All Apps and Add-ons

Can Splunk collect performance metrics of ESXi hosts and virtual machines from vCenter without Splunk App for VMware?

pgadhari
Builder

Hi all,

Whether Splunk can collect performance metrics of ESXi hosts and virtual machines, tasks and events, inventory, hierarchy and topology information – all from VCenter without using "Splunk App for VMware" ? I dont want to use vmware app as it is a paid app, but whether I can still do capacity management of ESXi servers by collecting above data from VC, plus I want to collect VC logs as well as ESXi hosts logs for investigation, troubleshooting and event correlation, whether this is possible without VMware app ?

Also, if Splunk can collect all the above metrics, whether we can manually create dashboards, reports, searches, do capacity predictions without using "Splunk App for VMware" (as this is paid app). Please clarify above points as well as point me to some documentation showing above configurations.

Thanks

0 Karma
1 Solution

mgildenhorn_spl
Splunk Employee
Splunk Employee

Unfortunately, you can't collect host and VM performance metrics and inventory information through the ESXi or vCenter logs. You would need something like the vSphere API to get to them. This is how vCenter collects the metrics as well. If you wanted to get that type of information into Splunk, you would need some way to collect those metrics and load them in. That is one of the key things the VMware App does. Splunk created a new type of collector (Data Collection Node or DCN) designed to go after API metrics at a high rate. In this case, the DCN calls the vSphere API to get the metrics. The DCN happens to also be used in the Splunk App for NetApp Data ONTAP.

View solution in original post

mgildenhorn_spl
Splunk Employee
Splunk Employee

Unfortunately, you can't collect host and VM performance metrics and inventory information through the ESXi or vCenter logs. You would need something like the vSphere API to get to them. This is how vCenter collects the metrics as well. If you wanted to get that type of information into Splunk, you would need some way to collect those metrics and load them in. That is one of the key things the VMware App does. Splunk created a new type of collector (Data Collection Node or DCN) designed to go after API metrics at a high rate. In this case, the DCN calls the vSphere API to get the metrics. The DCN happens to also be used in the Splunk App for NetApp Data ONTAP.

Richfez
SplunkTrust
SplunkTrust

We did this, at least for basic uses.

Use syslog from the ESX hosts as per the instructions from VMware:
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=200332...

Set up a syslog input if you don't have one already. http://docs.splunk.com/Documentation/Storm/Storm/User/Howtosetupsyslog

Start logging at a fairly low amount and start reading them. You'll find information like VMotion start/ends and rates, Disk issues or latency issues, loads, ... all sorts of stuff.

I'm happy to say from that point forward it's all just fun Splunking!

Richfez
SplunkTrust
SplunkTrust

You will not get nearly as much information out of ESXi's syslog as you can from other methods, I was only trying to convince you that you certainly can get enough for some basic uses. Only you can tell if it's enough.

Why not download the free version of splunk and point one or two hosts at it and see what it is you can glean from that information? Build a few searches and some dashboards, get a feel for what information you COULD get out of it. You may find that the case for buying the VMware App becomes much easier to sell to management if you show the limitations of not buying it.

0 Karma

pgadhari
Builder

Ok, so I don't need VMWare App for doing this correct ? Also, whether Splunk can collect performance metrics of Virtual Hosts and ESXi hosts directly from V-Center ? I will not need to install any Splunk forwarder's on my virtual machines, is that correct ?

I can just take syslogs from ESXi hosts and VC, correct ? Can you share the screenshots of dashboards you have created for your VMWare environment please? Actually, I am planning of procuring Splunk and I want to do Server Capacity Management (Splunk says it can do that also) without using VMware App. That is why I am verifying this. And also, how easy is to collect performance metrics, inventory, events, etc. directly from V-center using Splunk, do you have any procedure for that ?

Please answer my questions above.

Thanks.

0 Karma

ramarcsight
Explorer

Hello did u install DCN and got the data ??
did u design the dashboards ?

0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...