Playing with the Splunk C# SDK – from PowerShell

As those who know me know, I Am Not A Developer. I could convincingly play one on TV, but that’s not the point. The point is this: I don’t have a copy of Visual Studio, and I don’t want to! When in Windows, PowerShell is my language of choice (and for good reason). This blog post will show you, in pretty short order, how to take the newly released Splunk SDK for C#, and use it to connect to a Splunk search head or indexer, but doing so from PowerShell instead of C#.

First, let me acknowledge that we do have a very cool Splunk PowerShell Resource Kit that you can download today. It includes over 40 PowerShell-Splunk cmdlets that support numerous search, deployment, and configuration scenarios. However, it connects to the REST API directly using HTTP, which means there’s a fair bit of redundant code that would’ve been saved, had the C# SDK existed when the resource kit was written. PowerShell, like C#, is built on top of .NET, and it can execute C# code “natively” without much (if any) performance penalty, so there’s no reason not to use the technique that I’m about to explain.

I have published a sample PowerShell module on GitHub called Splunk2, so as not to conflict with the resource kit. Today, there are only two functions: Connect-Splunk and Disconnect-Splunk, but as you’ll see, this is enough for you to at least get started down the path.

To make this code work, all you have to do is create a Splunk2 folder in your PSModulePath (defined on MSDN), and place inside:

You don’t need any of the other files from the SDK, but you may find the Examples folder interesting. It contains C# code of course, but the code is similar enough to PowerShell that given a bit of study, you might be able to convert the examples to PowerShell. And that’s why I can play a developer on TV.

I went so far as to create proper help and examples in the module, because PowerShell makes that stuff easy. Open a PowerShell prompt, type

Import-Module splunk2

…and connect to Splunk! Note that the module requires PowerShell version 3 because I didn’t want to use workarounds for things which have been fixed since version 2. (For those curious, I’m referring specifically to $PSScriptRoot, and proper handling of a PSCredential object in the param() block of a function.)

Below is a transcript of my PowerShell session where you can see the code in action. The actual “hey, what can I do with this” part is bold and red. Can’t miss it. Also be sure to try piping the $SPLUNK_SERVICE object to Get-Member, and you’ll see there are several methods to play with.

PS C:\Users\hrottenberg> Import-Module Splunk2
PS C:\Users\hrottenberg> get-command -Module Splunk2
 
CommandType     Name                                               ModuleName
-----------     ----                                               ----------
Function        Connect-Splunk                                     Splunk2
Function        Disconnect-Splunk                                  Splunk2
 
PS C:\Users\hrottenberg> help Connect-Splunk
 
NAME
Connect-Splunk
 
SYNOPSIS
Connects to a Splunk server
 
SYNTAX
Connect-Splunk [-ComputerName] <String> [-Port <Int32>] -Credential <PSCredential> [<CommonParameters>]
 
 
DESCRIPTION
This function connects to a Splunk server via the REST API and creates a service object called $SPLUNK_SERVICE.
This object can be used to interact with Splunk directly, or is used by other functions in this module to
share a persistent session.
 
 
RELATED LINKS
 
REMARKS
To see the examples, type: "get-help Connect-Splunk -examples".
For more information, type: "get-help Connect-Splunk -detailed".
For technical information, type: "get-help Connect-Splunk -full".
 
 
PS C:\Users\hrottenberg> Connect-Splunk -ComputerName 192.168.1.140 -Credential (Get-Credential)
 
cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Credential
 
Token   : Splunk 4e691cd33d3981054803ca9c5b62ba82
Version : 5.0.1
Host    : 192.168.1.140
Port    : 8089
Prefix  : https://192.168.1.140:8089
Scheme  : https
 
PS C:\Users\hrottenberg> help Connect-Splunk -Examples
 
NAME
Connect-Splunk
 
SYNOPSIS
Connects to a Splunk server
 
-------------------------- EXAMPLE 1 --------------------------
 
C:\PS>Connect to a Splunk server and list all indexes greater than 100 MB in size
 
Connect-Splunk -ComputerName splunk.company.com
$idx = $SPLUNK_SERVICE.GetIndexes()
$idx | Where-Object { $_.CurrentDBSizeMB -gt 100 } | Format-Table name, HomePathExpanded, CurrentDBSizeMB -AutoSize
 
PS C:\Users\hrottenberg> $idx = $SPLUNK_SERVICE.GetIndexes()
PS C:\Users\hrottenberg> $idx | Where-Object { $_.CurrentDBSizeMB -gt 100 } | Format-Table name, HomePathExpanded,
CurrentDBSizeMB -AutoSize
 
Name      HomePathExpanded                                   CurrentDBSizeMB
----      ----------------                                   ---------------
_internal /Applications/splunk/var/lib/splunk/_internaldb/db            4215
isilon    /Applications/splunk/var/lib/splunk/isilon/db                  624
main      /Applications/splunk/var/lib/splunk/defaultdb/db               156
 
 
PS C:\Users\hrottenberg> Disconnect-Splunk
 
Token   :
Version : 5.0.1
Host    : 192.168.1.140
Port    : 8089
Prefix  : https://192.168.1.140:8089
Scheme  : https
 
PS C:\Users\hrottenberg> $SPLUNK_SERVICE.GetIndexes()
The following exception occurred while trying to enumerate the collection: "The remote server returned an error: (401)
Unauthorized.".
At line:1 char:1
+ $SPLUNK_SERVICE.GetIndexes()
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : NotSpecified: (:) [], ExtendedTypeSystemException
+ FullyQualifiedErrorId : ExceptionInGetEnumerator
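
An added example, not part of the original post or of the Splunk2 module: a wrapper that puts the session from the transcript inside try/finally, so Disconnect-Splunk always runs and the session token is not echoed to the console. Invoke-SplunkSession is a hypothetical name; the code assumes the Splunk2 module is installed, a Splunk server is reachable, and $SPLUNK_SERVICE is visible to the caller as it is at the prompt above.

```powershell
#Requires -Version 3
# Added example; Invoke-SplunkSession is a hypothetical helper, not part of Splunk2.
# Assumes the Splunk2 module is installed and $SPLUNK_SERVICE is visible to the
# caller, as it is at the prompt in the transcript above.
function Invoke-SplunkSession {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$ComputerName,

        [int]$Port = 8089,

        # PSCredential keeps the password out of command history and arguments
        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential]$Credential,

        [Parameter(Mandatory = $true)]
        [scriptblock]$ScriptBlock
    )

    Import-Module Splunk2 -ErrorAction Stop

    # Connect-Splunk writes the service object, session token included, to the
    # pipeline; discard it so the token stays out of transcripts and logs.
    Connect-Splunk -ComputerName $ComputerName -Port $Port -Credential $Credential -ErrorAction Stop | Out-Null

    try {
        # Results are enumerated here, while the token is still valid. The same
        # call after logout fails with 401, as the transcript shows.
        & $ScriptBlock $SPLUNK_SERVICE
    }
    finally {
        # Runs on success, on error, and when the pipeline is stopped
        Disconnect-Splunk | Out-Null
        if ($SPLUNK_SERVICE.Token) {
            Write-Warning 'Session token still set after Disconnect-Splunk'
        }
    }
}

# Usage: the index report from the module's help example
$cred = Get-Credential
Invoke-SplunkSession -ComputerName splunk.company.com -Credential $cred -ScriptBlock {
    param($service)
    $service.GetIndexes() |
        Where-Object { $_.CurrentDBSizeMB -gt 100 } |
        Select-Object Name, HomePathExpanded, CurrentDBSizeMB
}
```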
