News: Splunk Releases Splunk App for VMware – More than just Logs

Today, Splunk has announced the general availability of the Splunk App for VMware. Splunk and Cloudshare have also announced that they will be presenting a session at VMworld, “How a Cloud Computing Provider Reached the Holy Grail of Visibility,” which will take place Wednesday, Aug. 29 from 4 – 5 p.m. (PT). This session will highlight one of the key new features of the new Splunk App for VMware, the ability to collect cross-tier and cross-silo data, and will demonstrate an important shift in Splunk’s strategy.

The Old Splunk – Log Analysis

Splunk made its name by popularizing and making easily accessible analysis of logs from a variety of sources. By indexing those logs on the basis of their time stamp and other identifiable information, it was possible to turn these logs into rich sources of analysis for system and application behavior. Splunk built out this log analysis strategy by building collectors for an astonishing variety of log sources (see the diagram below).

Hundreds of Splunk Apps offering solutions to easily harness machine data across your IT stack

The New Splunk App for VMware – Physical and Virtual Operations Management

The Splunk App for VMware is significant not only in that it collects log data from vSphere. It is significant in several other respects as well:

  • The Splunk App for VMware does not collect its data in 5-minute intervals from the vCenter APIs, as do many other Operations Management products in the VMware environment. The Splunk App for VMware collects its data directly from each vSphere host at 20-second intervals. This means that the Splunk App for VMware gets the exact same raw data that vCenter gets, at the exact interval that vCenter gets it. The only other vendor that operates at this level of data granularity and frequency is Reflex Systems.
  • The Splunk App for VMware collects more than just the log data from the vSphere hosts. It collects all of the normal resource utilization data that vCenter collects (and passes along to vCenter Operations) as well.

VM Architecture: Harnessing VMware data for troubleshooting, analytics and virtualization intelligence using Splunk App for VMware

Since the Splunk App for VMware is simply an addition to the existing set of data collectors for Splunk, it is useful to look at the picture in its totality. If we combine the data that Splunk can get from the physical infrastructure (and from non-virtualized physical systems) with the data from the virtualization layer (vSphere), and from many application-layer products as well (WebSphere), Splunk is now arguably in the position of having one of the richest repositories of operational data around.

This fact was probably not lost on VMware, who has seen this coming for a long time, and who reacted last week by acquiring the product assets and team for Log Insight from Pattern Insight. This means that we should probably expect log data from Log Insight to become a feature of a future release of vCenter Operations.

The New Bar in Operations Management

These actions by both Splunk and VMware raise the bar in operations management. The diversity of data collected is increasing rapidly. The frequency with which it is being collected is increasing rapidly. Splunk will hang its hat on being able to use its analytics to automate the interpretation of this stream of diverse data for its customers. VMware will likely rely upon the self-learning analytics in vCenter Operations to do the same. The ecosystem will be forced to partner up or acquire adjacent capabilities to compete in what is rapidly becoming an Operations Management Suite game.


The new Splunk App for VMware adds a significant new capability to the Splunk offerings, opens a new Operations Management frontier for Splunk and creates a new standard for functionality in the Operations Management space.
