Splunk

Integrate Thingsee IoT data with Splunk for analytics and monitoring

Splunk is a powerful platform for searching, monitoring, and analyzing machine-generated data. Integrating Thingsee with Splunk enables advanced analytics on your IoT sensor data.

Overview

%%{init: {'theme':'base','themeVariables':{'primaryColor':'#73F9C1','primaryTextColor':'#143633','primaryBorderColor':'#143633','lineColor':'#143633','secondaryColor':'#C7FDE6','tertiaryColor':'#F6FAFA','clusterBkg':'#F6FAFA','clusterBorder':'#143633'}}}%%
flowchart TB
    subgraph SplunkPlatform["Splunk"]
        DASH[Dashboards]
        ALERT[Alerts]
        REPORT[Reports]
        S[Splunk]
    end
    
    T[Thingsee Cloud]
    
    T -->|HTTP Event Collector| S
    S --> DASH & ALERT & REPORT

Setup

1. Configure HTTP Event Collector (HEC)

In Splunk:

Go to Settings → Data Inputs → HTTP Event Collector
Click New Token
Configure token settings:
- Name: thingsee-iot
- Source Type: _json
Note your HEC endpoint and token

2. Request Integration

Contact Haltian with:

HEC endpoint URL
HEC token
Any custom requirements

Source Type

Set Source Type to _json so incoming Thingsee Messages (JSON data) are parsed correctly.

Querying Data

Search by Message Properties

Use Splunk Search Processing Language (SPL) to query Thingsee data:

Find devices with low battery:

index=thingsee tsmId=1110 batl<50
| table tsmTuid, batl, _time
| sort -_time

Find devices connected to a specific gateway:

index=thingsee tsmGw="TSGW01ABC123456" batl<50
| stats count by tsmTuid

Visualization Examples

Battery level histogram:

index=thingsee tsmId=1110
| stats latest(batl) as battery by tsmTuid
| bin battery span=10
| stats count by battery

Temperature trends:

index=thingsee tsmId=12100
| timechart avg(temp) by tsmTuid

Dashboard Examples

Fleet Health Dashboard

Create a dashboard showing:

Total devices online
Devices with low battery
Message rates over time
Connectivity status

Environment Monitoring

Track environmental conditions:

Temperature and humidity trends
CO₂ levels in meeting rooms
Air quality alerts

Alerts

Set up alerts for critical conditions:

Low Battery Alert:

index=thingsee tsmId=1110 batl<20
| stats count by tsmTuid
| where count > 0

No Data Alert:

index=thingsee
| stats latest(_time) as last_seen by tsmTuid
| eval hours_since = (now() - last_seen) / 3600
| where hours_since > 24

Data Format

Thingsee messages arrive with all properties at the root level:

{
  "tsmId": 12100,
  "tsmEv": 10,
  "tsmTs": 1520416221,
  "tsmTuid": "TSPR04E2O90201558",
  "tsmGw": "TSGW01ABC123456",
  "temp": 21.3,
  "humd": 45.2,
  "airp": 101364.5
}

This allows direct field access in SPL queries.

Best Practices

Index separation - Consider a dedicated index for IoT data
Field extraction - Splunk auto-extracts JSON fields with _json source type
Retention - Plan data retention based on compliance and storage needs
Acceleration - Use data model acceleration for frequently-queried fields
Alerting - Set up proactive alerts for device health