plexWatch logs quite a bit into a SQLite database file (plexWatch.db). While I don't use Splunk I do see there is a way to interface relational databases with Splunk via DB Connect. This might be a good starting point rather than trying to parse the PMS debug log itself.
I actually set up plexWatch/web last night and I'm pretty impressed by it. It'd be nice if the script had a syslog-ish notification that I could just throw data out to an external logger with. However, the web interface is fantastic. There are still some details that I'd like to grab for further logging, such as average bitrate/bandwidth from sessions, and to be able to build charts relating it to CPU and network usage of the server itself from SNMP data. The DB Connect Splunk app could be useful. Looks like it will work with SQLite.
Were you able to get this information fed into Splunk? I just set up Splunk and added the standard Plex log files. I'm going to mess around with it to see how much info it provides vs what I need.
It looks like plexWeb will output to a flat log file. If so, this would be great for Splunk.
Also, what kind of queries are you running? I'm going to set up a few dashboards, but would love to see what others have come up with.
Edit:
So I was able to get the sqlite db connected to Splunk, but I need to do more research on how to monitor the db. I thought there was a Monitor option in the DB Connect > Settings options, but I don't see it.
Let me know if you are able to monitor the db for changes and have the changes logged.
Thanks.
What source type are you marking your Plex logs as? Also, what logs are you targeting? I'm setting this up myself today.
Hello,
Was anyone successful in ingesting plex media logs into splunk? I used a universal forwarder and monitored the C:\Users\{user}\AppData\Local\Plex Media Server\Logs\Plex Media Server.log file, but the logs were very strange and hard to make sense of. This made it difficult in Splunk to answer simple questions like what IPs/usernames are viewing what videos/music. If someone with more knowledge of the Plex logs could create an app or a TA for Splunk that would be awesome! All I was able to extract was the IPs with this extraction: (?:[^: ]*:){4}\s+\[(?P[^:]+). My next approach will be the plexwatch dbconnect app method.
Plex Media Server 0.9.9.10.458-08ea34
This is actually a very nice toy, never knew it existed. I have been playing around with Python for the first time in my life and I managed to get data into Splunk which it actually understands:
2014-07-22 23:32:27.640411 user_title=user1,player_platform="Plex Home Theater",player_product="Plex Home Theater",player_title="",video_grandparentTitle="The 100",video_title="We Are Grounders (1)",video_type=episode,video_guid=com.plexapp.agents.thetvdb://268592/1/12?lang=en,video_duration=2546560,video_viewOffset=2496119,video_progress=98.0192494974
2014-07-22 23:30:27.078915 user_title=user1,player_platform="Plex Home Theater",player_product="Plex Home Theater",player_title="",video_grandparentTitle="The 100",video_title="We Are Grounders (1)",video_type=episode,video_guid=com.plexapp.agents.thetvdb://268592/1/12?lang=en,video_duration=2546560,video_viewOffset=2374330,video_progress=93.2367586077
2014-07-22 23:28:28.265758 user_title=user1,player_platform="Plex Home Theater",player_product="Plex Home Theater",player_title="",video_grandparentTitle="The 100",video_title="We Are Grounders (1)",video_type=episode,video_guid=com.plexapp.agents.thetvdb://268592/1/12?lang=en,video_duration=2546560,video_viewOffset=2252918,video_progress=88.469072003
2014-07-22 23:28:28.265384 user_title=user2,player_platform="Samsung",player_product="Plex for Samsung",player_title="TV UE32F6400",video_grandparentTitle="Crisis",video_title="Best Laid Plans",video_type=episode,video_guid=com.plexapp.agents.thetvdb://269592/1/11?lang=en,video_duration=2543712,video_viewOffset=2437759,video_progress=95.8347092753
Each of the above lines is registered as a single event; events from multiple users are also broken into their own separate events.
I played around with Splunk and the most basic stuff works like a charm with queries like:
dedup user_title sortby -_time | table user_title, _time
video_progress > 95 | table user_title,player_platform,video_grandparentTitle,video_title,video_progress | dedup 1 video_progress
Any idea how Splunk can be used to make the more interesting stuff?
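An added example, not part of the original posts and not the poster's script: a Python parser for the timestamped key=value event format shown above, with helpers that mirror the two searches (latest event per user, and who passed a progress threshold). The function names are hypothetical and the sample lines are constructed from the posted events with fields trimmed.

```python
import re
from datetime import datetime

# Constructed sample modelled on the events in the post (fields trimmed; the
# comma inside the last video_title is added here to exercise quoting).
SAMPLE = """\
2014-07-22 23:32:27.640411 user_title=user1,player_title="",video_title="We Are Grounders (1)",video_guid=com.plexapp.agents.thetvdb://268592/1/12?lang=en,video_progress=98.0192494974
2014-07-22 23:30:27.078915 user_title=user1,player_title="",video_title="We Are Grounders (1)",video_guid=com.plexapp.agents.thetvdb://268592/1/12?lang=en,video_progress=93.2367586077
2014-07-22 23:28:28.265384 user_title=user2,player_title="TV UE32F6400",video_title="Best Laid Plans, Part 2",video_guid=com.plexapp.agents.thetvdb://269592/1/11?lang=en,video_progress=95.8347092753
"""

# key=value where the value is either "quoted" (may hold commas and spaces)
# or bare text up to the next comma (may hold '=' and ':' as in video_guid).
PAIR = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|([^,]*))')


def parse_event(line):
    """Split one event line into a dict; the timestamp is stored as _time."""
    date, clock, rest = line.split(" ", 2)
    event = {"_time": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S.%f")}
    for match in PAIR.finditer(rest):
        key, quoted, bare = match.groups()
        # An empty quoted value ("") must stay an empty string, not None.
        event[key] = quoted if quoted is not None else bare
    return event


def latest_per_user(events):
    """Newest event per user, like: dedup user_title sortby -_time."""
    latest = {}
    for event in sorted(events, key=lambda e: e["_time"], reverse=True):
        latest.setdefault(event["user_title"], event)
    return latest


def finished(events, threshold=95.0):
    """(user, title) pairs whose video_progress exceeds the threshold."""
    return sorted({(e["user_title"], e["video_title"])
                   for e in events if float(e["video_progress"]) > threshold})


EVENTS = [parse_event(line) for line in SAMPLE.splitlines()]

if __name__ == "__main__":
    for user, event in latest_per_user(EVENTS).items():
        print(user, event["_time"], event["video_title"], event["video_progress"])
    print(finished(EVENTS))
```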