Splunk® App for VMware (Legacy)

Configuration Guide

On August 31, 2022, the Splunk App for VMware will reach its end of life. After this date, Splunk will no longer maintain or develop this product. The functionality in this app is migrating to a content pack in Data Integrations. Learn about the Content Pack for VMware Dashboards and Reports.

Filter log data collection

You can filter vCenter Server log data and ESXi log data using nullqueue. nullQueue discards the data when TA-vmware receives it from the vCenter Server forwarder. Adjust the content of props.conf to filter data to reduce the volume of data you are indexing. The content in props.conf works with the content in transforms.conf to route sourcetypes to nullQueue; transforms.conf performs the actual routing.


Filter vCenter server log data example

1. To filter vCenter Server log data, locate the props.conf file for Splunk_TA_vcenter on the universal or heavy forwarder on the vCenter Server. You need to find the props.conf that exists on the forwarder or indexer that parses events.

  • If the forwarder on the vCenter Server is a heavy forwarder, open its props.conf for editing.
  • If the forwarder on the vCenter Server is a universal forwarder, find the heavy forwarder operating as an intermediate forwarder, or the indexer that parses events, then open its props.conf for editing.

2. In the props.conf file, uncomment the transforms-routing attributes which determine how to route the vpxd events.

For sourcetype = vmware:vclog:vpxd, uncomment as per the following: 

#TRANSFORMS-null1 = vmware_vpxd_level_null
#TRANSFORMS-null4 = vmware_vpxd_retrieveContents_null
#TRANSFORMS-null5 = vmware_vpxd_null


For sourcetype = vmware:vclog:vpxd-alert, uncomment as per the following: 

#TRANSFORMS-null2 = vmware_vpxd_level_null,vmware_vpxd_level_null2


For sourcetype = vmware:vclog:vpxd-profiler, uncomment as per the following: 

#TRANSFORMS-null3 = vmware_vpxd_level_null,vmware_vpxd_level_null2

Filter ESXi logs example

This example filters ESXi logs to send events with sourcetype=vmware:esxlog:sfcb-vmware to nullqueue.

1. To filter ESXi logs, locate and open the props.conf file for Splunk_TA_esxilogs on the intermediate forwarder for syslog data. You need to find the props.conf that exists on the forwarder or indexer that parses events.

  • If the syslog forwarder is a heavy forwarder, open its props.conf for editing.
  • If the syslog forwarder is a universal forwarder operating as an intermediate forwarder, find the heavy forwarder or the indexer that parses events, then open its props.conf for editing.

2. In the props.conf file, create an entry as per the following: 

[vmw-syslog]
TRANSFORMS-z_nullqueue = sfcb_to_null

3. Locate and open the transforms.conf for Splunk_TA_esxilogs.

4. Splunk Enterprise filters data based on sourcetype at index time. To filter the data by sourcetype, create an entry as per the following: 

[sfcb_to_null]
SOURCE_KEY = MetaData:Sourcetype
REGEX = vmware:esxlog:sfcb-vmware
DEST_KEY = queue
FORMAT = nullQueue

The transform routes the syslog events based on the string sfcb-vmware in a syslog event.


For more information on nullQueue, see Filter event data and send it to queues.

Last modified on 13 April, 2022
Manage data collection   Configure performance metrics collection

This documentation applies to the following versions of Splunk® App for VMware (Legacy): 4.0.4

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters