Re: Adding ESX hosts to an existing Splunk server

mikeyw · ‎10-10-2012

Hi,

I've inherited a splunk server that was setup to receive to vmkwarning files from around 20 ESX hosts.

Recently i built another 5 hosts running ESX5 that i'd like to also get the vmkwarning files sent to the splunk server, what's the best guide to show me how to do this ?

I presume some kind of splunk forwarding agent has to reside on the ESX host ?

Thanks

mikeyw · ‎10-11-2012

Any further thoughts here guys ?

sdaniels · ‎10-10-2012

Yes, you'll need to install a splunk forwarder on the ESX host. Then you'll set up file monitoring. Take a look at one of your existing ESX server forwarders. You should find settings in /etc/system/local/ in outputs.conf and inputs.conf. Outputs will have the settings for communicating back to the Splunk server and inputs.conf has the details of the file being monitored. In this case probably /var/log/vmkwarning.log.

http://docs.splunk.com/Documentation/Splunk/5.0/Deploy/Deploymentoverview

http://docs.splunk.com/Documentation/Splunk/5.0/Data/Monitorfilesanddirectories

mikeyw · ‎10-10-2012

I've just checked on a couple of ESX hosts that the splunk server is collecting log information from and did a global find for both outputs.conf and inputs.conf, nothing was returned. What is the default location for the splunk forwarders on a ESX node ?

Adding ESX hosts to an existing Splunk server

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life