The 2.0 version of the Splunk C# SDK is heavily invested in modern C# features. Every major operation, from login onwards, is available via asynchronous methods. For example:
    var service = new Service(Scheme.Https, "localhost", 8089);
    await service.LogOnAsync("admin", "changeme");
    var results = await service.ExportSearchResultsAsync(
        "search error",
        new SearchExportArgs { EarliestTime = "rt-1h", LatestTime = "rt" });
Glenn Block writes about this sample:
In the code I am using the ExportSearchResultsAsync method that will push results from the server continually as they are available. I am then looping through the results and outputting each raw event. The result object is a Dynamic object allowing any fields that Splunk has extracted to be accessed as properties.
The results variable above is a SearchResultStream which also implements IObservable<T>. This means you can use it with the Reactive Extensions (Rx). Rx offers a push-based programming model which fits well with Splunk’s real-time manner. Additionally, Rx provides a set of operators that you can use to act on the data as it is received in a declarative fashion for applying filtering logic, group by, ordering and more.
The pattern to take advantage of Splunk’s sampling capabilities is fairly straightforward. Simply convert the results into an Observable, set the sampling rate, and then subscribe to the results.
    results
        .ToObservable()
        .Sample(new TimeSpan(0, 0, 5))
        .Subscribe(Observer.Create<dynamic>(r => Console.WriteLine(r._raw)));
Of course, this requires the use of the Reactive Extensions framework.
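The filtering and group-by operators mentioned above can act as detection logic on such a stream. The following is an added example, not code from the SDK or from Glenn Block: it counts failed logons per user in five-second windows. The AuthEvent type, its field names, the threshold and the sample events are constructed for illustration; with the SDK the source would be results.ToObservable().

```csharp
// Added example: requires the System.Reactive NuGet package and C# 9 or later.
using System;
using System.Linq;
using System.Reactive.Linq;

// Constructed stand-in for a Splunk result; the field names are assumptions.
public record AuthEvent(string User, string Action, string Raw);

public static class FailedLogonMonitor
{
    // For each time window, emits every user whose failed-logon count
    // reaches the threshold, together with that count.
    public static IObservable<(string User, int Failures)> Detect(
        IObservable<AuthEvent> events, TimeSpan window, int threshold) =>
        events
            .Where(e => e.Action == "failure")      // filter as events arrive
            .Buffer(window)                         // one batch per window
            .SelectMany(batch => batch
                .GroupBy(e => e.User)               // group within the batch
                .Where(g => g.Count() >= threshold)
                .Select(g => (User: g.Key, Failures: g.Count())));

    public static void Main()
    {
        // Constructed sample events, not real log data.
        var sample = new[]
        {
            new AuthEvent("alice", "failure", "logon failed user=alice"),
            new AuthEvent("bob",   "success", "logon ok user=bob"),
            new AuthEvent("alice", "failure", "logon failed user=alice"),
            new AuthEvent("carol", "failure", "logon failed user=carol"),
            new AuthEvent("alice", "failure", "logon failed user=alice"),
        };

        // The finite sample completes at once, which flushes the last window.
        Detect(sample.ToObservable(), TimeSpan.FromSeconds(5), threshold: 3)
            .Subscribe(hit => Console.WriteLine(
                $"{hit.User}: {hit.Failures} failed logons in window"));
    }
}
```

Unlike Sample, which forwards only the latest event in each interval, Buffer keeps every event in the window, so counts are not undercounted.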
Logging
Another feature of this release is support for the Semantic Logging Application Block (SLAB), which is part of Microsoft’s Enterprise Library. Unlike traditional logs, which are mostly string-based, a semantic log maintains separate fields for each data point in the log entry.
Since the list of captured fields varies significantly from event to event, a fully structured data store such as SQL Server is a poor fit. But Splunk, which is designed specifically to index unstructured and semi-structured data, is in theory a good match.
In addition to the SLAB listener, the Splunk C# SDK also includes traditional Trace listeners.
Mobile Support
The SDK is a Portable Class Library (PCL), which means it can be used in apps written for Windows Phone, iOS, Android, and the Windows Store.