icon/x Created with Sketch.

Splunk Cookie Policy

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website. Learn more (including how to update your settings) here.
Accept Cookie Policy

Accept License Agreements

This app is provided by a third party and your right to use the app is in accordance with the license provided by that third-party licensor. Splunk is not responsible for any third-party apps and does not provide any warranty or support. If you have any questions, complaints or claims with respect to this app, please contact the licensor directly.

Thank You

Downloading Dell EMC PowerMax App For Splunk Enterprise
SHA256 checksum (dell-emc-powermax-app-for-splunk-enterprise_201.tgz) c0674883c194742d5e0157944df6f933a556c6cd9de9a205a712a12a9859a5f0 SHA256 checksum (dell-emc-powermax-app-for-splunk-enterprise_10.tgz) e64afdb48c305d051a18daf3c768feae170f92eac528d4579b15819528a9d05a
To install your download
For instructions specific to your download, click the Details tab after closing this window.

Flag As Inappropriate

Dell EMC PowerMax App For Splunk Enterprise

Splunk AppInspect Passed
Admins: Please read about Splunk Enterprise 8.0 and the Python 2.7 end-of-life changes and impact on apps and upgradeshere.
The Splunk App for Dell EMC VMAX/PowerMax allows a Splunk' Enterprise administrator to take inventory, performance information, and summary information from VMAX storage arrays through the VMAX/PowerMax Technical Add-on (TA) and present them in pre-built dashboards, tables and time charts for in-depth analysis and drill-downs to event.


-Title: Dell EMC VMAX App for Splunk Enterprise
-App-on Version: 2.0.1
-Document Version: 2.0.0
-Date: 31st January 2018
-Vendor Products: Dell EMC VMAX3 and VMAX All-Flash
-Visible in Splunk Web: Yes

SECURITY NOTICE - It has been brought to my attention that there is a known bug in the Splunk platform with adding data inputs through Settings>Data Inputs and passwords being saved in clear text. -DO NOT ADD VMAX INPUTS VIA THE SPLUNK DATA INPUTS PAGE-ADD THROUGH THE VMAX ADD-ON DASHBOARD MENU ITEM-


For any and all issues or queries, please contact vmax.splunk.support@emc.com.
Include as much information as possible about the issue, the Operating System
and Splunk versions, and associated log files.

-Response Time: Within 48hrs
-How we track issues: Internal Bug tracking system

Hours of Operation & Holidays Observed 2018

All times are specific to Ireland (GMT+00:00)

Working Hours:
Monday : 09:00 - 17:00
Tuesday : 09:00 - 17:00
Wednesday : 09:00 - 17:00
Thursday : 09:00 - 17:00
Friday : 09:00 - 16:00
Saturday : Closed
Sunday : Closed

Holidays Observed 2018:
Date Weekday Holiday Name Holiday Type
Jan 1 Monday New Year's Day National holiday
Mar 19 Monday St. Patrick's Day Observance
Mar 30 Friday Good Friday Observance
Apr 1 Sunday Easter Observance
Apr 2 Monday Easter Monday National holiday
May 7 Monday May Day National holiday
Jun 4 Monday June Bank Holiday National holiday
Aug 6 Monday August Bank Holiday National holiday
Oct 29 Monday October Bank Holiday National holiday
Dec 24 Monday Christmas Eve Observance
Dec 25 Tuesday Christmas Day National holiday
Dec 26 Wednesday St. Stephen's Day National holiday
Dec 31 Monday New Year's Eve Observance

About the VMAX Add-on for Splunk Enterprise

The Splunk App for Dell EMC VMAX allows a Splunk' Enterprise administrator to
take inventory, performance information, and summary information from VMAX
storage arrays through the VMAX Technical Add-on (TA) and present them in
pre-built dashboards, tables and time charts for in-depth analysis and
drill-downs to event.

Download the Splunk App for Dell EMC VMAX from Splunkbase.

Release Notes

Version 2.0.1 of the VMAX App is compatible with:
-Splunk Platform: 6.4 and above
-CIM: 4.6 and above
-OS Platforms: Splunk compatible platforms
-Vendor Hardware: Dell EMC VMAX3 and VMAX All-Flash
-Vendor Software: Solutions Enabler and newer
Unisphere for VMAX and newer

The VMAX App for Splunk Enterprise contains dashboards which present data
captured from the following VMAX TA reporting levels:
-VMAX (array level)
-VMAX System Alerts
-Storage Resource Pool
-Storage Group
-Director (FE/BE/RDF/IM/EDS)
-Port Group
-Workload Planner (Compliance/Head room)

VMAX App for Splunk Requirements and Considerations

-Splunk Administrator Requirements
To install and configure the Splunk VMAX App, you must have admin privileges.

-Hardware & Software
As this app runs on Splunk Enterprise, all Splunk Enterprise system requirements
apply. In order for the Splunk app for VMAX to work correctly, the VMAX TA must
also be installed and configured in the environment in-advance of installing the
VMAX app. Install the VMAX app on search heads so it can run queries on the
indexes defined in the VMAX TA which contain the VMAX event data.

The VMAX App uses Splunk macros to shorten lengthy and frequent search queries.
By default, these queries use the Splunk default index as configured by the
user, typically this is the 'main' index but can be changed. If you store your
VMAX event data in a different index from the default index, or have distributed
your VMAX data across multiple indexes, you will need to configure these macros
to use the correct indexes in order for the app dashboards to work as intended.

Installation and Configuration Overview for the VMAX App for Splunk

As there are no dependencies required for the installation of the VMAX App for
Splunk, the set-up is completed from the Splunk Web UI and, if required,
associated VMAX App macro configuration file.

  1. From your Splunk home screen, click the cog icon beside 'Apps' to navigate to
    the 'Manage Apps' section.

  2. Within the 'Manage Apps' section, click the button 'Install App from file'.

  3. Click 'Choose File', select the VMAX App for Splunk, and click 'Upload'.

  4. (OPTIONAL) If you have configured the VMAX TA for Splunk to index event data
    in an index other than the default index you will need to reconfigure the VMAX
    App macro configuration. Navigate to the installation directory of the VMAX App
    for Splunk which contains all default configuration files:

cd {splunk_dir}/etc/apps/Dell-EMC-app-VMAX/default

Copy macros.conf to the local directory in the App installation directory:

cp macros.conf {splunk_dir}/etc/apps/Dell-EMC-app-VMAX/local

Edit the newly copied macros.conf so that each 'index=' key/value pair
represents the indexes in use in your environment. Each reporting level ingested
by the VMAX TA corresponds to a macro in macros.conf, so you will be able to set
different indexes for array level, host level, or alert level metrics for

definition = index=main sourcetype=dellemc:vmax:rest reporting_level="Array"
definition = index=vmax_array sourcetype=dellemc:vmax:rest reporting_level="Array"

Once all the macros have been updated to reflect the indexes in use, save the
file and return to Splunk UI.

  1. Once the VMAX App is added to Splunk you will be not be prompted to restart
    Splunk to complete the installation, but it is advisable to restart Splunk
    before using the App and also to apply any optional changes made in step 4.
    Navigate to 'Settings > Server Controls', and click 'Restart now'. When Splunk
    restarts, navigate back to the home screen and you will now see a dashboard
    panel for the VMAX App.

VMAX App Usage & Navigation

Navigating throughout the VMAX App is done entirely through the menu featured at
the top of the screen when you open the VMAX App.

By default, the drop-down boxes in each dashboard will feature all the objects
available at that reporting level through the 'ALL' option. You can drill down
further by array ID and more depending on the dashboard you are within.

The default time-range for each dashboard time chart is last 24 hours. This time
can be changed by changing the time settings under 'Time Frame'. It works the
same as all other Splunk time range pickers.

It is important to note that not all panels within each dashboard are set to
represent data from the last 24 hours, most are set to present the most recent
and up to date information to the user. As a rule of thumb, only time charts in
the VMAX App dashboards reflect data from the time range specified in the time
range picker. All other panels, such as tables, single number panels, pie
charts etc., all represent the most-recent information up-to-date from the most
recent VMAX event data. If there is an issue with data collection and the data
is older than 10minutes old some of the panels may display a 'No Results Found'
message. To check this, check your VMAX TA logs to determine if data is still
being collected by the VMAX TA.

Source Type for the VMAX Add-on for Splunk

The VMAX TA provides the index-time and search-time knowledge for inventory,
performance metrics, and summary information. By default, all VMAX data is
indexed into the default Splunk index, this is the ‘main’ index unless changed
by the admin.

The source type used for the Splunk Add-on for VMAX is dellemc:vmax:rest. All
events are in key/value pair formats. All events have an assigned
'reporting_level' which indicates the level at which the event details, along with
the associated VMAX array ID & if reporting at lower levels, the object ID e.g.
Storage Group, Director, Host.

The add-on collects many different kinds of events for VMAX, including
performance, inventory, and summary metrics. Depending on the activity of the
Port Groups & Initiators in your environment, there may be events where there
are no performance metrics collected. This can be confirmed if there is a metric
present in the event named {reporting_level}_perf_details with a value of False
(where reporting_level is the reporting level of the event itself). For more
information see the section ‘Active vs. Inactive Object Performance Reporting’.

Active vs. Inactive Object Performance Reporting

To limit the amount of data collected and stored on a VMAX, only active Port
Groups, Hosts, and Initiators are reported against for performance metrics.
Inactivity is determined by no activity being recorded by performance monitors
for a specified amount of time. The VMAX TA ingests a wide range of metrics
across each of the reporting levels. To get detailed definitions of each of the
performance metrics see the ‘Performance Management’ section of the
‘Unisphere 8.4 Online Help’ guide available on support.emc.com

This is not enforced by Splunk but is the behaviour of the VMAX, recording zero
values for every Port Group, Host, and Initiator in an environment would very
quickly fill databases with useless data.

When the VMAX TA is collecting information on the Port Groups, Hosts, or
Initiators in your environment, it will first obtain a list of all objects for
each reporting level. Using this list, calls will be to Unisphere for
performance metrics for each, if an object is inactive, no performance metrics
will be returned. This inactivity is reflected in the VMAX events through the
key/value pairs below.

{reporting_level}_perf_details: false
{reporting_level}_perf_message: No active {reporting_level} performance data

Troubleshooting the VMAX App for Splunk

The VMAX App for Splunk has been designed in such a way that there is little or
no user interaction required in order to get it running in the environment. The
only use-case for when manual configuration is required is when indexes are used
by the VMAX TA which differ from the default Splunk index (see installation &
configuration section above for more info).

If you are having issues with the macros in your VMAX App, check the indexes
configured for use by each of the VMAX TA data inputs, the indexes specified by
each input should match those used by the VMAX App in the macros.conf
configuration file. If these do match and everything appears to be correct,
restart Splunk to ensure that the changes have been applied and settings are
read from the VMAX App's local directory.

As the VMAX App only takes the data ingested by the VMAX TA and presents it in
dasboards populated with various panels, there is no other VMAX App settings or
areas which could cause issues to appear within the App. If you are facing any
issues in the VMAX App and the macros are configured correctly, the next place
to troubleshoot is in the VMAX TA itself. For information on troubleshooting the
VMAX TA, please see the 'Troubleshooting' section in the VMAX TA user-guide.

Known Issues

-VMAX Alerts
When requesting VMAX alert information from the Unisphere REST API through the
/system/alert endpoints there is no key/value pairs for the array and object ID.
When the event is processed in the VMAX TA, the alert description is parsed and
if an array or object ID is present, it is added before the data is indexed in
Splunk. At present, most information can be parsed from the description but this
does not always work.

An example of not being able to parse the array/object info from an alert is
with array metadata usage. Using the REST API there is no IDs associated with
the alert so unless the user reverts to Unisphere manually there is no way they
can know what array the alert belongs to.

The impact of this in the VMAX TA is that when 'Collect VMAX only metrics' is
enabled, certain alerts which do not have the array/object info in the alert
description will not be ingested into Splunk. This is because this option uses
the array ID key/value pair to determine if it is related to the VMAX ID
specified in the data input.

It must be noted however, that the data for which the alert describes can be
viewed within the various dashboards of the VMAX App for Splunk. For example,
the array metadata usage percentage is featured as a time chart in the VMAX
dashboard. This is because for each of the reporting levels, every possible
piece of information pertaining to each reporting levels' objects is retrieved
from Unisphere.

If 'Collect VMAX only metrics' is left disabled, all system alerts from the
instance of Unisphere specified in the VMAX data input will be ingested into
Splunk. This also means that any system alerts for other arrays which are not
added as data inputs, but present in that instance of Unisphere associated with
the data input are ingested into Splunk.


For any and all issues or queries, please contact vmax.splunk.support@emc.com.
Include as much information as possible about the issue, the Operating System
and Splunk versions, and associated log files listed in the troubleshooting

Release Notes

Version 2.0.1
Jan. 18, 2018

Version 1.0
Feb. 2, 2017

Initial Release

Please note that not all possible REST data endpoints are currently being collected by the VMAX TA. As new endpoints are added to TA, I will update app accordingly.


Subscribe Share

AppInspect Tooling

Splunk AppInspect evaluates Splunk apps against a set of Splunk-defined criteria to assess the validity and security of an app package and components.

Are you a developer?

As a Splunkbase app developer, you will have access to all Splunk development resources and receive a 10GB license to build an app that will help solve use cases for customers all over the world. Splunkbase has 1000+ apps and add-ons from Splunk, our partners and our community. Find an app or add-on for most any data source and user need, or simply create your own with help from our developer portal.

Follow Us:
© 2005-2021 Splunk Inc. All rights reserved.
Splunk®, Splunk>®, Listen to Your Data®, The Engine for Machine Data®, Hunk®, Splunk Cloud™, Splunk Light™, SPL™ and Splunk MINT™ are trademarks and registered trademarks of Splunk Inc. in the United States and other countries. All other brand names, product names, or trademarks belong to their respective owners.