All Apps and Add-ons
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to ingest data from VMWare ESXI host

maheshnc
Path Finder
‎09-11-2025 06:01 AM

I want to know what are the ways to ingest the data from ESXI host in Splunk. 

Labels (1)
Labels
0 Karma
Reply

vjdev
Explorer
‎09-12-2025 10:46 AM

Hello maheshnc,

If you use HF to receive syslog, it will receive the log, process it, and store it in the indexers. It wouldn't store in HF. 

To archive it,

  • Settings → Data Inputs.
  • Find the TCP and/or UDP input options under Network data.
  • Add new for TCP or UDP.
  • Choose the port you want to use.
  • Assign a sourcetype.
  • Choose or define the index.
  • Optionally set host settings.


Else, if you want to use UF, set up syslog-ng and store the logs in files and read them using UF by setting up inputs.conf.

Difference:

UF does not do full parsing, routing based on event content. Transformation/filters that require deep processing. It usually has minimal functionality.It is a lightweight component.

HF is a full Splunk Enterprise install that is used as a forwarder. Indexing is typically disabled (or you configure it so it doesn’t index locally) when being used as HF. It can parse, filter, route, transform and mask/anonymize events before forwarding.

Thank you!

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎09-13-2025 09:12 AM

Whilst this is possible, I would recommend looking at SC4S or syslog-ng approaches first. 

"Splunk recommends the SC4S containerized solution for all customers who are able to adopt it"

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

 

0 Karma
Reply

Meett
Splunk Employee
Splunk Employee
‎09-11-2025 12:10 PM

Hello @maheshnc You can have look at this document and add-on  : https://docs.splunk.com/Documentation/AddOns/released/VMWesxilogs/Install 

0 Karma
Reply

maheshnc
Path Finder
‎09-11-2025 11:05 PM

Thanks for your inputs. Could you please explain If I can setup my Heavy Forwarder to receive the syslog (instead of syslog ng server with UF installed on it)? if yes, how can I setup my HF to receive the syslog and where will the syslog be stored on HF? also, what will be the difference between using a using a UF and a HF to collect the syslog data.

0 Karma
Reply

livehybrid
SplunkTrust
SplunkTrust
‎09-13-2025 08:52 AM

Hi @maheshnc  you "can", but I really would not recommend it. 

Check out https://help.splunk.com/en/splunk-cloud-platform/get-started/splunk-validated-architectures/getting-...for validated archiectures for ingesting syslog into Splunk.

I would recommend looking at SC4S (https://splunk.github.io/splunk-connect-for-syslog/2.30.1/sources/vendor/VMWare/vsphere/) or Rsyslog or Syslog NG combined with Universal Forwarder (UF)/Heavy Forwarder (HF) for your usecase.

🌟 Did this answer help you? If so, please consider:

  • Adding karma to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...