Splunk® App for VMware (Legacy)

Installation Guide

On August 31, 2022, the Splunk App for VMware will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for VMware Dashboards and Reports.
This documentation does not apply to the most recent version of Splunk® App for VMware (Legacy). For documentation on the most recent version, go to the latest release.

Upgrade to Splunk App for VMware 3.4.1

Step 1: Download the files from Splunkbase

  1. Download the Splunk App for VMware version 3.4.1 from Splunkbase to a location in your environment.
  2. Download the Splunk Add-on for for VMware version 3.4.1 from Splunkbase to a location in your environment.
  3. Download the Splunk OVA for VMware version 3.4.1 from Splunkbase to a location in your environment.

Step 2: Upgrade scheduler

Note: Make sure splunk_vmware_admin role has admin_all_objects capability.

  1. Stop your Scheduler. You can do this by stopping the Splunk platform on your Splunk search head, or you can stop the scheduler in the Collection Configuration page of your deployment.
  2. Overwrite splunk_TA_vmware, SA-Hydra and SA-VMNetAppUtils on your scheduler with new versions.
  3. Delete splunk_for_vmware, Splunk_TA_esxilogs, Splunk_TA_vcenter, SA-VMW-Performance, SA-VMW-LogEventTask, SA-VMW-HierarchyInventory from your scheduler.
  4. (Optional) If you are using your scheduler to collect data and want to keep the Splunk App for VMware running, then install and upgrade all app components.

Step 3: Upgrade forwarder (DCN)

Note: Make sure splunk_vmware_admin role has admin_all_objects capability.

  1. Verify that your DCN components are the same as the components on your vCenter.
  2. (Optional) If your DCN is on version 6.2.x or earlier, upgrade your DCN's Splunk platform to version 6.3.0 and higher.
  3. Overwrite versions of Splunk_TA_vmware, SA-Hydra, SA-VMNetAppUtils and Splunk_TA_esxilogs on each data collection node with new versions.

Step 4: Upgrade indexer

  1. Enable maintenance mode on cluster master node.
  2. Navigate to the apps folder for your deployment (etc/apps for non-indexer cluster deployments, and etc/master-apps for indexer clustering deployments) and overwrite splunk_TA_vmware, splunk_TA_esxilogs, splunk_TA_vcenter on the cluster master node with new versions.
  3. Remove inputs.conf from your default folder and inputs.conf.spec which located in the README file of the Splunk Add-on for VMware download.
  4. Remove SA-Hydra and SA-VMNetAppUtils, if present.
  5. For indexer clustering, verify indexes.conf is present in etc/master-apps/_cluster/local. Create an indexes.conf if it does not exist.
  6. For indexer clustering, define all app indexes by adding the below specific index stanzas to your indexes.conf in your etc/master-apps/_cluster/local folder:
    [vmware-esxilog]
    repFactor = auto
    homePath = $SPLUNK_DB/vmware-esxilog/db
    coldPath = $SPLUNK_DB/vmware-esxilog/colddb
    thawedPath = $SPLUNK_DB/vmware-esxilog/thaweddb
    
    [vmware-vclog]
    repFactor = auto
    homePath = $SPLUNK_DB/vmware-vclog/db
    coldPath = $SPLUNK_DB/vmware-vclog/colddb
    thawedPath = $SPLUNK_DB/vmware-vclog/thaweddb
    
    [vmware-perf]
    repFactor = auto
    homePath = $SPLUNK_DB/vmware-perf/db
    coldPath = $SPLUNK_DB/vmware-perf/colddb
    thawedPath = $SPLUNK_DB/vmware-perf/thaweddb
    
    [vmware-inv]
    repFactor = auto
    homePath = $SPLUNK_DB/vmware-inv/db
    coldPath = $SPLUNK_DB/vmware-inv/colddb
    thawedPath = $SPLUNK_DB/vmware-inv/thaweddb
    
    [vmware-taskevent]
    repFactor = auto
    homePath = $SPLUNK_DB/vmware-taskevent/db
    coldPath = $SPLUNK_DB/vmware-taskevent/colddb
    thawedPath = $SPLUNK_DB/vmware-taskevent/thaweddb
    
  7. Verify repFactor=auto is set for all indexes.
  8. Push configuration bundle from cluster master node.

Step 5: Upgrade search head

Note: Make sure splunk_vmware_admin role has admin_all_objects capability.

  1. Upgrade all the components on search head deployer. (Components are located in etc/apps for non-search head cluster deployments, and etc/shcluster/apps for search head clustering deployments.)
  2. For search head cluster deployments, delete savedsearches.conf and tsidx_retention.conf from shcluster/apps/SA-VMW-Performance/default/ on your deployer before applying the upgrade bundle.
  3. For search head clustering, push app bundle from deployer. The deployer will restart all the search head cluster members after the upgrade is applied. If deployer does not restart the search head cluster members, perform a rolling restart.

Step 6: Upgrade the forwarder on your vCenter

  1. Stop your Splunk forwarder.
  2. On your vCenter server, navigate to splunkforwarder/etc/apps, and overwrite Splunk_TA_vcenter.
  3. Delete your local directory.
  4. Copy inputs.conf to local and enable stanza as per the vCenter server in this environment.
  5. Confirm under etc/system/local/output.conf, server entries to forward vclogs are present.
  6. Restart your forwarder.

Note: If you forward logs directly to Splunk indexes, or use an intermediate syslog forwarder, you do not need to set the inputs for vCenter logs.

Step 7: Start the scheduler

  1. Navigate to the Collection Configuration page of the Splunk Add-on for VMware on your scheduler.
  2. Start your scheduler.

Validate the Splunk App for VMware upgrade on your search head

Validate that you correctly upgraded the Splunk App for VMware to the latest version and that the app can collect data.

  1. Log in to the Splunk App for VMware on your search head.
  2. When the app displays the Splunk for VMware Setup page, select the Delete all deprecated Add-ons checkbox under Disable/delete old add-ons. The app removes all legacy add-ons from the installation. This removes saved searches of SA-VMW-Performance that are no longer in use.
  3. Save your configurations, and restart your Splunk platform deployment.

Manually remove legacy add-ons

If you launched Splunk App for VMware but did not check Delete all deprecated Add-ons on the setup page, you can manually remove the legacy add-ons from your installation.

  1. Stop the Splunk platform on your search head.
  2. Delete the hydra_job.conf file in the $SPLUNK_HOME/etc/apps/Splunk_TA_vmware/local folder on the Splunk Search head.
  3. Remove the SA-VMW-Licensecheck folder from the $SPLUNK_HOME/etc/apps folder on your Splunk search head. Do this for each server upon which you installed the Splunk App for VMware.
  4. The below table shows the specific legacy add-ons, located in the $SPLUNK_HOME/etc/apps/Splunk_TA_vmware/local folder of the Splunk App for VMware, to delete when upgrading:
    • DA-VMW-HierarchyInventory
    • DA-VMW-LogEventTask
    • DA-VMW-Performance
    • SA-VMW-Licensecheck
  5. Restart your Splunk platform.

Additional information

See "Platform and Hardware Requirements" in this manual for supported Splunk platform versions for this release. See "How to upgrade Splunk Enterprise" to upgrade to a new version of the Splunk platform.

For information on upgrading from tsidx namespaces to data model acceleration, see the "Upgrade from tsidx namespaces to data model acceleration" section of the troubleshooting section of this manual.

Last modified on 12 June, 2018
Troubleshoot Splunk App for VMware  

This documentation applies to the following versions of Splunk® App for VMware (Legacy): 3.4.1


Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters