IMS Connect Open Database analysis
The dashboards are distributed as an application for Splunk called IMS Connect Open Database analysis.
Getting the Open Database application from SplunkBase
The application can be installed from Splunkbaseopen in new window.
In your Splunk server,
- Visit
Apps Find more apps- Search
IMS Connect Open Database analysis - Click
install - Enter your Splunk.com username and password
- Click
Agree and Install - Restart Splunk server
Splunk Open Database configuration
The application deploys inputs.conf and props.conf.
[tcp://:1616]
sourcetype = ims-ca20-od
2
As default, IMS Connect Open Database analysis configures the data input so that Splunk server accepts data coming to the TCP port 1616.
The example source type ims-ca20-od matches the value of the type property in the feed JSON.
The port number and source type shown here are examples only. If you want to change the port number, you can modify from Settings -> Data inputs -> TCP.
[ims-ca20-od]
SHOULD_LINEMERGE = false
KV_MODE = json
TIME_PREFIX = {\"time\":\"
TIME_FORMAT = %Y-%m-%dT%H:%M:%S.%6N%:z
2
3
4
5
The combination of SHOULD_LINEMERGE = false and KV_MODE = json defines the incoming data as JSON Lines: one event per line, data in JSON format. These two settings apply to different stages in the Splunk data pipeline: SHOULD_LINEMERGE applies to parsing, before indexing; KV_MODE applies later, to search-time field extraction.
The regular expression for TIME_PREFIX is case sensitive; it matches the lowercase field name time, which is the field name for event time stamps in the feed JSON. TIME_FORMAT matches the format of the time field value: a date and time of day string value in ISO 8601 extended format. See the example feed JSON in Configuring the feed job for Open Database workloads.