Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why am I unable to collect Syslogs for VMWare 5.5.0 on Splunk 6.2.1?

heinerramos
New Member
‎02-19-2015 11:49 AM

Hi Everyone,

I have a problem to collect Syslogs for VMWare 5.5 on Splunk 6.2.1 that is installed in a Linux Virtual Machine (ElementaryOS version 0.2.1).

So, I executed the steps on the tutorials below:
1) http://wiki.splunk.com/Community:VMwareESXSyslog
2) http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=200332...

However, I am always having the same problem.

THE LOGS ARE NOT TRANSMITTED IN ANYWAY TO SPLUNK 6.2.1.

Someone's been through a similar situation and could help me?

0 Karma
Reply

belka
Path Finder
‎09-08-2015 02:13 AM

I ran into this problem.

I installed the DCN, the connections all checked out green, and I was ready to go. I did a search and my VMwre app dashboard all came up with data. Brillant, so far.

The Data Collection Node (DCN) that comes with Splunk has a 5GB disk. The default for for the dispatcher for doing searches is 5GB. What happened to me is that the VMware app came up, populated the dashboards, and then never collected another thing. The reason, revealed by tailing the splunkd.log file on the DCN is that there was not enough space on the virtual disk drive on the DCN VM. I solved it by having the VM admin up the space available to $SPLUNK_HOME directory on the DCN. Ultimately, I rolled my own DCN because the VMWare schema couldn't (or wouldn't) grow the VM directory. Splunk was in /home/splunk vice /opt/splunk. oh well.

The other possible solution is to change the minimum disk space required for the dispatcher in Splunk when conduction searches. You could lower it to 2 GB and then start getting search data back. If you problem is similar to the one I encountered, this might help.

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...