Basic Splunk configuration for OMEGAMON Data Provider

To ingest JSON Lines from OMEGAMON® Data Connect into Splunk, you need to define a Splunk source type that breaks each input line into a separate event, identifies the data format as JSON, and recognizes timestamps. To ingest the data over TCP, you need to define a Splunk TCP input that refers to that source type.

The following Splunk configuration stanzas define a minimal basic configuration for ingesting JSON Lines over TCP from OMEGAMON Data Connect: one stanza in props.conf, and one in inputs.conf.

Depending on your own site practices, you might perform additional configuration, such as assigning different source types, routing events to different indexes, or using secure TCP (TLS).

Location of Splunk configuration stanzas

This OMEGAMON Data Provider documentation refers to Splunk configuration (.conf) file names, but not directory paths. It is your decision where to store the Splunk configuration stanzas for OMEGAMON Data Provider.

For example, you might choose to create a Splunk application directory named your-organization-omegamon specifically for OMEGAMON Data Provider, and save the configuration files there:

$SPLUNK_HOME/etc/apps/your-organization-omegamon/local/*.conf

props.conf

The following stanza in props.conf defines the properties of an omegamon source type:

[omegamon]
SHOULD_LINEMERGE = false
KV_MODE = json
TIME_PREFIX = \"write_time\":\"
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N%:z

The combination of SHOULD_LINEMERGE = false and KV_MODE = json defines the incoming data as JSON Lines: one event per line, data in JSON format. These two settings apply to different stages in the Splunk data pipeline: SHOULD_LINEMERGE applies to parsing, before indexing; KV_MODE applies later, to search-time field extraction.

The regular expression for TIME_PREFIX is case sensitive; it matches the lowercase field name write_time, which is the field name for event timestamps in JSON from OMEGAMON Data Connect.

The value of TIME_FORMAT matches the format of timestamps in JSON from OMEGAMON Data Connect: the ISO 8601 extended-format combined date and time-of-day representation, with fractional seconds and a zone designator (UTC offset).

inputs.conf

The following stanza in inputs.conf defines an unencrypted (non-TLS) TCP input that listens on port 5046, assigns the source type omegamon to all incoming events, and stores the events in the default index (typically, main):

[tcp://:5046]
sourcetype = omegamon

The port number and source type shown here are examples only. The actual values are your choice.
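As an added illustration (not part of the OMEGAMON Data Provider documentation or the product itself), the following Python script checks constructed JSON Lines records against the three props.conf expectations above: one object per line (SHOULD_LINEMERGE = false), valid JSON (KV_MODE = json), and a write_time value that the TIME_PREFIX regular expression finds and the TIME_FORMAT pattern parses. It then frames records as newline-terminated bytes in the form the [tcp://:5046] input expects. The sample records, the field names other than write_time, and the host and port defaults are assumptions; Python's strptime directives %f and %z stand in for Splunk's %6N and %:z.

```python
"""Pre-flight checks for JSON Lines destined for the Splunk 'omegamon' source type.

Added example, not part of the OMEGAMON Data Provider documentation or product.
All sample records below are constructed; only the write_time field name and
the props.conf settings come from the documentation.
"""
import json
import re
import socket
from datetime import datetime

# Same regular expression as TIME_PREFIX in props.conf (case sensitive, and
# no whitespace allowed between the colon and the opening quote of the value).
TIME_PREFIX = re.compile(r'\"write_time\":\"')

# Python strptime equivalent of TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N%:z
# (%f covers the microseconds, %z accepts the +hh:mm zone designator).
PY_TIME_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"


def check_line(line: str) -> dict:
    """Report whether one record will be handled as the omegamon source type intends."""
    report = {"json": False, "single_line": False, "timestamp": None, "problems": []}

    # SHOULD_LINEMERGE = false: Splunk starts a new event at every line break,
    # so a record containing one would arrive as two fragments.
    body = line.rstrip("\r\n")
    if "\n" in body or "\r" in body:
        report["problems"].append("embedded line break would split the event")
    else:
        report["single_line"] = True

    # KV_MODE = json: search-time extraction needs the whole event to be one JSON object.
    try:
        obj = json.loads(body)
    except json.JSONDecodeError as exc:
        report["problems"].append(f"invalid JSON: {exc.msg}")
        return report
    if not isinstance(obj, dict):
        report["problems"].append("top-level JSON value is not an object")
        return report
    report["json"] = True

    # TIME_PREFIX: the literal "write_time":" must occur in the raw event text.
    match = TIME_PREFIX.search(body)
    if match is None:
        report["problems"].append('no "write_time" prefix found (field name is case sensitive)')
        return report

    # TIME_FORMAT: parse the characters after the prefix up to the closing quote.
    raw_ts = body[match.end():].split('"', 1)[0]
    try:
        report["timestamp"] = datetime.strptime(raw_ts, PY_TIME_FORMAT)
    except ValueError:
        report["problems"].append(f"write_time {raw_ts!r} does not match TIME_FORMAT")
    return report


def to_tcp_payload(records: list) -> bytes:
    """Serialize records as JSON Lines: compact JSON, one object per line, newline-terminated.

    Compact separators matter: json.dumps' default '": "' puts a space after the
    colon, and TIME_PREFIX would then no longer match the write_time value.
    """
    lines = [json.dumps(r, separators=(",", ":"), ensure_ascii=False) for r in records]
    return ("\n".join(lines) + "\n").encode("utf-8")


def send_to_splunk(payload: bytes, host: str = "127.0.0.1", port: int = 5046) -> int:
    """Write the payload to the Splunk TCP input; host and port are assumptions."""
    with socket.create_connection((host, port), timeout=10) as conn:
        conn.sendall(payload)
    return len(payload)


# Constructed sample records: one correct, one with the field name in the wrong
# case, one whose timestamp lacks the fractional seconds TIME_FORMAT requires.
SAMPLE_LINES = [
    '{"write_time":"2024-05-01T12:34:56.123456+00:00","product":"OMEGAMON","cpu_pct":12.5}',
    '{"WRITE_TIME":"2024-05-01T12:34:56.123456+00:00","product":"OMEGAMON"}',
    '{"write_time":"2024-05-01T12:34:56+00:00","product":"OMEGAMON"}',
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(check_line(sample))
    # send_to_splunk(to_tcp_payload([json.loads(SAMPLE_LINES[0])]))  # needs a live TCP input
```

Run the checks against a sample of real Data Connect output before pointing it at the TCP input; a record that fails the TIME_PREFIX or TIME_FORMAT check is still indexed, but Splunk falls back to its generic timestamp detection for it, which is harder to notice after the fact than a rejected record.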

If you have a file of JSON Lines from OMEGAMON Data Connect, then you don't need to define a TCP input. Instead, you can use the Splunk Web Add Data > Upload option to ingest the file directly from your computer. If you use that technique, remember to select the omegamon source type, so that Splunk correctly interprets the file contents.

Tip: In the Source type dropdown list on the Set Source Type page, the omegamon source type will appear under the heading Uncategorized.