Set up a data collection node
To collect data from your VMware vSphere environment with Splunk App for VMware, download and install the Splunk OVA for VMware from Splunkbase and choose one of the data collection node options.
- Use the Data Collection Node OVA. See "Size and deploy the Data Collection Node OVA" in the Installation Guide.
- Build a data collection node. See the build a data collection node section below.
Note: If the Splunk App for NetApp Data ONTAP version 2.0.1 or above is installed in your environment, get the latest SA-Hydra and SA-Utils version from the Splunk Add-on for VMware 3.3.0 or above and overwrite the existing versions of SA-Hydra and SA-Utils on the NetApp ONTAP data collection node. The data collection node is not automatically updated when you install the latest version of the Splunk App for VMware.
Data collection node requirements
A data collection node requires four virtual cores to collect data from approximately 40 ESXi hosts.
Your system must meet the following requirements.
- Four cores. 4 vCPUs or 2 vCPUs with two cores with a reservation of 2GHz.
- 6GB memory with a reservation of 1 GB.
- 10-12GB of disk space.
You can build a data collection node and configure it for your environment. Create and configure this data collection node on a physical machine or as a virtual machine image to deploy into your environment using vCenter.
Build a data collection node
To build a data collection node virtual machine, follow the guidelines set by VMware to create the virtual machine and to deploy it in your environment.
- Install a CentOS or RedHat Enterprise Linux version that is compatible with Splunk Enterprise version 6.0.1 or later.
- Install Splunk Enterprise version 6.2.0 or later, and configure it as a heavy forwarder. Note: You cannot use a universal forwarder because it lacks the necessary Python libraries.
- Download the Splunk_add-on_for_vmware-<version>-<build_number>.tgz file from Splunkbase.
- Copy the file Splunk_add-on_for_vmware-<version>-<build_number>.tgz from the download package to $SPLUNK_HOME/etc/apps.
- Extract the file splunk_add_on_for_vmware-<version>-<build_number>.tgz from $SPLUNK_HOME/etc/apps.
- Verify that the data collection components SA-Utils, SA-Hydra, Splunk_TA_vmware, and Splunk_TA_esxilogs exist in $SPLUNK_HOME/etc/apps.
- Verify that the firewall ports are correct. The DCN communicates with splunkd on port 8089. The DCN communicates with the scheduler node on port 8008.
- After deploying the collection components, add the forwarder to your scheduler's configuration. To do this, see Add, edit, or delete a data collection node in this manual.
- Change the Splunk administrator account password or set allowRemoteLogin = always in server.conf. The default credentials for the Splunk user are admin/changeme. To access splunkd on this forwarder from the scheduler, change the password. Use the following command for this forwarder:
  ./splunk edit user admin -password 'newpassword' -role admin -auth admin:changeme
Set up forwarding to the same port that the Splunk indexer uses. See "Use forwarders to get data in" in the Splunk Enterprise Forwarding Data manual.
Enable troubleshooting logs
After you create a data collection node, enable logging to troubleshoot DCN issues. Enabling this type of logging on the DCN does not contribute to the indexing tally on your Splunk Enterprise license.
- On your DCN, in $SPLUNK_HOME/etc/apps/SA-Hydra, create a directory called local.
- Copy the outputs.conf file from SA-Hydra/default, then paste it into the .../SA-Hydra/local directory.
- Open the SA-Hydra/local/outputs.conf file.
- Convert the following lines from comments into code:
[tcpout]
forwardedindex.3.whitelist = _internal
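The shell functions below are an added example, not part of the Splunk documentation or Splunk's own tooling. They check the outcome of the build steps and the troubleshooting-log steps above: that the four data collection components are in place, whether any server.conf enables allowRemoteLogin = always, and whether the two outputs.conf lines are uncommented. The function names and the choice to scan every server.conf under etc/ are assumptions of this example.

```sh
#!/bin/sh
# Added example, not Splunk tooling: file-level audit of a DCN build.
# Assumes the $SPLUNK_HOME layout described on this page. It only reads
# files; `splunk btool` shows the merged, effective configuration.

# 0 if SA-Utils, SA-Hydra, Splunk_TA_vmware and Splunk_TA_esxilogs all exist.
dcn_components_ok() {
    rc=0
    for app in SA-Utils SA-Hydra Splunk_TA_vmware Splunk_TA_esxilogs; do
        if [ ! -d "$1/etc/apps/$app" ]; then
            echo "missing component: $app"
            rc=1
        fi
    done
    return $rc
}

# 0 unless a server.conf under etc/ has an active allowRemoteLogin = always,
# the page's alternative to changing the default admin password.
dcn_remote_login_ok() {
    pat='^[[:space:]]*allowRemoteLogin[[:space:]]*=[[:space:]]*always[[:space:]]*$'
    hits=$(find "$1/etc" -name server.conf -exec grep -lE "$pat" {} + 2>/dev/null || true)
    if [ -n "$hits" ]; then
        echo "allowRemoteLogin = always found in: $hits"
        return 1
    fi
    return 0
}

# 0 if SA-Hydra/local/outputs.conf has both troubleshooting lines uncommented.
dcn_troubleshooting_logs_on() {
    f="$1/etc/apps/SA-Hydra/local/outputs.conf"
    [ -f "$f" ] || return 1
    grep -qE '^[[:space:]]*\[tcpout\]' "$f" &&
        grep -qE '^[[:space:]]*forwardedindex\.3\.whitelist[[:space:]]*=[[:space:]]*_internal' "$f"
}

# Run the checks; the return value is the number of failed checks.
# Troubleshooting logging is optional, so it is reported but not counted.
dcn_audit() {
    fails=0
    dcn_components_ok "$1" || fails=$((fails + 1))
    dcn_remote_login_ok "$1" || fails=$((fails + 1))
    dcn_troubleshooting_logs_on "$1" || echo "note: troubleshooting logs not enabled"
    return $fails
}

# Usage: sh dcn_audit.sh "$SPLUNK_HOME"
if [ -n "${1:-}" ]; then dcn_audit "$1"; fi
```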
This documentation applies to the following versions of Splunk® App for VMware (Legacy): 3.3.0