Splunk® App for VMware (Legacy)

Installation Guide

Acrobat logo Download manual as PDF


On August 31, 2022, the Splunk App for VMware will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for VMware Dashboards and Reports.
This documentation does not apply to the most recent version of Splunk® App for VMware (Legacy). For documentation on the most recent version, go to the latest release.
Acrobat logo Download topic as PDF

Install the Splunk App for VMware

Versions 3.3.0 and above of the Splunk App for VMware use the Splunk OVA for VMware to create and deploy the data collection nodes (DCN), and the Splunk Add-on for VMware to manage the scheduler functionality that the Splunk App for VMware uses to collect and analyze virtual machine data. See the image to see how the Splunk App for VMware works with the Splunk OVA for VMware and the Splunk Add-on for VMware.

Follow the instructions below to install the Splunk App for VMware on your Splunk platform environment. For distributed environments, see the Install the Splunk App for VMWare in a search head cluster environment section of the Install the Splunk App for VMware section of the Splunk App for VMWare manual as reference for distributed deployments.

Install Splunk App for VMware on a full Splunk platform instance using the same user account credentials that you used to install your Splunk platform. For instructions on how to install Splunk App for VMware in a clustered indexer environment, see the Splunk platform configuration guide.


  1. Get the splunk_app_for_vmware-<version>-<build_number>.tgz and splunk_add_on_for_vmware-<version>-<build_number>.tgz files, put them in $SPLUNK_HOME/etc/apps on your Splunk platform host.
  2. Extract the Splunk App for VMware package.
    cd /opt/splunk/etc/apps
    tar xvzf splunk_app_for_vmware-*.tgz
    tar xvzf splunk_add_on_for_vmware-*.tgz
  3. Verify that you extracted all of the sub directories in the $SPLUNK_HOME/etc/apps directory.
    From tar xvzf splunk_app_for_vmware-*.tgz:
    • SA-Threshold/…
    • SA-VMW-HierarchyInventory/…
    • SA-VMW-LogEventTask/…
    • SA-VMW-Performance/…
    • splunk_for_vmware/…
    From tar xvzf splunk_add_on_for_vmware-*.tgz:
    • SA-VMNetAppUtils/…
    • SA-Hydra/…
    • Splunk_TA_vcenter/…
    • Splunk_TA_vmware/…
    • Splunk_TA_esxilogs/…
    • SA-VMWIndex/…
    • TA-VMW-FieldExtractions/…
  4. (Optional) Remove the SA-VMW-Licensecheck folder from the $SPLUNK_HOME\etc\apps folder if it exists.
  5. Restart Splunk Enterprise.
    /opt/splunk/bin/splunk restart

    Install the Splunk App for VMware in a search head cluster environment

    Versions 3.2.0 and above of the Splunk App for VMware support search head cluster (SHC) environments. See the image for guidance on how the Splunk App for VMware is deployed across an SHC environment.

    Search Head Clustering VMWare3.3.0.png

    Prerequisites

    • For Search Head Clustering, you need a minimum of three instances of Splunk Enterprise to serve as search head cluster members, and one additional instance that serves as a deployer, which you use to distribute apps and updated configurations to the cluster members.
    • The data collection node (DCN) scheduler must be deployed on a dedicated search head, and not on any individual search head in the SHC.
    • Each search head cluster member should be fresh install of Splunk and not re-purposed splunk instance.
    • You migrated your settings from a Search Head Pool to a Search Head cluster. See Migrate from a search head pool to a search head cluster in the "Splunk Enterprise Distributed Search Manual".
    • You have a licensed version of Splunk Enterprise installed and running in your environment.
    • You have access to the Splunk App for VMware and permission to install it.
    • You have configured your deployment's Data Model properties, located in datamodels.conf on your indexers. See Upgrade from tsidx namespaces to data model acceleration to learn more.
    • You must use the search head cluster deployer to distribute your configurations across your set of search head cluster members.

    Install the Splunk App for VMware in a search head cluster environment

    1. Take the files splunk_app_for_vmware and splunk_add_on_for_vmware that you downloaded from Splunkbase and put in a temporary directory. This avoids overriding critical files.
      cp splunk_app_for_vmware-<version>-<build_number>.tgz /tmp
      cp splunk_add_on_for_vmware-<version>-<build_number>.tgz /tmp
    2. Change to the /tmp directory, and extract the app and add-on packages.
      cd /tmp
      tar xvzf splunk_app_for_vmware-<version>-<build_number>.tgz
      tar xvzf splunk_add_on_for_vmware-<version>-<build_number>.tgz
    3. Copy the unzipped files and move into your deployer's apps folder inside the shcluster folder.
      cp -r * $SPLUNK_HOME/etc/shcluster/apps/
    4. Verify that all of the apps and the subdirectories were copied correctly and reside in the $SPLUNK_HOME/etc/shcluster/apps folder.
      • Splunk_TA_vmware
      • Splunk_TA_vcenter
      • SA-VMNetAppUtils/
      • SA-Hydra/
      • SA-Threshold/
      • SA-VMW-HierarchyInventory/
      • SA-VMW-LogEventTask/
      • SA-VMW-Performance/
      • splunk_for_vmware/
      • SA-VMWIndex/
      • TA-VMW-FieldExtractions/
    5. On your deployer, remove the Splunk_TA_vmware and SA-VMWIndex folders from the $SPLUNK_HOME/etc/shcluster/apps/ folder and deploy the Splunk App for VMware app onto any member of your SHC.
      ./splunk apply shcluster-bundle -target <URI>:<management_port> -auth <username>:<password>
    6. Restart Splunk in each of the locations where you installed the app.

    Learn More

Last modified on 05 October, 2018
PREVIOUS
Installation overview
  NEXT
Deploy the Splunk OVA for VMware to create a Data Collection Node

This documentation applies to the following versions of Splunk® App for VMware (Legacy): 3.4.3, 3.4.4, 3.4.5


Was this documentation topic helpful?


You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters