Splunk ITSI

ITSI VMware OVA-Is it possible to skip the scheduler and edit a conf file on the DCN itself?

TimEek
Path Finder

Hi all,

 

For our environment we want to ingest VMWare data for ITSI. The documentation tells us we need an OVA, so we installed one. However, this took a long time. And now I see we need a seperate Scheduler since the searchhead is actually on Windows, which I did not notice in time is apparently not possible to combine with a Scheduler.

It is also a bit vague to me how the connection works. With the scheduler you link a vCenter, so the scheduler needs a connection to the vCenter as well? And this data is then used on the DCN to also connect with the vCenter?

My main question is: Is it possible to skip the scheduler and edit a conf file on the DCN itself to start ingesting VMWare and vCenter data right away? We have a limited time schedule since this is just a test environment and the ITSI license doesn't last forever. 

Regards, Tim

Labels (2)
0 Karma
1 Solution

nyc_jason
Splunk Employee
Splunk Employee

The OVA can be both a DCN and scheduler in one. The DCN connects to vcenter API and pull data from it. The scheduler tells it when and what to pull. They can be on the same machine (the OVA, or one you build). In the event you have multiple DCNs because you have such a large vmware environment, you could have the scheduler run on its own machine to control all the DCNs. Also, for POC, if you are running a recent version of Splunk, I'd suggest using the Splunk OVA for VMware Metrics (not the older Splunk OVA for VMware, or Splunk VMware OVA for ITSI). Set it up to be both the DCN and scheduler. It should have the Splunk Add-on for VMware Metrics preinstalled. Its in there that you will find good docs to follow.  https://docs.splunk.com/Documentation/AddOns/released/VMWmetrics/InstallOverview

 

View solution in original post

0 Karma

nyc_jason
Splunk Employee
Splunk Employee

The OVA can be both a DCN and scheduler in one. The DCN connects to vcenter API and pull data from it. The scheduler tells it when and what to pull. They can be on the same machine (the OVA, or one you build). In the event you have multiple DCNs because you have such a large vmware environment, you could have the scheduler run on its own machine to control all the DCNs. Also, for POC, if you are running a recent version of Splunk, I'd suggest using the Splunk OVA for VMware Metrics (not the older Splunk OVA for VMware, or Splunk VMware OVA for ITSI). Set it up to be both the DCN and scheduler. It should have the Splunk Add-on for VMware Metrics preinstalled. Its in there that you will find good docs to follow.  https://docs.splunk.com/Documentation/AddOns/released/VMWmetrics/InstallOverview

 

0 Karma

TimEek
Path Finder

Hi, Sorry for the questions, but at the moment we have a connection from the VMWare OVA to the vCenter. How do I make it so the DCN is also the DCS? Can I just enable the configuration somewhere, or do I need to define the machine itself in the Collection Configuration? If so, how do I do that? I get the following message if I try to configure the DCS with the DCN as itself:

Could not log into node=
https://HF:9997 with the credentials provided, cannot manage the heads on that node.

I have tried the IP adress, the hostname and even localhost. 

EDIT: for anyone coming here with similar issues, you have to edit the add-on for vmware, NOT the add-on for vmware metrics. I learned this the hard way..

Tags (1)
0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...