Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Why am I unable to collect Syslogs for VMWare 5.5.0 on Splunk 6.2.1?

heinerramos
New Member
‎02-19-2015 11:49 AM

Hi Everyone,

I have a problem to collect Syslogs for VMWare 5.5 on Splunk 6.2.1 that is installed in a Linux Virtual Machine (ElementaryOS version 0.2.1).

So, I executed the steps on the tutorials below:
1) http://wiki.splunk.com/Community:VMwareESXSyslog
2) http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=200332...

However, I am always having the same problem.

THE LOGS ARE NOT TRANSMITTED IN ANYWAY TO SPLUNK 6.2.1.

Someone's been through a similar situation and could help me?

0 Karma
Reply

belka
Path Finder
‎09-08-2015 02:13 AM

I ran into this problem.

I installed the DCN, the connections all checked out green, and I was ready to go. I did a search and my VMwre app dashboard all came up with data. Brillant, so far.

The Data Collection Node (DCN) that comes with Splunk has a 5GB disk. The default for for the dispatcher for doing searches is 5GB. What happened to me is that the VMware app came up, populated the dashboards, and then never collected another thing. The reason, revealed by tailing the splunkd.log file on the DCN is that there was not enough space on the virtual disk drive on the DCN VM. I solved it by having the VM admin up the space available to $SPLUNK_HOME directory on the DCN. Ultimately, I rolled my own DCN because the VMWare schema couldn't (or wouldn't) grow the VM directory. Splunk was in /home/splunk vice /opt/splunk. oh well.

The other possible solution is to change the minimum disk space required for the dispatcher in Splunk when conduction searches. You could lower it to 2 GB and then start getting search data back. If you problem is similar to the one I encountered, this might help.

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...