Configure the Kepware IoT Gateway for Splunk to send data to Splunk IAI
The IoT Gateway for KEPServerEX plug-in provides agents to stream real-time data over HTTP to Splunk Industrial Asset Intelligence (IAI). If you have this plug-in, you can use it to format your data for use in Splunk IAI and send it to a Splunk heavy forwarder that is set up to receive HTTP streaming input.
Prerequisites
- A KEPServerEX with the IoT Gateway plug-in installed.
- At least one index configured to store the metrics data you receive from Kepware. If you need to create a new index, see Create metrics indexes in Managing Indexers and Clusters of Indexers in the Splunk Enterprise documentation.
- A Splunk Enterprise instance configured as a heavy forwarder that sends data to your indexers. For instructions on configuring a heavy forwarder, see Deploy a heavy forwarder in the Splunk Enterprise Forwarding Data manual.
To complete this procedure, you must either be a Splunk Enterprise administrator or you must have the edit_token_http
and edit_sourcetypes
capabilities and have permission to search the metrics indexes that your Splunk Enterprise administrator created for the purpose of storing your data from Kepware.
Steps
- Configure a Splunk heavy forwarder to collect data from Kepware.
- Configure the Kepware IoT Gateway to format and stream data to your Splunk heavy forwarder.
- Verify that your data is coming in as expected.
Configure a Splunk heavy forwarder to collect data from Kepware
- On your heavy forwarder, go to Settings > Data inputs.
- Click HTTP Event Collector, and then click Global Settings.
- Next to All Tokens, click Enabled, and then click Save.
- Click New Token.
- Enter a Name for your HTTP input, and then click Next.
- On the Input Settings page, click New next to Source type to enter a new source type for your data from Kepware.
- For Source Type Category, select Metrics.
- Next to Select Allowed Indexes, click the name of a metrics index where you want to store your data from the IoT Gateway for KEPServerEX.
- Click Review, and then click Submit.
- Save the token that Splunk Web provides. You need this token when you configure IoT Gateway for KEPServerEX.
- If you want to split the data that you collect into separate indexes, repeat these steps to create multiple tokens, each configured to send data to a separate index.
Configure the Kepware IoT Gateway to format and stream data to your Splunk heavy forwarder
Configure an agent in the Kepware IoT Gateway to publish data to the HTTP event collector on your Splunk heavy forwarder. For instructions on configuring an agent, go to the Kepware website and search for "IoT Gateway manual."
When prompted during the configuration, enter the following information:
Field in Kepware IoT Gateway | Value |
---|---|
Agent Type | REST Client |
URL | http://<IP address of your Splunk heavy forwarder>:8088/services/collector
|
Header | Authorization: Splunk <HTTP event collector token>
|
Message Format | Advanced Template |
Template | [|#each VALUES|{"time": TIMESTAMP|,"event":"metric","source":"iot_gateway","host":"kepware","fields":{"_value":|VALUE|,"metric_name":"|TAGNAME|"}}|#unless @last|,|/unless||/each|] |
In the Template field, do not include any spaces or line breaks.
If you want to send data to multiple indexes, configure one agent for each index to which you want to send data, matching the token in the agent Header field to the token that you configured for each HTTP event collector input.
Verify that your data is coming in as expected
To test that data ingestion is working, go to your search head and run this search:
| mstats avg(_value) as Value WHERE index=<Your Index> metric_name=* by metric_name asset
If you do not see data, check that the following are true:
- There are no errors in the Kepware event logs regarding your IoT Gateway agent configuration.
- Your Template field contains no spaces or line breaks.
- Your user has permission to search the index you specified for your data from Kepware.
- You have correctly configured forwarding and receiving between your heavy forwarder and indexers.
Configure the Kepware IDF for Splunk to send data to Splunk IAI | Advanced methods for getting data in to Splunk IAI |
This documentation applies to the following versions of Splunk® Industrial Asset Intelligence (Legacy): 1.1.0, 1.1.1, 1.2.1, 1.2.2, 1.3.0
Feedback submitted, thanks!