- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Output SmartThings Logs to HTTP Event Collector
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So I've been working on modifying this code here
https://github.com/TheFuzz4/SmartThingsSplunkLogger/blob/master/splunklogger.groovy
I want it to send the json objects off to Splunk. This is for smartthings.
I finally got it to hit my splunk server but now I'm getting a 400 error when it hits the splunk server.
Here is a sample of the data that its sending to splunk
2:20:45 PM: debug [uri:http://mysplunkserver:8088/services/collector/event, headers:[Authorization:Splunk mysplunktoken], body:{"date":"Sat Feb 13 21:20:44 UTC 2016","name":"power","displayName":"Home Energy","device":"Home Energy","deviceId":"31ea905e-28d3-4779-a8b1-82bcd528c520","value":"2233","isStateChange":"true","id":"a4b491a0-d297-11e5-897c-22000bb6c3f8","description":"zw device: 0F, command: 3202, payload: 21 74 00 22 11 C0 00 00 00 00 00 00","descriptionText":"Total Power: 2233 Watts","installedSmartAppId":"null","isoDate":"2016-02-13T21:20:44.892Z","isDigital":"false","isPhysical":"false","location":"Home","locationId":"846d6e0a-dcc0-44e8-a09b-bac269bfa6c1","unit":"W","source":"DEVICE"}]
The original code was written for logstash so I've been working on it to get it modified for splunk but I'm not sure if the json just isn't being formatted correctly for splunk. Thank you all in advance for your help and once we can get this working properly it will make a lot of SmartThings users very happy.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @thefuzz4
First off, thanks for using HEC!
Looking at the example above, it does not appear to be in the proper format for our JSON Event protocol.
The format requires you to have a JSON envelope which contains within it an "event" field with the value being your payload. You should also include a epoch timestamp as HEC doesn't do timestamp extraction from the JSON. So looking at your example the JSON payload below in the curl I provided should work (assuming HEC is enabled). I tested this and it worked against my HEC instance.
curl -k https://localhost:8088/services/collector -H 'Authorization: Splunk 16229CD8-BB6B-449E-BA84-86F9232AC3BC' -d '
{"event":{"date":"Sat Feb 13 21:20:44 UTC 2016","name":"power","displayName":"Home Energy","device":"Home Energy","deviceId":"31ea905e-28d3-4779-a8b1-82bcd528c520","value":"2233","isStateChange":"true","id":"a4b491a0-d297-11e5-897c-22000bb6c3f8","description":"zw device: 0F, command: 3202, payload: 21 74 00 22 11 C0 00 00 00 00 00 00","descriptionText":"Total Power: 2233 Watts","installedSmartAppId":"null","isoDate":"2016-02-13T21:20:44.892Z","isDigital":"false","isPhysical":"false","location":"Home","locationId":"846d6e0a-dcc0-44e8-a09b-bac269bfa6c1","unit":"W","source":"DEVICE"},"time":1455398444892}'
Main difference above is that I've enclosed your event in "event". I've removed the extra brace at the end (as that made the JSON invalid), and I've added an epoch time stamp which I got by converting the isoDate field above.
Let me know if this works for you.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the answer on this. Now I'm just having fun trying to get the code to do what is needed. Only problem is I'm no developer lol so I'm doing my best with troubleshooting this and trying to see what the issue is. Any tips on how to tell groovy how to format the date like you suggest?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am not a groovy expert either 🙂
You should be able to use DateFormat.parse() to parse your date. That will return a Date object which you can then call the getTime() method on to return the Epoch time. If calling this returns a 10 digit number you are good to use that. If it is returning a 13 digit number, then divide by 1000. I haven't tested the getTime method, so I am not sure what it will return. For example JavaScript dates return a digit number.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I actually found out that SmartThings allows you to use the variable of now() but something in groovy doesn't like it. So I will need to figure that out. The good news is though that while I may not be passing in the time variable it is logging right now so I'll call it a night with this success :). Thank you @gblock very much for your help with this I greatly appreciate it.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@thefuzz4 good!
Yes, if you don't pass time in the payload, then we will assign a timestamp at the time we receive it. This is not ideal though as depending on if the indexer gets bogged down, this might lag from the time the event was actually generated on. Your timestamp "date" is still present for searching but that won't be the index time. So hopefully you can get the epoch time.
Good luck!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @thefuzz4
First off, thanks for using HEC!
Looking at the example above, it does not appear to be in the proper format for our JSON Event protocol.
The format requires you to have a JSON envelope which contains within it an "event" field with the value being your payload. You should also include a epoch timestamp as HEC doesn't do timestamp extraction from the JSON. So looking at your example the JSON payload below in the curl I provided should work (assuming HEC is enabled). I tested this and it worked against my HEC instance.
curl -k https://localhost:8088/services/collector -H 'Authorization: Splunk 16229CD8-BB6B-449E-BA84-86F9232AC3BC' -d '
{"event":{"date":"Sat Feb 13 21:20:44 UTC 2016","name":"power","displayName":"Home Energy","device":"Home Energy","deviceId":"31ea905e-28d3-4779-a8b1-82bcd528c520","value":"2233","isStateChange":"true","id":"a4b491a0-d297-11e5-897c-22000bb6c3f8","description":"zw device: 0F, command: 3202, payload: 21 74 00 22 11 C0 00 00 00 00 00 00","descriptionText":"Total Power: 2233 Watts","installedSmartAppId":"null","isoDate":"2016-02-13T21:20:44.892Z","isDigital":"false","isPhysical":"false","location":"Home","locationId":"846d6e0a-dcc0-44e8-a09b-bac269bfa6c1","unit":"W","source":"DEVICE"},"time":1455398444892}'
Main difference above is that I've enclosed your event in "event". I've removed the extra brace at the end (as that made the JSON invalid), and I've added an epoch time stamp which I got by converting the isoDate field above.
Let me know if this works for you.
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
Routing logs with Splunk OTel Collector for Kubernetes
