Copyright  ©  2014  Splunk  Inc.  

Splunk  for  VMware  Architecture  &  Design    

Michael  Donnelly,  Sr.  Sales  Engineer  

Disclaimer  

2  

During  the  course  of  this  presentaEon,  we  may  make  forward  looking  statements  regarding  future  events  or  the  expected  performance  of  the  company.  We  cauEon  you  that  such  statements  reflect  our  current  expectaEons  and  

esEmates  based  on  factors  currently  known  to  us  and  that  actual  events  or  results  could  differ  materially.  For  important  factors  that  may  cause  actual  results  to  differ  from  those  contained  in  our  forward-­‐looking  statements,  

please  review  our  filings  with  the  SEC.  The  forward-­‐looking  statements  made  in  the  this  presentaEon  are  being  made  as  of  the  Eme  and  date  of  its  live  presentaEon.  If  reviewed  aQer  its  live  presentaEon,  this  presentaEon  may  not  contain  current  or  accurate  informaEon.  We  do  not  assume  any  obligaEon  to  update  any  forward  looking  statements  we  may  make.  In  addiEon,  any  informaEon  about  our  roadmap  outlines  our  general  product  direcEon  and  is  subject  to  change  at  any  Eme  without  noEce.  It  is  for  informaEonal  purposes  only  and  shall  not,  be  incorporated  into  any  contract  or  other  commitment.  Splunk  undertakes  no  obligaEon  either  to  develop  the  features  or  funcEonality  described  or  to  

include  any  such  feature  or  funcEonality  in  a  future  release.  

Splunk  for  VirtualizaEon  Prep  quesEons  for  today’s  discussion:    Your  Physical  VMware  environment:  –  ESXi  servers,  vCenter  servers  –  Storage  soluEons  Eed  to  VMware  –  Network  devices    What  are  the  problems  you  are  hoping  to  solve?      Which  groups  are  affected?    Are  you  familiar  with  Splunk  already?  What  do  you  use  Splunk  for  today?    

 

3  

Splunk  Enterprise  6  

4  

Alerts  Messages   Metrics   Changes  Scripts  ConfiguraEons  Log  Files  

Indexes  Any  Data  from  Any  Source    

Databases  Networks   Servers   Virtual  Machines  

Smartphones  and  Devices  

Custom  ApplicaEons  Security  

Tickets  

Web  Server  Sensors  

Splunk  Enterprise  6  

5  

IT  users     Data    Analysts    

Security  Analysts    

Business  Users    

Databases  Networks   Servers   Web  Services  

Smartphones  and  Devices  

Custom  ApplicaEons  Security  

Any  Machine  Data  

VMware  Admins  

App  Developers  

Industry  Leading  Placorm  for  Machine  Data  

6  

Any  Machine  Data   Opera9onal  Intelligence  

HA  Indexes  and  Storage  

Search  and  Inves9ga9on  

Proac9ve  Monitoring  

Opera9onal  Visibility  

Real-­‐9me  Business  Insights  

Commodity  Servers  

Online  Services   Web  

Services  

Servers  Security   GPS  

LocaEon  

Storage  Desktops  

Networks  

Packaged  ApplicaEons  

Custom  ApplicaEons  Messaging  

Telecoms  Online  

Shopping  Cart  

Web  Clickstreams  

Databases  

Energy  Meters  

Call  Detail  Records  

Smartphones  and  Devices  

RFID  

OpEmal  VirtualizaEon  

At  Splunk,  we  know  that  our  customers  want  to  maximize  the  usability  of  their  investment  into  their  virtualized  environments.    In  order  to  get  the  best  return  on  your  Virtualiza@on  investments,  you  need  to  u@lize  your  available  resources  op@mally.    To  do  this,  one  must  know  which  servers  are  overtaxed,  which  are  underu@lized.    One  must  be  proac@ve  about  the  known  and  hidden  risks  that  are  oCen  present  when  virtualizing  the  environment.         7  

Key  Benefits  

8  

   

Reduce  MTTR  

Eliminate  silos  –  gain  visibility  into  virtualizaEon  health  in  relaEon  to  applicaEons,  

storage,  operaEng  systems,  networks  and  other  

infrastructure  components      

Maximize  ROI  

Improve  infrastructure  uElizaEon  efficiencies  and  

avoid  over-­‐provisioning  with  granular  insights  into  resource  consumpEon  

   

Reduce  Costs  

Reclaim  and  reuse  unused  resources  aQer  they  are  no  longer  needed  avoiding  a  virtual  sprawl  with  detailed  analysis  on  your  virtual  

assets  

“  I  now  have  built-­‐in  visibility  into  latencies  caused  by  my  storage  and  

impact  to  the  applicaEon  performance”  

“I  can  see  how  my  workloads  are  using  my  vCPUs  and  RAM,  thus  avoiding  high  CPU  wait  Emes  and  opEmized  resource  uElizaEon.”  

“We’ve  recycled  inacEve  and  abandoned  VMs  and  avoided  capital  

expenditure.”  

Virtual  Datacenter  Point  SoluEons  Too  much  complexity,  too  limle  visibility  

Performance  data  and  summaries  are  not  enough  • VM  tools  keep  summarized  metrics,  make  it  hard  to  idenEfy  specific  problems  • VM  Tools  look  at  performance,  but  ignore  log  events  

VMware  environment  data  alone  isn’t  enough  • Solving  end-­‐user  or  applicaEon-­‐level  problems  requires  visibility  across  technology  Eers,  including  OS  and  ApplicaEon  data  

Point  soluEons  offer  only  one  piece  of  the  puzzle  • Maintaining  OperaEonal  Health  includes  other  dependencies:  Storage,  Network,  DNS,  DHCP,  Firewall,  Routers,  etc.  

• Maintaining  mulEple  point  soluEons:  increased  costs,  correlaEons  by  hand  

9  

10  

Typical  Splunk  Deployment  

SAN  &  NAS  

Splunk  Environment    

Network  Infrastructure  

AcEve    Directory  

Virtual  Servers:    Web,  middleware,  apps    

CriEcal  Infrastructure  

Servers  Networking  

11  

vCenter  Server  

ESXi  Hosts  

Your  Physical  VMware  Environment  

VMware  environment  

SAN  &  NAS  

Splunk  Environment    

Network  Infrastructure  

AcEve    Directory  

Virtual  Servers:    Web,  middleware,  apps    

CriEcal  Infrastructure  

Servers  Networking  

12  

vCenter  Server  

ESXi  Hosts  

Your  Actual  Physical  VMware  Environment  

VMware  environment  

SAN  &  NAS  

Splunk  Environment    

Network  Infrastructure  

AcEve    Directory  

Virtual  Servers:    Web,  middleware,  apps    

CriEcal  Infrastructure  

Servers  Networking  

13  

vCenter  Server  

ESXi  Hosts  

Your  Full  VMware  Environment  

VMware  environment  

SAN  &  NAS  

Splunk  Environment    

Network  Infrastructure  

AcEve    Directory  

Virtual  Servers:    Web,  middleware,  apps    

CriEcal  Infrastructure  

Servers  Networking  

Demo  

14  

Integrated  Insights  Into  Your  VMware  Environment  

15  

Proac9ve  Monitoring  

Comprehensive  Analy9cs    

End-­‐to-­‐end  Visibility    

APP  

OS  

VMware  vSphere  

Physical  Layer  

Servers  Storage   Network  Devices  

VMware  vCenter  Server(VC)  

APP  

OS  VM   VM  

Report  

Correlate  

Monitor  

Explore  

Real-­‐@me  ac@onable  insights  into  problem  spots  and  health  issues    

Real-­‐@me  and  historical  insights  into  performance,  security,  capacity,  forecas@ng,  outlier  detec@on  and  change  tracking  

Scalable  big  data  solu@on  for  holis@c  visibility  across  all  technology  @ers    

16  

vCenter  Server  

ESXi  Hosts  

Splunk  for  VMware  Architecture  

Physical  VMware  environment  

Splunk  DCN  

SAN  &  NAS  

Splunk  Environment    

Network  Infrastructure  

Performance  (API)  

AcEve    Directory  

CriEcal  Infrastructure  

Servers  Networking  

vCenter  Logs  

ESXi  logs  

THANK  YOU  Thank  You  

Deployment  Details  

19  

vCenter  Server  

ESXi  Hosts  

Splunk  for  VMware  –  Required  ConnecEvity  

Physical  VMware  environment  

SAN  &  NAS  

Splunk  Environment    

API:  TCP  443  

Networking  

TCP  8089  &  8008  

TCP  9997  

vCenter  Logs:  TCP  9997  

Syslog:    TCP  1514  UDP  514  

TCP  9997  

DCN  

Syslog  Server  

TCP  443  

Deployment  notes  

•  All  of  the  ports  menEoned  in  the  previous  slide  are  the  default  ports;  Splunk  can  be  adapted  to  use  alternates.  

•  If  you’re  using  search  head  pooling  –  there  are  addiEonal  details  covered  in  the  installaEon  guide.    You  must  use  a  dedicated  search  head  (not  pooled)  to  act  as  the  Data  CollecEon  Scheduler.  

•  During  installaEon,  the  DCN  will  be  configured  either  by  SSH  or  remote  console  access;  addiEonal  configuraEon  is  done  via  the  Splunk  web  UI  on  TCP  port  8000.    Ensure  that  access  by  SSH/8000  or  by  CLI  via  console  will  be  possible.  

   

20