This Splunk application manages VMware ESX and VMware VirtualCenter systems. It includes inputs, indexing, searches, reports and dashboards.
To install, unpack the tarball inside $SPLUNK_HOME/etc/apps. Or download the application via the Administration interface in Splunk.
The Splunk for VMware Application will get messages, config changes, etc. from both VMware ESX and VC servers.
This application supports ESX 3.5 and 3.0 as well as VirtualCenter 2.5 and 2.0.
Splunk for VMware requires a JVM (Sun Java 1.5 or later) to be installed on the same system. The environment variable JAVAHOME must be set to the directory that contains the java binary. To test whether the variable is set correctly, run the following on the command line:
On Windows:
> %JAVAHOME%\bin\java
On Linux/Unix:
> $JAVAHOME/bin/java
1) Edit the $SPLUNK_HOME/etc/apps/vmware/default/vmware.conf configuration file to point to your ESX or VC servers. If VC is in use, there is no need to specify all ESX servers under management. The application will retrieve the list of hypervisors in all datacenters from VC. The config file contains one or more [vmserver:<name>] stanzas. Any name may be used, provided it is unique.
2) Splunk config files are *not* platform independent. If the application is being used with Splunk on Windows, pathnames must use \ and not /. Please check $SPLUNK_HOME/vmware/default/inputs.conf and confirm that the first stanza uses appropriate slash format for your platform. This will be addressed in a future release of Splunk.
1) Test your configuration by running the app. It is useful to test the application outside of Splunk before starting the application inside Splunk. Please confirm that both the SPLUNK_HOME and PYTHONPATH are set for the test environment.
On Windows:
a. set SPLUNK_HOME=<your splunk dir>
b. Then, run the app by hand:
> cd %SPLUNK_HOME%\etc\apps\vmware
> java -jar lib/splunk.jar
On all other platforms:
a. export SPLUNK_HOME=<your splunk dir>
b. Then run the app by hand:
> cd $SPLUNK_HOME/etc/apps/vmware
> java -jar lib/splunk.jar
The app should output a continuous stream of data from the configured target (ESX or VC). If this does not occur, the most common cause is that SPLUNK_HOME, PYTHONPATH, or JAVAHOME is *NOT* set. Please remember that it is only necessary to set these variables when testing the application outside of Splunk.
2) Restart Splunk.
3) On the Splunk dashboard you should now see vmware_api sources.
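A pre-flight check for the manual test run on Linux/Unix, covering the unset-variable errors described above. This is an added example, not part of the application; the function names vmware_preflight and _problem are hypothetical, and the variables and paths are the ones this README names.

```shell
#!/bin/sh
# Added example: pre-flight check for the manual test run of the vmware app.
# Names and paths (JAVAHOME, SPLUNK_HOME, PYTHONPATH, etc/apps/vmware,
# lib/splunk.jar, default/vmware.conf) are the ones this README uses.
# Usage after sourcing: vmware_preflight && java -jar lib/splunk.jar

_problem() {            # report one finding and count it
    echo "$1"
    problems=$((problems + 1))
}

# Prints one line per problem; the return status is the number of problems.
vmware_preflight() {
    problems=0
    [ -n "${SPLUNK_HOME:-}" ] || _problem "MISSING: SPLUNK_HOME is not set"
    [ -n "${PYTHONPATH:-}" ]  || _problem "MISSING: PYTHONPATH is not set"
    if [ -z "${JAVAHOME:-}" ]; then
        _problem "MISSING: JAVAHOME is not set"
        # JAVA_HOME is the conventional name; this README requires JAVAHOME.
        if [ -n "${JAVA_HOME:-}" ]; then
            echo "HINT: JAVA_HOME is set; this app expects JAVAHOME (no underscore)"
        fi
    elif [ ! -x "$JAVAHOME/bin/java" ]; then
        _problem "BAD: $JAVAHOME/bin/java is not executable"
    fi
    if [ -n "${SPLUNK_HOME:-}" ]; then
        app="$SPLUNK_HOME/etc/apps/vmware"
        # The jar that is run by hand and the config file edited earlier.
        for f in lib/splunk.jar default/vmware.conf; do
            [ -r "$app/$f" ] || _problem "BAD: $app/$f is missing or unreadable"
        done
    fi
    return "$problems"
}
```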
Some of the saved searches in this application have alerts associated with them. All of the alerts are disabled by default. You need to enable the ones that you need.