Splunk® Industrial Asset Intelligence (Legacy)

Administer Splunk Industrial Asset Intelligence

Splunk Industrial Asset Intelligence reached its End of Sale on February 24, 2020.

Configure the Kepware IoT Gateway for Splunk to send data to Splunk IAI

The IoT Gateway for KEPServerEX plug-in provides agents to stream real-time data over HTTP to Splunk Industrial Asset Intelligence (IAI). If you have this plug-in, you can use it to format your data for use in Splunk IAI and send it to a Splunk heavy forwarder that is set up to receive HTTP streaming input.


Prerequisites

  • A KEPServerEX with the IoT Gateway plug-in installed.
  • At least one index configured to store the metrics data you receive from Kepware. If you need to create a new index, see Create metrics indexes in Managing Indexers and Clusters of Indexers in the Splunk Enterprise documentation.
  • A Splunk Enterprise instance configured as a heavy forwarder that sends data to your indexers. For instructions on configuring a heavy forwarder, see Deploy a heavy forwarder in the Splunk Enterprise Forwarding Data manual.

To complete this procedure, you must either be a Splunk Enterprise administrator or you must have the edit_token_http and edit_sourcetypes capabilities and have permission to search the metrics indexes that your Splunk Enterprise administrator created for the purpose of storing your data from Kepware.


Steps

  1. Configure a Splunk heavy forwarder to collect data from Kepware.
  2. Configure the Kepware IoT Gateway to format and stream data to your Splunk heavy forwarder.
  3. Verify that your data is coming in as expected.

Configure a Splunk heavy forwarder to collect data from Kepware

  1. On your heavy forwarder, go to Settings > Data inputs.
  2. Click HTTP Event Collector, and then click Global Settings.
  3. Next to All Tokens, click Enabled, and then click Save.
  4. Click New Token.
  5. Enter a Name for your HTTP input, and then click Next.
  6. On the Input Settings page, click New next to Source type to enter a new source type for your data from Kepware.
  7. For Source Type Category, select Metrics.
  8. Next to Select Allowed Indexes, click the name of a metrics index where you want to store your data from the IoT Gateway for KEPServerEX.
  9. Click Review, and then click Submit.
  10. Save the token that Splunk Web provides. You need this token when you configure IoT Gateway for KEPServerEX.
  11. If you want to split the data that you collect into separate indexes, repeat these steps to create multiple tokens, each configured to send data to a separate index.

Configure the Kepware IoT Gateway to format and stream data to your Splunk heavy forwarder

Configure an agent in the Kepware IoT Gateway to publish data to the HTTP event collector on your Splunk heavy forwarder. For instructions on configuring an agent, go to the Kepware website and search for "IoT Gateway manual."

When prompted during the configuration, enter the following information:

Field in Kepware IoT Gateway    Value
Agent Type                      REST Client
URL                             http://<IP address of your Splunk heavy forwarder>:8088/services/collector
Header                          Authorization: Splunk <HTTP event collector token>
Message Format                  Advanced Template
Template                        [|#each VALUES|{"time": |TIMESTAMP|,"event":"metric","source":"iot_gateway","host":"kepware","fields":{"_value":|VALUE|,"metric_name":"|TAGNAME|"}}|#unless @last|,|/unless||/each|]

Use a URL scheme that matches the Enable SSL setting under Global Settings for the HTTP Event Collector. Over http, the token in the Header field is sent unencrypted.

In the Template field, do not include any spaces or line breaks.

If you want to send data to multiple indexes, configure one agent for each index to which you want to send data, matching the token in the agent Header field to the token that you configured for each HTTP event collector input.

Verify that your data is coming in as expected

To test that data ingestion is working, go to your search head and run this search:

| mstats avg(_value) as Value WHERE index=<Your Index> metric_name=* by metric_name asset

If you do not see data, check that the following are true:

  • There are no errors in the Kepware event logs regarding your IoT Gateway agent configuration.
  • Your Template field contains no spaces or line breaks.
  • Your user has permission to search the index you specified for your data from Kepware.
  • You have correctly configured forwarding and receiving between your heavy forwarder and indexers.
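
When the checklist above does not explain missing data, it helps to inspect a request body that the agent actually produced. The following is an added example, not part of the Splunk or Kepware documentation: it checks a rendered body against the shape the template in this topic is meant to produce. The function names and the sample bodies are constructed for illustration.

```python
import json
import math

# Constructed sample bodies, shaped like the output of the Advanced Template.
GOOD = ('[{"time":1540800000,"event":"metric","source":"iot_gateway","host":"kepware",'
        '"fields":{"_value":71.5,"metric_name":"Channel1.Device1.Temp"}},'
        '{"time":1540800000,"event":"metric","source":"iot_gateway","host":"kepware",'
        '"fields":{"_value":3,"metric_name":"Channel1.Device1.Count"}}]')
BOOL_VALUE = GOOD.replace("71.5", "true")       # non-numeric value: valid JSON, not a metric
TRAILING_COMMA = GOOD[:-1] + ",]"               # separator emitted after the last value

def _is_number(v):
    if isinstance(v, bool):                     # bool is an int subclass in Python
        return False
    return isinstance(v, int) or (isinstance(v, float) and math.isfinite(v))

def check_body(body):
    """Return a list of problems found in one rendered request body."""
    try:
        events = json.loads(body)
    except ValueError as exc:                   # json.JSONDecodeError subclasses ValueError
        return ["not valid JSON: %s" % exc]
    if not isinstance(events, list):
        return ["top level is not a JSON array"]
    problems = []
    for i, ev in enumerate(events):
        if not isinstance(ev, dict):
            problems.append("event %d: not a JSON object" % i)
            continue
        if ev.get("event") != "metric":
            problems.append("event %d: 'event' is not \"metric\"" % i)
        if not _is_number(ev.get("time")):
            problems.append("event %d: 'time' is not a number" % i)
        fields = ev.get("fields")
        if not isinstance(fields, dict):
            problems.append("event %d: 'fields' is missing" % i)
            continue
        if not _is_number(fields.get("_value")):
            problems.append("event %d: '_value' is not numeric" % i)
        name = fields.get("metric_name")
        if not isinstance(name, str) or not name:
            problems.append("event %d: 'metric_name' is empty or missing" % i)
    return problems

if __name__ == "__main__":
    for label, body in (("good", GOOD), ("bool", BOOL_VALUE), ("comma", TRAILING_COMMA)):
        print(label, check_body(body) or "ok")
```

Only the request body is needed for this check, so the HTTP event collector token can be left out of any sample you save.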
Last modified on 29 October, 2018

This documentation applies to the following versions of Splunk® Industrial Asset Intelligence (Legacy): 1.1.0, 1.1.1, 1.2.1, 1.2.2, 1.3.0
