Are you a member of the Splunk Community?
- Find Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Are there any additional Splunk_TA_vmware inde...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Are there any additional Splunk_TA_vmware index configurations I need to be aware of?
Hi All
I have configured Splunk_TA_vmware along with SA_Hydra in our HF to collect data from vcenter.
I have also installed VMWIndex add-on on Indexer clusters as suggested in the documentation.
However the data is going to lastchance index when I was hoping the VMWIndex add-on would take care of the proper index configuration.
Is there any additional configuration I need to do to get the logs into the indexes created by VMWIndex addon. Attaching the indexes.conf file from the addon. Tried adding index=index_name in the inputs.conf of Splunk_TA_vmware addon, but no luck. It is not getting any effect and still going into lastchance index only.
Kindly suggest.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have you updated the inputs.conf on Splunk_TA_vmware and updated the "index=" to appropriate value based on input?
https://docs.splunk.com/Documentation/AddOns/released/VMW/vCenterlogs
https://docs.splunk.com/Documentation/AddOns/released/VMW/ESXihosts
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We do not have any monitor stanzas in the inputs.conf our app @somesoni2 .
The inputs look like this
[ta_vmware_collection_worker://alpha]
capabilities = hostvmperf,otherperf,hierarchyinv,hostinv,vminv,clusterinv,datastoreinv,rpinv,task,event
log_level = INFO
disabled = 1
interval = 15
index = vmware-vclog
[ta_vmware_collection_worker://beta]
capabilities = hostvmperf,otherperf,hierarchyinv,hostinv,vminv,clusterinv,datastoreinv,rpinv,task,event
log_level = INFO
disabled = 1
interval = 15
index = vmware-vclog
[ta_vmware_collection_worker://gamma]
capabilities = hostvmperf,otherperf,hierarchyinv,hostinv,vminv,clusterinv,datastoreinv,rpinv,task,event
log_level = INFO
disabled = 1
interval = 15
index = vmware-vclog
The index parameter is not actually there by default. I have added and tried but no luck.
We have another conf file ta_vmware_collection.conf in which we have below parameters under [default] stanza.
perf_index = vmware-perf
inv_index = vmware-inv
taskevent_index = vmware-taskevent
The script refers to these entries only to index the data. Even though these indexes are available in the indexes.conf of the addon we pushed(SA-VMWIndex) to our indexer cluster, the data is still going into lastchance index.
I have also tried index forcing on each sourcetype in the props with help of transforms. No luck 😞
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@somesoni2@micahkemp Any suggestions please?
Calling All Security Pros: Ready to Race Through Boston?
Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...
Customer success is front and center at .conf25
