Splunk with Indigo

I've been messing around using splunk Free with Indigo. splunk (http://splunk.com) provides the ability to index any kind of machine data. A friend who works there turned me on to using it and it's been a revelation as far as quickly creating alerts or visualizations for just about anything.

With Indigo, I started with the idea that I'd have my splunk instance read the sqlite database. There is (I believe) a commercial plugin that allows you to read databases but that didn't sound immediately appealing. splunk can run shell scripts, and I think that's probably a good way to have the Indigo data dumped into the splunk index. I am likely to start heading that direction, but for now I just have splunk index my Indigo Event Logs.

So, what can one do once this is set up? Without any extractions (splunk would allow me to extract preconfigured fields), I can run a simple regex on a search like this:

Code: Select all

source="/Library/Application Support/Perceptive Automation/Indigo 6/Logs/indigo_log.txt" Garage Entry Temperature | rex field=_raw ".*to +(?<temp>[0-9]+.[0-9])" | eval ftemp=9*temp/5+32 | timechart span=10m values(ftemp)

This takes my Fibaro Motion Sensor temperature reports, extracts the temperature using regex, converts it to fahrenheit, and runs a timechart with 10 minute buckets.

temp_chart.png (159.81 KiB) Viewed 5503 times

I can also do something like:

Code: Select all

source="/Library/Application Support/Perceptive Automation/Indigo 6/Logs/indigo_log.txt" Garage Entry Motion on | timechart span=1h count

In this case, using the selection tools in splunk, I've just shown the last 24 hours. I can also create histograms to show when things happen the most - doors opening, motion, or whatever event is interesting.

motion_count.png (237.5 KiB) Viewed 5503 times

The other nice thing about using splunk is that you can quickly put together other views. For fun, I went ahead and combined three sets into one visualization, as seen here.

Combo.png (149.42 KiB) Viewed 5460 times

Looking at the splunk website, it wasn't obvious how to get the free version of splunk, so I figured I'd link it here. http://docs.splunk.com/Documentation/Splunk/6.2.3/Admin/MoreaboutSplunkFree

Thanks for the heads-up on this and also the link - it looks very interesting

Hey, I've worked at Splunk for many years and have been using it for all sorts of things (see http://blogs.splunk.com/2013/10/22/go-splunk-yourself/)
I've been feeding it Indigo logs for quite awhile now and doing some fun stuff with it. Glad to see others are too!



As markf424 pointed out there is a free version of splunk that you can run on your own machine. Unless you have a crazy house, it's probably more than enough since it'll handle 500megs of logs a day. I also happen to work on the Splunk Cloud team, which can give you a free trial of both Splunk and the newer Splunk Light: https://www.splunk.com/cloud

Here's some of my searches:

Graph of Temp, Humidity, Lux from a Aeotec Multisensor (in screenshot above)

Code: Select all

index=house location="Maya's Room" sensor update
  | rex field=_raw "sensor update to (?<temp>.*) °F"
  | rex field=_raw "sensor update to (?<humidity>.*)%"
  | rex field=_raw "sensor update to (?<lux>.*) lux"
  | eval lux=lux/10
  | timechart avg(temp) as Temp avg(humidity) as Humidity avg(lux) as Lux/10 span=11m


Battery Levels (in screenshot above)

Code: Select all

index=house eventtype=BatteryLevel
  | rex field=interface "\"(?<device>.+([a-zA-z]+))\""
  |search device!=""
  | timechart span=1d avg(battery_level) by device


How many hours was the Bedroom light on?

Code: Select all

index=house device="Bedroom Light"
| transaction startswith=on endswith=off maxspan=24h
| timechart eval(avg(duration)/60/60) as "Hours Lights On"


I have all my logs going into a dedicated "house" index. it's a bit faster than searching by source since I have other data in my Splunk.
I also stick to a standard naming convention for sensor devices to make field extraction easier:
(SensorType) Location
ex. "(Motion) Living Room", (Humidity) Bathroom", etc.
FWIW, here are my field extractions for the other Splunk users:

Example log lines:

Code: Select all

2015-09-24 20:47:09.895   Z-Wave   received "(Lux) Downstairs Bathroom" sensor update to 2 lux
2015-09-24 20:47:09.897   Z-Wave   received "(Humidity) Downstairs Bathroom" sensor update to 51%
2015-09-24 20:47:09.914   Z-Wave   received "(Temp) Downstairs Bathroom" sensor update to 74.5 °F
2015-09-24 20:47:09.950   Z-Wave   received "(Lux) Living Room" sensor update to 50 lux
2015-09-24 20:47:20.998   Z-Wave   received "(Lux) Bedroom" sensor update to 472 lux
2015-09-24 20:47:21.031   Z-Wave   received "(Humidity) Bedroom" sensor update to 41%
2015-09-24 20:47:21.067   Z-Wave   received "(Temp) Bedroom" sensor update to 75.7 °F
2015-09-24 20:47:24.293   Z-Wave   received "(Temp) Server Closet" sensor update to 84.2 °F


Code: Select all

host::house : EXTRACT-device   Inline   (?i)^(?:[^\t]*\t){2}"(?P<device>[^"]+)   
host::house : EXTRACT-device_state   Inline   (?i) .*?" (?P<device_state>(on|off)).*   
host::house : EXTRACT-indigo_event   Inline   (?i)^[^\t]*\t(?P<indigo_event>[^\t]+)   
host::house : EXTRACT-interface   Inline   (?i)\tReceived (?P<interface>[^\t]+)   
indigo : EXTRACT-battery_level   Inline   (?i) battery level (?P<battery_level>[^%]+)   
indigo : EXTRACT-device   Inline   (?i)^[^"]*"(?P<FIELDNAME>[^"]+)   
indigo : EXTRACT-location   Inline   (?i)^[^\)]*\)\s+(?P<location>[^"]+)   
indigo : EXTRACT-reading   Inline   (?i) to (?P<reading>[^ ]+)   
indigo : EXTRACT-sensor_type   Inline   (?i)\.*? "\((?P<sensor_type>\w+)(?=\))   


I'm always more than happy to chat about Splunk and love to see what people do with it!

why don't you use the indigo sql database where all the data is available in a structured way?

Karl

Use it for reporting rather than Splunk or use it as an input other than log files for Splunk?

For reporting: Splunk lets me correlate with all sorts of other data sources and makes it easy to generate reports on the fly without writing code. Also I'm biased.
Using sqlite as an input: I should give this a try. Haven't played much with Splunk + database inputs. Usually just dealing with good old fashioned log files.

As input for plots. Not all info is in the log files


Sent from my iPhone using Tapatalk

why don't you use the indigo sql database where all the data is available in a structured way?

If you're not already running some kind of front end to sqlite, you'd have to build it. You can take sqlite as input to Splunk via DB Connect, but it's a paid add-on, so I haven't bothered.

Mostly I like Splunk because it's really quick, and it's also a great way to view/index the log files. There's not a good log viewer for Indigo, so it's a good way to quickly search through historical logs.

Hello edrabbit,

Can you explain a little more detail how I get the values into Splunk, I have installed the program on your PC where I have my indingo server, and I was able to log into Splunk, but how do I get the values ???

// Jens

Can you explain a little more detail how I get the values into Splunk, I have installed the program on your PC where I have my indingo server, and I was able to log into Splunk, but how do I get the values ???

Easy start:

Settings, Data Inputs, under Local Inputs, select "Files and Directories".
New
For file and directory, select the directory /Library/Application Support/Perceptive Automation/Logs/
Source Type can be manual, name it "indigo".

Then, go to Search and Reporting and just enter "sourcetype=indigo". You'll see your logs there.

From there, you can play around with searches and visualizations, make alerts from the search results, and save the visualizations to Dashboards. It'll take a bit of learning, but this should get you going. edrabbit may have some better suggestions.

Sorry, wasn't logged in. That was me ^^^

Thanks start to try...

//Jens

I'm always more than happy to chat about Splunk and love to see what people do with it!

Are you happy to help those that can't get it to run for more than 5 minutes without it crashing