Splunk® Industrial Asset Intelligence (Legacy)

Administer Splunk Industrial Asset Intelligence



Splunk Industrial Asset Intelligence reached its End of Sale on February 24, 2020.

Configure the Kepware IDF for Splunk to send data to Splunk IAI

Kepware's Industrial Data Forwarder (IDF) for Splunk streams real-time data from KEPServerEX into the Splunk platform over TCP. If you have this plug-in, you can use it to send your data to a Splunk forwarder listening on a TCP port, and then apply the Kepware IDF to Metrics Index Add-on for Splunk to prepare your data for use in Splunk Industrial Asset Intelligence.

Prerequisites

  • A KEPServerEX with the Industrial Data Forwarder for Splunk plug-in installed.
  • At least one index configured to store the metrics data you receive from Kepware. If you need to create a new index, see Create metrics indexes in Managing Indexers and Clusters of Indexers in the Splunk Enterprise documentation.
  • A Splunk universal forwarder, installed on the same server as your KEPServerEX and configured to send data to your indexers. See How to forward data to Splunk Enterprise for information on how to deploy the forwarder and configure your indexers to receive data from it.

To complete this procedure, you must be either a Splunk Enterprise administrator or a Splunk Industrial Asset Intelligence (IAI) administrator who has the edit_tcp and edit_sourcetypes capabilities. You must also have permission to search the metrics indexes that your Splunk Enterprise administrator created for the purpose of storing your data from Kepware.

Steps

  1. Install the Kepware IDF to Metrics Index Add-on for Splunk.
  2. Configure a Splunk universal forwarder to collect data from Kepware.
  3. Configure the IDF to send data to your Splunk universal forwarder.
  4. Verify that your data is coming in as expected.

Install the Kepware IDF to Metrics Index Add-on for Splunk

Download the Kepware IDF to Metrics Index Add-on for Splunk from Splunkbase. This add-on applies parsing and index-time transformations to your data to prepare it for use in Splunk IAI.

In a distributed environment, install this add-on on your indexers, on your search heads, and on the universal forwarder that you plan to use to collect your Kepware data.

For step-by-step installation instructions, see Install an add-on in a distributed Splunk Enterprise deployment.

Configure a Splunk universal forwarder to collect data from Kepware

  1. Access the universal forwarder.
  2. Create a new inputs.conf file in %SPLUNK_HOME%\etc\apps\TA-kepware-to-metrics\local.
  3. Write an input stanza using the following template:
    [tcp://localhost:<port on which to receive TCP input from KEPServerEX>]
    index = <the metrics index where you want to store data from Kepware>
    sourcetype = kepware:IDF
    
    If you want to divide data into separate indexes, set up a unique TCP input stanza for each index, each listening on a different port.
  4. Save the file.
  5. Restart the forwarder.
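
A check you can run against the inputs.conf from step 3 before restarting the forwarder, added here as an example (it is not part of the Splunk documentation or the add-on). It reports raw TCP stanzas that reuse a port, have no index, use a sourcetype other than kepware:IDF, or drop the localhost host part of the template, which is what limits the unauthenticated TCP input to senders on the same server. The ports and index names in the sample are constructed placeholders.

```python
import configparser
import re

# Constructed sample (ports and index names are placeholders). The first two
# stanzas follow the template; the third shows the mistakes the lint reports.
SAMPLE_INPUTS_CONF = """\
[tcp://localhost:9901]
index = kepware_line1
sourcetype = kepware:IDF

[tcp://localhost:9902]
index = kepware_line2
sourcetype = kepware:IDF

[tcp://:9902]
sourcetype = kepware
"""

# Matches [tcp://<host>:<port>] and [tcp://<port>] stanza names.
TCP_STANZA = re.compile(r"^tcp://(?:(?P<host>[^:]*):)?(?P<port>\d+)$")


def lint_inputs_conf(text):
    """Return (stanza, problem) tuples for the raw TCP input stanzas in text."""
    parser = configparser.ConfigParser(
        delimiters=("=",), interpolation=None, strict=False)
    parser.optionxform = str  # keep setting names exactly as written
    parser.read_string(text)
    problems, seen_ports = [], {}
    for stanza in parser.sections():
        match = TCP_STANZA.match(stanza)
        if not match:
            continue  # not a raw TCP input
        host, port = match["host"], match["port"]
        if host != "localhost":
            problems.append((stanza, "not restricted to localhost"))
        if port in seen_ports:
            problems.append((stanza, f"port also used by [{seen_ports[port]}]"))
        seen_ports.setdefault(port, stanza)
        if not parser.get(stanza, "index", fallback="").strip():
            problems.append((stanza, "no index set"))
        if parser.get(stanza, "sourcetype", fallback="").strip() != "kepware:IDF":
            problems.append((stanza, "sourcetype is not kepware:IDF"))
    return problems


if __name__ == "__main__":
    for stanza, problem in lint_inputs_conf(SAMPLE_INPUTS_CONF):
        print(f"[{stanza}] {problem}")
```

To check a real file, pass its contents to lint_inputs_conf instead of the sample string.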

Configure the IDF to send data to your Splunk universal forwarder

Configure the Kepware IDF to forward the data you want to send to the TCP port you specified for the input. If you created separate input stanzas to send data to different indexes, create an IDF for Splunk connection for each input stanza, matching the port in the connection to the port that you configured in the input stanza.

For instructions on how to configure Kepware IDF, go to the Kepware website and search for "Industrial Data Forwarder for Splunk manual".

Verify that your data is coming in as expected

To test that data ingestion is working, go to your search head and run this search:

| mstats avg(_value) as Value WHERE index=<Your Index> metric_name=* by metric_name asset

If you do not see data, check that the following are true:

  • Your user has permission to search the index you specified for your data from Kepware.
  • You restarted your universal forwarder after you created the TCP input.
  • You correctly configured forwarding and receiving between your universal forwarder and indexers.

Last modified on 04 April, 2022

This documentation applies to the following versions of Splunk® Industrial Asset Intelligence (Legacy): 1.1.0, 1.1.1, 1.2.1, 1.2.2, 1.3.0

