Splunk® App for VMware (Legacy)

Configuration Guide

On August 31, 2022, the Splunk App for VMware will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for VMware Dashboards and Reports.

Deploy Splunk App for VMware in an indexer cluster deployment

An indexer cluster is a group of of Splunk platform indexers configured to replicate each others' data so that the system keeps multiple copies of all of the data. This process is known as index replication. Cluster deployments promote disaster recovery as they maintain multiple, identical copies of the data. This deployment also promotes high availability of the data for searching.

An overview of indexer clusters

An indexer cluster contains the following nodes:

  • A single master node to manage the cluster. The master node is a special type of indexer.
  • Several peer nodes that handle the indexing function for the cluster, indexing and maintaining multiple copies of the data and running searches across the data.
  • One or more search heads to coordinate searches across all of the peer nodes.

There are additional configuration steps, beyond what's needed for a stand-alone indexer, for setting up a cluster. See "About clusters and index replication" in Managing Indexers and Clusters.

Before you set up an indexer cluster, see "Key differences between clustered and non-clustered deployments".

Configure an indexer cluster for Splunk App for VMware

When you configure an indexer cluster for Splunk App for VMware, you add indexes to make VMware data available to the cluster. Splunk App for VMware uses the "_internal" and the "_audit" indexes by default.

Note: To add a new index to a cluster, edit the indexes.conf file. You cannot add an index using Splunk Web or the CLI. See "Configure the peer indexes".

Before you configure a cluster for Splunk App for VMware, make sure that your environment meets the following requirements:

  • Your environment has at least one deployed indexer cluster. See "Deployment overview".
  • Apps are distributed across all of the peers in your environment. See "How to distribute apps to all the peers".
  • The Splunk App for VMware and the Splunk Add-on for VMware are installed on your search heads. Your master node contains the SA-VMWIndex, Splunk_TA_esxilogs and Splunk_TA_vcenter under $SPLUNK_HOME/etc/master-apps, and are pushed to your indexer in $SPLUNK_HOME/etc/slave-apps.
  • Delete Splunk_TA_vmware, SA-VMWNetAppUtils from the master-apps directory before issuing the "apply cluster-bundle command". Splunk_TA_vmware, SA-VMWNetAppUtils, and SA-Hydra are not required to be pushed to indexer peers from the master node.
  • The master node, the peer nodes, and the search head for a clustered environment are enabled.

Configure indexer cluster

  1. Determine which replication factor you want to implement. The replication factor is the number of copies of raw data that the cluster maintains. It must be less than or equal to the number of search peers, which are also called slave nodes.
  2. On the master node in $SPLUNK_HOME/etc/master-apps/SA_VMWIndex/default/indexes.conf the file has definitions for indexes: vmware-perf, vmware-inv, vmware-taskevent, vmware-vclog, vmware-esxilog and the repFactor attribute set to auto for each index. This attribute enables the index data to be replicated to other peers in the cluster.
  3. On the master node, log in to Splunk Web or use the CLI.
  4. Distribute the configuration bundle to the search peers in $SPLUNK_HOME/etc/master-apps.
  5. Distribute apps to all peers and share them across the cluster.
    1. Add each app under $SPLUNK_HOME/etc/master-apps/<app-name>.
    2. Distribute the following Splunk Add-on for VMware components to all search peers.
    3. On the search peers, verify that the app files exist in $SPLUNK_HOME/etc/slave-apps/<app_name>. See How to distribute apps to all peers.

After you set up the cluster for Splunk App for VMware, set up the data collection nodes. Review the data collection nodes and verify that the VMware data is forwarded to the indexers in the cluster.

After you configure the indexers and data collection nodes for Splunk App for VMware in a cluster, log in to Splunk Web on the scheduler to view the Splunk Add-on for VMware Collection Configuration dashboards.

Learn More

See Deploy a cluster in the Splunk Indexer manual for more information on cluster deployment.

Sharing apps in a cluster

The master node distributes new or edited configuration files or apps across all the peers.

For example, to share a saved search across the peer nodes, add the saved search to $SPLUNK_HOME/etc/master-apps/<app-name>/. Update the savedsearches.conf file. Log in to Splunk Web on the cluster master and push the configuration bundle. After you update savedsearches.conf, view the apps in $SPLUNK_HOME/etc/slave-apps/<app-name>/.

See "Update common peer configurations and apps" for more information on sharing apps in a cluster.

Managing configuration changes

After you distribute the set of peers to Splunk App for VMware, launch and manage Splunk App for VMware on each peer with Splunk Web. See "Managing app configurations and properties" in the Splunk Enterprise Admin Manual.

Last modified on 13 April, 2022
Enable Data model acceleration and use data models   Manage data collection

This documentation applies to the following versions of Splunk® App for VMware (Legacy): 4.0.4

Was this topic useful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters