Splunk® App for VMware

Installation Guide

Download manual as PDF

This documentation does not apply to the most recent version of VMW. Click here for the latest version.
Download topic as PDF

Install the Splunk App for VMware

Versions 3.3.0 and above of the Splunk App for VMware use the Splunk OVA for VMware to create and deploy the data collection nodes (DCN), and the Splunk Add-on for VMware to manage the scheduler functionality that the Splunk App for VMware uses to collect and analyze virtual machine data. See the image to see how the Splunk App for VMware works with the Splunk OVA for VMware and the Splunk Add-on for VMware.

Follow the instructions below to install the Splunk App for VMware on your Splunk platform environment. For distributed environments, see the Install the Splunk App for VMWare in a search head cluster environment section of the Install the Splunk App for VMware section of the Splunk App for VMWare manual as reference for distributed deployments.

Install Splunk App for VMware on a full Splunk platform instance using the same user account credentials that you used to install your Splunk platform. For instructions on how to install Splunk App for VMware in a clustered indexer environment, see the Splunk platform configuration guide.


  1. Get the splunk_app_for_vmware-<version>-<build_number>.tgz and splunk_add_on_for_vmware-<version>-<build_number>.tgz files, put them in $SPLUNK_HOME/etc/apps on your Splunk platform host.
  2. Extract the Splunk App for VMware package.
    cd /opt/splunk/etc/apps
    tar xvzf splunk_app_for_vmware-*.tgz
    tar xvzf splunk_add_on_for_vmware-*.tgz
  3. Verify that you extracted all of the sub directories in the $SPLUNK_HOME/etc/apps directory.
    From tar xvzf splunk_app_for_vmware-*.tgz:
    • SA-Threshold/…
    • SA-VMW-HierarchyInventory/…
    • SA-VMW-LogEventTask/…
    • SA-VMW-Performance/…
    • splunk_for_vmware/…
    From tar xvzf splunk_add_on_for_vmware-*.tgz:
    • SA-VMNetAppUtils/…
    • SA-Hydra/…
    • Splunk_TA_vcenter/…
    • Splunk_TA_vmware/…
    • Splunk_TA_esxilogs/…
  4. (Optional) Remove the SA-VMW-Licensecheck folder from the $SPLUNK_HOME\etc\apps folder if it exists.
  5. Restart Splunk Enterprise.
    /opt/splunk/bin/splunk restart

    Install the Splunk App for VMware in a search head cluster environment

    Versions 3.2.0 and above of the Splunk App for VMware support search head cluster (SHC) environments. See the image for guidance on how the Splunk App for VMware is deployed across an SHC environment.

    Search Head Clustering VMWare3.3.0.png

    Prerequisites

    • For Search Head Clustering, you need a minimum of three instances of Splunk Enterprise to serve as search head cluster members, and one additional instance that serves as a deployer, which you use to distribute apps and updated configurations to the cluster members.
    • The data collection node (DCN) scheduler must be deployed on a dedicated search head, and not on any individual search head in the SHC.
    • Each search head cluster member should be fresh install of Splunk and not re-purposed splunk instance.
    • You migrated your settings from a Search Head Pool to a Search Head cluster. See Migrate from a search head pool to a search head cluster in the "Splunk Enterprise Distributed Search Manual".
    • You have a licensed version of Splunk Enterprise installed and running in your environment.
    • You have access to the Splunk App for VMware and permission to install it.
    • You have configured your deployment's Data Model properties, located in datamodels.conf on your indexers. See Upgrade from tsidx namespaces to data model acceleration to learn more.
    • You must use the search head cluster deployer to distribute your configurations across your set of search head cluster members.

    Install the Splunk App for VMware in a search head cluster environment

    1. Take the files splunk_app_for_vmware and splunk_add_on_for_vmware that you downloaded from Splunkbase and put in a temporary directory. This avoids overriding critical files.
      cp splunk_app_for_vmware-<version>-<build_number>.tgz /tmp
      cp splunk_add_on_for_vmware-<version>-<build_number>.tgz /tmp
    2. Change to the /tmp directory, and extract the app and add-on packages.
      cd /tmp
      tar xvzf splunk_app_for_vmware-<version>-<build_number>.tgz
      tar xvzf splunk_add_on_for_vmware-<version>-<build_number>.tgz
    3. Copy the unzipped files and move into your deployer's apps folder inside the shcluster folder.
      cp -r * $SPLUNK_HOME/etc/shcluster/apps/
    4. Verify that all of the apps and the subdirectories were copied correctly and reside in the $SPLUNK_HOME/etc/shcluster/apps folder.
      • Splunk_TA_vmware
      • Splunk_TA_vcenter
      • SA-VMNetAppUtils/
      • SA-Hydra/
      • SA-Threshold/
      • SA-VMW-HierarchyInventory/
      • SA-VMW-LogEventTask/
      • SA-VMW-Performance/
      • splunk_for_vmware/
    5. On your deployer, deploy the Splunk App for VMware app onto any member of your SHC.
      ./splunk apply shcluster-bundle -target <URI>:<management_port> -auth <username>:<password>
    6. Restart Splunk in each of the locations where you installed the app.

    Distributed deployment component reference table

    The tables display and describe the individual components of a distributed deployment of the Splunk App for VMware. Refer to these tables to install the Splunk App for VMware on your distributed deployment.

    Learn More

PREVIOUS
Installation overview
  NEXT
Configure license

This documentation applies to the following versions of Splunk® App for VMware: 3.3.2


Was this documentation topic helpful?

Enter your email address, and someone from the documentation team will respond to you:

Please provide your comments here. Ask a question or make a suggestion.

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters