I'm trying to use Splunk VMware app 2.0 and I'm trying to get data from ESXi hosts. I found a complication that the VMware app requires local accounts on each ESXi host to be able to perform TaskDiscovery, EventDiscovery, LogDiscovery and PerfDiscovery. I wonder if it's possible to connect to the ESXi hosts through vCenter, something like with "resxtop --server
The reason, why I'm asking, is that I don't like the idea of using special local accounts on each ESXi host. The teams' responsibilities are strictly defined and Splunk admins are not admins of ActiveDirectory domains. To change a password every few weeks/months would require an effort of multiple people to deliver new credentials file to Splunk admins and update all ESXi hosts. Also the security policy is quite strict about that, Active Directory is much better choice.
For VMware topology, it is bottleneck to get all perf data from vcenter.
There's no limitation that you cannot get perf data from vcenter on settings, but it is not recommended as it normally introduce lost data.
It does get some resource pool and cluster performance data from vCenter. I've been unable to get any perf data from the ESX servers themselves despite creating the accounts.
I've got a bunch of configurable perl scripts using the vmware SDK to gather those metrics.
The new interface is pretty cool though
I also expected all data being accessible through vCenter. But the VMware app 2.0 forces me to go directly to ESXi host to get performance statistics, logs, events and tasks. I've deployed the app according to the official guide http://docs.splunk.com/Documentation/VMW/latest/Install/AudienceandFeatures. The guide tells you how to configure ESX monitoring, you just list which ESX hosts you want to monitor. But this suite directly goes to ESX hosts, you can see the URL in the generated inputs files, e.g. https://10.1.1.2/sdk/webService (10.1.1.2 is an IP address of an ESX host).