Gravwell engineers play around with a lot of tech projects on the side, and the natural follow-on question is always: can we somehow feed this into Gravwell? Over the last few weeks I've started experimenting with Home Assistant, largely to figure out if the bedroom really is always 5 degrees hotter than downstairs, or if it just feels that way! Once I had my sensors set up, my obvious next step was to ship data to Gravwell for long-term analysis. Luckily, Home Assistant can export to Splunk's HTTP Event Collector… and since the Gravwell HTTP Ingester has a HEC compatibility mode, I already had everything I needed!
HTTP Ingester Configuration
After installing the Gravwell HTTP Ingester (see https://docs.gravwell.io/ingesters/http.html), I configured it to listen on port 8088 and defined a "HEC-Compatible-Listener" block:
[Global]
Ingest-Secret = "CHANGEME"
Connection-Timeout = 0
Insecure-Skip-TLS-Verify=true
Cleartext-Backend-Target=gravwell.example.org
Log-Level=INFO
Ingest-Cache-Path=/opt/gravwell/cache/http_ingester.cache
Bind=":8088"
[HEC-Compatible-Listener "hass"]
TokenValue="hasstoken" #set the access control token
Tag-Name=hass
Home Assistant Splunk Integration
Once the HTTP ingester was configured, I made Home Assistant send events by defining a "splunk" section in configuration.yaml and restarting HA:
splunk:
  token: hasstoken
  host: httpingester.example.org
(The Splunk integration defaults to connecting to port 8088, so I just needed to give it the address of the HTTP Ingester and the token defined in the config)
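One way to exercise the listener and token before restarting Home Assistant, as an added example that is not from the original post or from Gravwell or Home Assistant code. It assumes the listener keeps the standard HEC path /services/collector/event and the "Authorization: Splunk <token>" header; the helper names and the sample event are constructed, with fields matching the ones this post's query extracts.

```python
import json
import time
import urllib.error
import urllib.request

HEC_PATH = "/services/collector/event"  # standard HEC event endpoint (assumed default)


def ha_style_event(friendly_name, device_class, value, host="hass", ts=None):
    """Constructed sample event; shape assumed from the fields queried on this page."""
    attrs = {"device_class": device_class, "friendly_name": friendly_name}
    return {"time": time.time() if ts is None else ts, "host": host,
            "event": {"attributes": attrs, "value": value}}


def build_request(base_url, token, payload):
    """Build the POST a HEC client sends: JSON body plus 'Splunk <token>' auth."""
    return urllib.request.Request(
        base_url.rstrip("/") + HEC_PATH,
        data=json.dumps(payload).encode("utf-8"),
        headers={"Authorization": "Splunk " + token,
                 "Content-Type": "application/json"},
        method="POST",
    )


def post_status(req, timeout=5):
    """Send the request and return the HTTP status, including error statuses."""
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_listener(base_url, token):
    """The configured token must be accepted and a wrong one must be rejected."""
    event = ha_style_event("Bedroom Humidity", "humidity", 41.5)
    good = post_status(build_request(base_url, token, event))
    bad = post_status(build_request(base_url, token + "-wrong", event))
    return {"good_token": good, "bad_token": bad,
            "ok": (200 <= good < 300) and not (200 <= bad < 300)}


if __name__ == "__main__":
    # Hostname, port and token are the placeholder values from the configs above.
    print(check_listener("http://httpingester.example.org:8088", "hasstoken"))
```

The URL is plain http because neither config shown here enables TLS, so the token travels unencrypted between the client and the listener.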
Querying
The events end up in the hass tag in Gravwell:
They're shipped as JSON, which means I can just use the json module to pull out the fields I'm interested in:
tag=hass json attributes.device_class==humidity attributes.friendly_name value
| stats mean(value) by friendly_name
| chart mean by friendly_name
I put together a little dashboard which shows both the current status and the historical data:
What's Next?
By feeding event data into Gravwell, I can track everything that goes on in my Home Assistant setup. The next step is to go in the opposite direction: control HA from Gravwell. With Home Assistant's REST API (https://developers.home-assistant.io/docs/api/rest/), I should be able to actually control lights and other smart devices within my home from Flows – maybe my next project should be to flash a light when a PS5 goes on sale?

Written by John Floren
John's been writing Go since before it was cool and developing distributed systems for almost as long.