Install location

4SplunkUser
Observer

Splunk Add-on for vCenter Logs does not have anything under the installation tab.

Do we just need to install it on the search head for the vCenter logs to be interpreted correctly or is it something that can be used to get the log into Splunk via API calls?

Better documentation would be great as it is a Splunk supported app. 


livehybrid
SplunkTrust

Hi @4SplunkUser 

The installation docs can be found at https://docs.splunk.com/Documentation/AddOns/released/VMWvcenterlogs/InstallOverview

This details the various places that the app should be installed depending on your configuration / architecture.

 


kiran_panchavat
Champion

@4SplunkUser 

You need to install the Splunk Add-on for vCenter Logs (specifically the Splunk_TA_vcenter package) on your search head if you want the search-time field extractions to work correctly. This ensures that when you search the vCenter log data in Splunk, the fields (e.g., event types, timestamps, etc.) are properly parsed and displayed.
 
You can install the Splunk Add-on for vCenter Logs (Splunk_TA_vcenter) on a Heavy Forwarder (HF), and in some cases, it makes a lot of sense depending on your Splunk architecture. 
 
The add-on has both index-time (e.g., line breaking, timestamp recognition) and search-time (e.g., field extractions) components. Installing it on the HF ensures index-time processing happens there, which can reduce load on indexers. However, you’ll still need it on the search head for search-time fields.
 
I can see that the add-on is capable of parsing data for the following sourcetypes:-
 

  • vmware:vclog:vpxd
  • vmware:vclog:vpxd-alert
  • vmware:vclog:vpxd-profiler
  • vmware:vclog:vws
  • vmware:vclog:cim-diag
  • vmware:vclog:stats

Ingest vCenter Logs to Splunk:-

  • Configure ESXi/vCenter to send logs to a syslog receiver (UF/HF).

  • Use the Splunk Add-on on that receiver to parse those logs.

  • Ensure the add-on is also installed on the HF/Search Head as per your environment. 

NOTE: Ensure that your logs align with the expected sourcetypes defined in the props.conf and transforms.conf configurations.

 
