Connecting Plex and Splunk

I use Plex (https://www.plex.tv/) to be able to play videos at home. Different family members have their own accounts on Plex. I was interested in the viewing habits of the people using my Plex server. If you put Plex in debug mode you can get a lot of logs but I wanted a better way.

I found PlexWatch (https://github.com/ljunkie/plexWatch) on Github. PlexWatch is listed as “Notify and Log watched content on a Plex Media Server”. What made me interested in this project is that you could extend it to connect to external providers (Twitter, Boxcar, Prowl, …). I was hoping I could use this to connect to Splunk’s HEC (HTTP Event Collector).

I was able to also find a Splunk HEC library for Perl on Github. The project is called “Perl Client for Splunk HTTP Event Collector” and at https://github.com/eforbus/perl-splunk-hec.

Requirements:
1. Command line access to a Plex server
2. Splunk instance with HEC enabled
3. Perl installed or ability to have it installed


Below is the step by step I created to connect PlexWatch with Splunk via the HEC. This was done on a CentOS 7 server.

1. Enable the EPEL Release Repo

sudo yum -y –enablerepo=extras install epel-release

2. Add the dependancies

sudo yum -y install perl\(LWP::UserAgent\) perl\(XML::Simple\) perl\(Pod::Usage\) perl\(JSON\) perl\(DBI\) perl-Time-Duration perl-Time-ParseDate perl-DBD-SQLite perl-LWP-Protocol-https perl-Crypt-SSLeay perl-File-ReadBackwards perl-JSON-XS

3. Create the directory for PlexWatch

sudo mkdir /opt/plexWatch/

4. Download the PlexWatch components

sudo wget -P /opt/plexWatch/ https://raw.github.com/ljunkie/plexWatch/master/plexWatch.pl

sudo wget -P /opt/plexWatch/ https://raw.github.com/ljunkie/plexWatch/master/config.pl-dist

3. Create the directory for PlexWatch

sudo mkdir /opt/plexWatch/

5. Set the permissions for the folder and script

sudo chmod 777 /opt/plexWatch && sudo chmod 755 /opt/plexWatch/plexWatch.pl

6. Copy the configuration file from the default to the one used by the script

sudo cp /opt/plexWatch/config.pl-dist /opt/plexWatch/config.pl

7. Edit the configuration file. In the examples I show will be using VIM but in the walk through I show VI. Nano can also be used.

sudo vi /opt/plexWatch/config.pl

7a. Change the $log_client_ip to equal 1 and set the $myPlex_user and $myPlex_pass variables. The $myPlex_user and $myPlex_pass are the credentials to log in to plex.tv.

config.pl section for external ip address and Plex account

7b. Near the end of the configuration file, find the external section. It will look like the below.

config.pl external script area

7c. Add a new section for the Splunk HEC connector.

config.pl script with added section for sending to Splunk

‘Splunk’ => {
‘enabled’ => 1, ## 0 or 1 – set to 1 to enable Splunk script
‘push_watched’ => 1, #stop
‘push_watching’ => 1, #start
‘push_paused’ => 1, #pause
‘push_resumed’ => 1, #resume


‘script_format’ => {
‘start’ => ‘perl /opt/plexWatch/splunk.pl “{user}” “{state}” “{title}” “{streamtype}” “{year}” “{rating}” “{platform}” “{progress}” “{percent_complete}” “{ip_address}” “{length}” “{duration}” “{time_left}”‘,
‘paused’ => ‘perl /opt/plexWatch/splunk.pl “{user}” “{state}” “{title}” “{streamtype}” “{year}” “{rating}” “{platform}” “{progress}” “{percent_complete}” “{ip_address}” “{length}” “{duration}” “{time_left}”‘,
‘resumed’ => ‘perl /opt/plexWatch/splunk.pl “{user}” “{state}” “{title}” “{streamtype}” “{year}” “{rating}” “{platform}” “{progress}” “{percent_complete}” “{ip_address}” “{length}” “{duration}” “{time_left}”‘,
‘stop’ => ‘perl /opt/plexWatch/splunk.pl “{user}” “{state}” “{title}” “{streamtype}” “{year}” “{rating}” “{platform}” “{progress}” “{percent_complete}” “{ip_address}” “{length}” “{duration}” “{time_left}”‘,
},
},

8. Download the Splunk HEC connector library for Perl.

wget https://github.com/eforbus/perl-splunk-hec/archive/master.zip

9. Unzip the the connector

unzip master.zip

10. Copy the libraries to the PlexWatch directory

sudo cp -R ./perl-splunk-hec-master/lib/Splunk /opt/plexWatch/

11. Create and edit the HEC script. This will be what is called from PlexWatch to send the data to the HEC.

sudo vi /opt/plexWatch/splunk.pl

11a. Below is the script. You will need your Splunk server path and HEC token.

splunk.pl Perl script

#!/usr/bin/perl

use lib qw(/opt/plexWatch/);

use Splunk::HEC;

$user=$ARGV[0];
$state=$ARGV[1];
$title=$ARGV[2];
$streamtype=$ARGV[3];
$year=$ARGV[4];
$rating=$ARGV[5];
$platform=$ARGV[6];
$progress=$ARGV[7];
$percent_complete=$ARGV[8];
$ip_address=$ARGV[9];
$show_length=$ARGV[10];
$duration=$ARGV[11];
$time_left=$ARGV[12];

my $hec = Splunk::HEC->new(
url => ‘https://SplunkServer:8088/services/collector/event’,
token => ‘6cc8b5ba-48f3-5c2b-8e9e-9e5e81a0ce57’
);

my $res = $hec->send(event => {user => $user, state => $state, title => $title, streamtype => $streamtype, year => $year, rating => $rating, platform => $platform, progress => $progress, percent_complete => $percent_complete, ip_address => $ip_address, length => $show_length, duration => $duration, time_left => $time_left});

12. Change the abilities of the script to be executable

sudo chmod +x /opt/plexWatch/splunk.pl

13. Test the script. This will send sample data to the Splunk HEC.

/opt/plexWatch/splunk.pl user state title streamtype year rating platform progress percent_complete ip_address length duration time_left

14. Add the PlexWatch script in to the crontab to run on a schedule

sudo crontab -e

14a. Have the script run once per minute

* * * * * /opt/plexWatch/plexWatch.pl

Enjoy the data in Splunk

JSON Data Example
Dashboard Example
Dashboard Example