The Splunk add-on and Splunk app use the organization’s Splunk infrastructure to process logs and events sent from NSX Advanced Load Balancer, and automatically select and identify the tag fields. The dashboards display this information in an easily consumable format.

Supported Versions

  • NSX Advanced Load Balancer: starting with NSX Advanced Load Balancer release 17.2.1; recommended version 17.2.8

  • Splunk: 7.0+

Deployment Recommendations

  • NSX Advanced Load Balancer Networks Splunk App: Splunk search heads

  • NSX Advanced Load Balancer Networks Splunk Add-on: Splunk search heads, Splunk indexers, and Splunk heavy forwarders

  • NSX Advanced Load Balancer Metrics Scripted Input: Splunk heavy forwarder (option A: if one exists) or Splunk search head (option B)



Splunk Add-on

The Splunk add-on dynamically assigns the sourcetype. It provides inline field extractions to normalize queries across different data formats and provides CIM-compliant aliases. The add-on also includes the NSX Advanced Load Balancer metrics scripted input, which pulls performance metrics using the REST API.

The NSX Advanced Load Balancer add-on for Splunk assigns a sourcetype to all events, virtual service client logs, and performance metrics upon indexing. The sourcetypes used are:

  • avi:events

  • avi:logs

  • avi:metrics

You can download the add-on from the Splunk website.

NSX Advanced Load Balancer Metrics Scripted Input Setup

The metrics scripted input for NSX Advanced Load Balancer is included with the add-on. The scripted input is used to pull performance metrics from the NSX Advanced Load Balancer API.

  1. To run the metrics scripted input on the desired host, navigate to Settings > Data Inputs.



  2. Select Add new for the Avi Metrics input.



  3. Fill in the information for the Controller Cluster that you would like to pull performance metrics from and click Next to finish.

    1. Name – Soft label used to describe the Controller cluster

    2. Avi Controller – The IP or name of the Controller cluster

    3. Avi User – Login used to pull metrics from the API

    4. Avi Password – Password used for authenticating the user

    5. Interval – Time interval for pulling metrics. The default is 5 minutes



Splunk App

Note:

The Splunk app requires the Splunk add-on.

The Splunk app provides dashboards to visually display logs, events, and performance metrics.

The dashboards are created to display data from NSX Advanced Load Balancer. At a single glance, you will be able to determine the details of all configuration changes. It provides information about the client browsers and web resources that are commonly accessed. Using NSX Advanced Load Balancer iWAF visibility, you will be able to quickly determine the most common attacks, along with their source, time, and date of occurrence.

You can download the app from the Splunk website.

NSX Advanced Load Balancer Data

The following data can serve as data inputs for Splunk:

  1. Events

  2. Virtual service logs

  3. Performance metrics

Events

Events are used as an audit trail to determine what happened when. Occurrences such as user logins, configuration changes, and runtime state changes are all tracked as events.

Getting events into Splunk requires configuration changes on the Controller. To forward NSX Advanced Load Balancer events to Splunk, configure your alert actions within the NSX Advanced Load Balancer Controller to send syslog messages with your Splunk infrastructure as the destination endpoint.

For more information on events and alerts in NSX Advanced Load Balancer, see the topics Alerts Overview, Alert Actions, and Types of Notifications in the VMware NSX Advanced Load Balancer Monitoring and Operability Guide.

Virtual Service Logs

Virtual service logs provide real-time information about Layer 7 application data for each request. The logs are sent as a JSON payload over UDP.

Getting virtual service logs into Splunk requires configuration changes on the NSX Advanced Load Balancer Controller. To forward NSX Advanced Load Balancer virtual service logs to Splunk, configure your analytics profile to stream to an external server with your Splunk infrastructure as the server endpoint.

For more information on virtual service logs in NSX Advanced Load Balancer, see the following resources:

  • Virtual Service Application Logs topic in the VMware NSX Advanced Load Balancer Monitoring and Operability Guide.

  • Streaming NSX Advanced Load Balancer Client Logs to an External Server topic in the VMware NSX Advanced Load Balancer Monitoring and Operability Guide.
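
Because the logs arrive as JSON over UDP, a receiver has to cope with datagrams from unexpected senders and with payloads that do not parse. The following is an added example, not code from the add-on or from NSX Advanced Load Balancer: a minimal receiver that filters by sender, parses each datagram, and counts what it drops. The allowed-sender list, the drop reasons, and the field names in the constructed sample payloads (vs_name, client_ip, response_code) are assumptions; tagging with avi:logs mirrors the sourcetype named above but is not how the add-on assigns it.

```python
import json
import socket

# Assumption: addresses expected to stream logs (loopback here for the demo).
ALLOWED_SENDERS = {"127.0.0.1"}
MAX_DATAGRAM = 65535  # a record cut off at the datagram boundary will not parse

def parse_datagram(payload, sender_ip, allowed=ALLOWED_SENDERS):
    """Return (event, None) for a usable log, or (None, reason) when dropped."""
    # UDP source addresses can be forged: this filters stray traffic,
    # it does not authenticate the sender.
    if sender_ip not in allowed:
        return None, "unexpected_sender"
    try:
        record = json.loads(payload.decode("utf-8"))
    except (UnicodeDecodeError, json.JSONDecodeError):
        return None, "malformed_json"
    if not isinstance(record, dict):
        return None, "not_an_object"
    return {"sourcetype": "avi:logs", "host": sender_ip, "event": record}, None

def receive(sock, count, allowed=ALLOWED_SENDERS):
    """Read `count` datagrams from a bound UDP socket; return events and drop counts."""
    events, drops = [], {}
    for _ in range(count):
        payload, (ip, _port) = sock.recvfrom(MAX_DATAGRAM)
        event, reason = parse_datagram(payload, ip, allowed)
        if event is not None:
            events.append(event)
        else:
            drops[reason] = drops.get(reason, 0) + 1
    return events, drops

def demo():
    """Loopback round trip with constructed payloads (not real product output)."""
    samples = [
        b'{"vs_name": "web-vs", "client_ip": "198.51.100.7", "response_code": 200}',
        b'{"vs_name": "web-vs", "client_ip": "198.51',  # truncated record
        b'[1, 2, 3]',                                    # valid JSON, wrong shape
    ]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        rx.bind(("127.0.0.1", 0))
        rx.settimeout(2)
        for s in samples:
            tx.sendto(s, rx.getsockname())
        return receive(rx, len(samples))

if __name__ == "__main__":
    print(demo())
```

A rising drop count for malformed_json on a live feed is worth alerting on, since it usually means records are being truncated or something other than the expected sender is writing to the port.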

Performance Metrics

The NSX Advanced Load Balancer provides more than 200 metrics that allow you to monitor performance and provide granular visibility for specific applications and backend pool servers.

A scripted data input named NSX Advanced Load Balancer metrics is included with the Splunk app. The NSX Advanced Load Balancer metrics data input will connect to the specified NSX Advanced Load Balancer Controller through the REST API and will retrieve the performance metrics. To forward the performance metrics to Splunk, add a new entry within the NSX Advanced Load Balancer metrics data input specifying the NSX Advanced Load Balancer Controller cluster and relevant credentials. The default interval to run the scripted input is 5 minutes.

For more information on NSX Advanced Load Balancer metrics, see the Metrics topic in the VMware NSX Advanced Load Balancer Monitoring and Operability Guide.