description |
|---|---|---|
| API | Inventory data | This data is collected from the vCenter Server and contains information about specific inventory objects in vSphere, such as properties. This includes managed entities, which are top-level inventory objects (such as data center, cluster, host, virtual machine, and so on), inventory "sub-components" (such as vNICs, vHBAs, and so on), and other useful data (for example, software components and version information). |
| API | Hierarchy data | This is information about the relationships between the different inventory object types and how they are structured hierarchically in vSphere for management purposes. Hierarchy information is represented as a “tree view” on the left side of the “Host and Clusters” view (or "Inventory" view) in the vSphere Client, when pointed at a vCenter Server (or at an individual ESX/i host). It mainly contains the relationships between top-level inventory objects (known as “managed entities”). It does not contain information about the inventory objects themselves. |
| API | Performance data | Performance data is collected from the ESX and ESX/i hosts. There are several major categories of performance data including CPU, memory, network, and storage. Performance data can be found in the "Performance" tab of the vSphere Client when pointed at a vCenter Server or at an individual ESX/i host. |
| API | Tasks data | Tasks data is collected from vCenter. Tasks are actions that you perform in the system, such as creating a virtual machine or powering down a host. In the vSphere Client (when pointed at a vCenter Server or at an individual ESX/i host) you can look at the Recent tasks panel and you can see a task history on the Tasks & Events tab. |
| API | Events data | Event data is collected from vCenter. This data contains notifications of things that happen in the system either as a result of tasks or of ongoing operations. These are also called VMware events so as not to confuse them with Splunk events (the data that Splunk captures and makes searchable from any source, not just VMware). You can find VMware event histories in the "Tasks & Events" tab of the vSphere Client when pointed at a Virtual Center or at an individual ESX/i host. |
| logs on vCenter | vCenter logs | These are log files generated by the vCenter Server. This log data from vCenter is collected using the Splunk for vCenter add-on. |
| syslog | ESX/i Server logs | These are log files generated by the ESXi hosts. This data is collected by configuring the ESX/i hosts to send the logs to a syslog server or to an intermediate forwarder. |

Last modified on 05 April, 2014

This documentation applies to the following versions of Splunk® App for VMware (Legacy): 3.1

