{"id":12674,"date":"2020-01-03T20:57:24","date_gmt":"2020-01-04T02:57:24","guid":{"rendered":"http:\/\/anthonyreinke.com\/?p=12674"},"modified":"2020-01-03T21:04:21","modified_gmt":"2020-01-04T03:04:21","slug":"connecting-plex-and-splunk","status":"publish","type":"post","link":"https:\/\/anthonyreinke.com\/index.php\/2020\/01\/03\/connecting-plex-and-splunk\/","title":{"rendered":"Connecting Plex and Splunk"},"content":{"rendered":"\n

I use Plex (https:\/\/www.plex.tv\/<\/a>) to be able to play videos at home. Different family members have their own accounts on Plex. I was interested in the viewing habits of the people using my Plex server. If you put Plex in debug mode you can get a lot of logs but I wanted a better way.<\/p>\n\n\n\n

I found PlexWatch (https:\/\/github.com\/ljunkie\/plexWatch<\/a>) on Github. PlexWatch is listed as “Notify and Log watched content on a Plex Media Server”. What made me interested in this project is that you could extend it to connect to external providers (Twitter, Boxcar, Prowl, …). I was hoping I could use this to connect to Splunk’s HEC (HTTP Event Collector).<\/p>\n\n\n\n

I was able to also find a Splunk HEC library for Perl on Github. The project is called “Perl Client for Splunk HTTP Event Collector” and at https:\/\/github.com\/eforbus\/perl-splunk-hec<\/a>.<\/p>\n\n\n\n

Requirements:
1. Command line access to a Plex server
2. Splunk instance with HEC enabled
3. Perl installed or ability to have it installed<\/p>\n\n\n\n

\n\n\n\n

Below is the step by step I created to connect PlexWatch with Splunk via the HEC. This was done on a CentOS 7 server.<\/p>\n\n\n\n

1. Enable the EPEL Release Repo<\/p>\n\n\n\n

\nsudo yum -y –enablerepo=extras install epel-release\n<\/p><\/blockquote>\n\n\n\n

2. Add the dependancies<\/p>\n\n\n\n

\nsudo yum -y install perl\\(LWP::UserAgent\\) perl\\(XML::Simple\\) perl\\(Pod::Usage\\) perl\\(JSON\\) perl\\(DBI\\) perl-Time-Duration perl-Time-ParseDate perl-DBD-SQLite perl-LWP-Protocol-https perl-Crypt-SSLeay perl-File-ReadBackwards perl-JSON-XS\n<\/p><\/blockquote>\n\n\n\n

3. Create the directory for PlexWatch<\/p>\n\n\n\n

\nsudo mkdir \/opt\/plexWatch\/\n<\/p><\/blockquote>\n\n\n\n

4. Download the PlexWatch components<\/p>\n\n\n\n

\nsudo wget -P \/opt\/plexWatch\/ https:\/\/raw.github.com\/ljunkie\/plexWatch\/master\/plexWatch.pl\n<\/p><\/blockquote>\n\n\n\n

\nsudo wget -P \/opt\/plexWatch\/ https:\/\/raw.github.com\/ljunkie\/plexWatch\/master\/config.pl-dist\n<\/p><\/blockquote>\n\n\n\n

3. Create the directory for PlexWatch<\/p>\n\n\n\n

\nsudo mkdir \/opt\/plexWatch\/\n<\/p><\/blockquote>\n\n\n\n

5. Set the permissions for the folder and script<\/p>\n\n\n\n

\nsudo chmod 777 \/opt\/plexWatch && sudo chmod 755 \/opt\/plexWatch\/plexWatch.pl\n<\/p><\/blockquote>\n\n\n\n

6. Copy the configuration file from the default to the one used by the script<\/p>\n\n\n\n

\nsudo cp \/opt\/plexWatch\/config.pl-dist \/opt\/plexWatch\/config.pl\n<\/p><\/blockquote>\n\n\n\n

7. Edit the configuration file. In the examples I show will be using VIM but in the walk through I show VI. Nano can also be used.<\/p>\n\n\n\n

sudo vi \/opt\/plexWatch\/config.pl <\/p><\/blockquote>\n\n\n\n

7a. Change the $log_client_ip to equal 1 and set the $myPlex_user and $myPlex_pass variables. The $myPlex_user and $myPlex_pass are the credentials to log in to plex.tv.<\/p>\n\n\n\n

\"config.pl<\/a><\/figure>\n\n\n\n

7b. Near the end of the configuration file, find the external section. It will look like the below.<\/p>\n\n\n\n

\"config.pl<\/a><\/figure>\n\n\n\n

7c. Add a new section for the Splunk HEC connector.<\/p>\n\n\n\n

\"config.pl<\/a><\/figure>\n\n\n\n

\n‘Splunk’ => {
\n ‘enabled’ => 1, ## 0 or 1 – set to 1 to enable Splunk script
‘push_watched’ => 1, #stop
\n ‘push_watching’ => 1, #start
\n ‘push_paused’ => 1, #pause
\n ‘push_resumed’ => 1, #resume
\n

\n ‘script_format’ => {
\n ‘start’ => ‘perl \/opt\/plexWatch\/splunk.pl “{user}” “{state}” “{title}” “{streamtype}” “{year}” “{rating}” “{platform}” “{progress}” “{percent_complete}” “{ip_address}” “{length}” “{duration}” “{time_left}”‘,
\n ‘paused’ => ‘perl \/opt\/plexWatch\/splunk.pl “{user}” “{state}” “{title}” “{streamtype}” “{year}” “{rating}” “{platform}” “{progress}” “{percent_complete}” “{ip_address}” “{length}” “{duration}” “{time_left}”‘,
\n ‘resumed’ => ‘perl \/opt\/plexWatch\/splunk.pl “{user}” “{state}” “{title}” “{streamtype}” “{year}” “{rating}” “{platform}” “{progress}” “{percent_complete}” “{ip_address}” “{length}” “{duration}” “{time_left}”‘,
\n ‘stop’ => ‘perl \/opt\/plexWatch\/splunk.pl “{user}” “{state}” “{title}” “{streamtype}” “{year}” “{rating}” “{platform}” “{progress}” “{percent_complete}” “{ip_address}” “{length}” “{duration}” “{time_left}”‘,
\n },
\n},\n<\/p><\/blockquote>\n\n\n\n

8. Download the Splunk HEC connector library for Perl.<\/p>\n\n\n\n

wget https:\/\/github.com\/eforbus\/perl-splunk-hec\/archive\/master.zip<\/p><\/blockquote>\n\n\n\n

9. Unzip the the connector<\/p>\n\n\n\n

unzip master.zip<\/p><\/blockquote>\n\n\n\n

10. Copy the libraries to the PlexWatch directory<\/p>\n\n\n\n

sudo cp -R .\/perl-splunk-hec-master\/lib\/Splunk \/opt\/plexWatch\/<\/p><\/blockquote>\n\n\n\n

11. Create and edit the HEC script. This will be what is called from PlexWatch to send the data to the HEC.<\/p>\n\n\n\n

sudo vi \/opt\/plexWatch\/splunk.pl<\/p><\/blockquote>\n\n\n\n

11a. Below is the script. You will need your Splunk server path and HEC token.<\/p>\n\n\n\n

\"splunk.pl<\/a><\/figure>\n\n\n\n

#!\/usr\/bin\/perl

use lib qw(\/opt\/plexWatch\/);

use Splunk::HEC;

$user=$ARGV[0];
$state=$ARGV[1];
$title=$ARGV[2];
$streamtype=$ARGV[3];
$year=$ARGV[4];
$rating=$ARGV[5];
$platform=$ARGV[6];
$progress=$ARGV[7];
$percent_complete=$ARGV[8];
$ip_address=$ARGV[9];
$show_length=$ARGV[10];
$duration=$ARGV[11];
$time_left=$ARGV[12];

my $hec = Splunk::HEC->new(
url => ‘https:\/\/SplunkServer:8088\/services\/collector\/event’,
token => ‘6cc8b5ba-48f3-5c2b-8e9e-9e5e81a0ce57’
);

my $res = $hec->send(event => {user => $user, state => $state, title => $title, streamtype => $streamtype, year => $year, rating => $rating, platform => $platform, progress => $progress, percent_complete => $percent_complete, ip_address => $ip_address, length => $show_length, duration => $duration, time_left => $time_left});
<\/p><\/blockquote>\n\n\n\n

12. Change the abilities of the script to be executable<\/p>\n\n\n\n

sudo chmod +x \/opt\/plexWatch\/splunk.pl<\/p><\/blockquote>\n\n\n\n

13. Test the script. This will send sample data to the Splunk HEC.<\/p>\n\n\n\n

\/opt\/plexWatch\/splunk.pl user state title streamtype year rating platform progress percent_complete ip_address length duration time_left<\/p><\/blockquote>\n\n\n\n

14. Add the PlexWatch script in to the crontab to run on a schedule<\/p>\n\n\n\n

sudo crontab -e<\/p><\/blockquote>\n\n\n\n

14a. Have the script run once per minute<\/p>\n\n\n\n

* * * * * \/opt\/plexWatch\/plexWatch.pl<\/p><\/blockquote>\n\n\n\n

Enjoy the data in Splunk<\/p>\n\n\n\n

\"JSON<\/a><\/figure>\n\n\n\n
\"Dashboard<\/a>
Dashboard Example<\/figcaption><\/figure>\n","protected":false},"excerpt":{"rendered":"

I use Plex (https:\/\/www.plex.tv\/) to be able to play videos at home. Different family members have their own accounts on Plex. I was interested in the viewing habits of the people using my Plex server. If you put Plex in debug mode you can get a lot of logs but I wanted a better way. […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[36,34,35,33,31,32,37,27],"class_list":["post-12674","post","type-post","status-publish","format-standard","hentry","category-projects","tag-eforbus","tag-hec","tag-ljunkie","tag-perl","tag-plex","tag-plexwatch","tag-server","tag-splunk"],"_links":{"self":[{"href":"https:\/\/anthonyreinke.com\/index.php\/wp-json\/wp\/v2\/posts\/12674","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/anthonyreinke.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/anthonyreinke.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/anthonyreinke.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/anthonyreinke.com\/index.php\/wp-json\/wp\/v2\/comments?post=12674"}],"version-history":[{"count":4,"href":"https:\/\/anthonyreinke.com\/index.php\/wp-json\/wp\/v2\/posts\/12674\/revisions"}],"predecessor-version":[{"id":12685,"href":"https:\/\/anthonyreinke.com\/index.php\/wp-json\/wp\/v2\/posts\/12674\/revisions\/12685"}],"wp:attachment":[{"href":"https:\/\/anthonyreinke.com\/index.php\/wp-json\/wp\/v2\/media?parent=12674"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/anthonyreinke.com\/index.php\/wp-json\/wp\/v2\/categories?post=12674"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/anthonyreinke.com\/index.php\/wp-json\/wp\/v2\/tags?post=12674"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}