
Install location

4SplunkUser
Observer

Splunk Add-on for vCenter Logs does not have anything under the installation tab.

Do we just need to install it on the search head for the vCenter logs to be interpreted correctly or is it something that can be used to get the log into Splunk via API calls?

Better documentation would be great as it is a Splunk supported app. 

0 Karma

livehybrid
Champion

Hi @4SplunkUser 

The installation docs can be found at https://docs.splunk.com/Documentation/AddOns/released/VMWvcenterlogs/InstallOverview

This details the various places that the app should be installed depending on your configuration / architecture.

 

🌟 Did this answer help you? If so, please consider:

  • Adding kudos to show it was useful
  • Marking it as the solution if it resolved your issue
  • Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

0 Karma

kiran_panchavat
Influencer

@4SplunkUser 

You need to install the Splunk Add-on for vCenter Logs (specifically the Splunk_TA_vcenter package) on your search head if you want the search-time field extractions to work correctly. This ensures that when you search the vCenter log data in Splunk, the fields (e.g., event types, timestamps, etc.) are properly parsed and displayed.
 
You can install the Splunk Add-on for vCenter Logs (Splunk_TA_vcenter) on a Heavy Forwarder (HF), and in some cases, it makes a lot of sense depending on your Splunk architecture. 
 
The add-on has both index-time (e.g., line breaking, timestamp recognition) and search-time (e.g., field extractions) components. Installing it on the HF ensures index-time processing happens there, which can reduce load on indexers. However, you’ll still need it on the search head for search-time fields.
 
I can see that the add-on is capable of parsing data for the following sourcetypes:

  • vmware:vclog:vpxd
  • vmware:vclog:vpxd-alert
  • vmware:vclog:vpxd-profiler
  • vmware:vclog:vws
  • vmware:vclog:cim-diag
  • vmware:vclog:stats

Ingest vCenter Logs to Splunk:

  • Configure ESXi/vCenter to send logs to a syslog receiver (UF/HF).

  • Use the Splunk Add-on on that receiver to parse those logs.

  • Ensure the add-on is also installed on the HF/Search Head as per your environment. 

NOTE: Ensure that your logs align with the expected sourcetypes defined in the props.conf and transforms.conf configurations.

 

Did this help? If yes, please consider giving kudos, marking it as the solution, or commenting for clarification — your feedback keeps the community going!
0 Karma
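
The sourcetype alignment mentioned in the note above can be checked before data is onboarded. The following is an added example, not code from the posts or from the add-on: it audits an inputs.conf on the syslog receiver against the six sourcetypes listed in the answer. The monitor paths, the `vcenter` path hint and the function names are hypothetical, and it assumes the sourcetype is assigned in inputs.conf.

```python
import re

# Sourcetypes the answer above lists as parsed by the add-on.
ADDON_SOURCETYPES = {
    "vmware:vclog:vpxd", "vmware:vclog:vpxd-alert", "vmware:vclog:vpxd-profiler",
    "vmware:vclog:vws", "vmware:vclog:cim-diag", "vmware:vclog:stats",
}

# Constructed sample inputs.conf for a syslog receiver; all paths are hypothetical.
SAMPLE_INPUTS_CONF = """\
[monitor:///var/log/remote/vcenter/vpxd.log]
sourcetype = vmware:vclog:vpxd

[monitor:///var/log/remote/vcenter/vpxd-alert.log]
sourcetype = vmware:vclog:vpxd_alert

[monitor:///var/log/remote/vcenter/vws.log]
index = vmware

[monitor:///var/log/remote/linux/messages]
sourcetype = syslog
"""

def parse_stanzas(text):
    """Return {stanza_name: {key: value}} for the body of a Splunk .conf file."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = stanzas.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return stanzas

def audit_inputs(text, path_hint="vcenter"):
    """Flag vCenter input stanzas whose sourcetype the add-on will not parse."""
    findings = []
    for name, settings in parse_stanzas(text).items():
        if path_hint not in name.lower():
            continue  # not a vCenter input (assumed naming), out of scope
        st = settings.get("sourcetype")
        if st not in ADDON_SOURCETYPES:
            problem = f"unexpected sourcetype {st!r}" if st else "no sourcetype set"
            findings.append((name, problem))
    return findings
```

Calling `audit_inputs(SAMPLE_INPUTS_CONF)` reports the misspelled `vpxd_alert` stanza and the stanza with no sourcetype; events from either would be indexed but would not get the add-on's field extractions.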