What is the Splunk SDK for C#?

The Splunk API exposes Splunk resources via a REST API using the HTTP protocol. Any tool or language that supports HTTP can use the API to configure and manage a Splunk Enterprise instance and issue search commands.

The Splunk SDK for C# is a Splunk-developed collection of C# APIs that uses the Splunk REST API to configure, manage, and issue search commands to your Splunk Enterprise instance. Using the Splunk SDK for C#, you can develop your own Splunk application or integrate Splunk functionality into your existing app.

What you can do with the Splunk SDK for C#

This SDK contains library code and examples designed to enable developers to build applications using Splunk Enterprise. With the Splunk SDK for C# you can write C# applications to programmatically interact with the Splunk Enterprise engine. The SDK is built on top of the REST API and provides a wrapper over the REST API endpoints, so you can write applications with fewer lines of code that interact with Splunk Enterprise in the following ways:

  • Login
  • Access control (users and passwords)
  • Searches (normal, blocking, real-time, one-shot, and export)
  • Jobs
  • Reports (saved searches in Splunk Enterprise 5)
  • Configuration and Config Properties
  • Indexes
  • Inputs (sending simple and streamed events to Splunk Enterprise)
  • Applications

In addition, the Splunk SDK for C# includes built-in support for modular inputs.

The Splunk SDK for C# components

The Service class

The Service class is the primary entry point for the client library. Construct an instance of the Service class and provide the login credentials that are required to connect to an available Splunk server. There are different ways to construct the instance and authenticate; here's one way:

// Create a Service instance
var service = new Service(Scheme.Https, "localhost", 8089, new Namespace(user: "nobody", app: "search"));

// Log in
await service.LoginAsync("admin", "yourpassword");

Once the Service instance is created and you're logged in, you can use it to navigate, enumerate, and operate on a wide variety of Splunk resources.

Entities and collections

The Splunk REST API consists of over 160 endpoints that provide access to almost every feature of Splunk. The majority of the Splunk SDK for C# API follows a convention of exposing resources as collections of entities, where an entity is a resource that has properties, actions, and metadata that describes the entity. The entity/collection pattern provides a consistent approach to interacting with resources and collections of resources.

For example, the following code lists all apps installed on the Splunk Enterprise server:

foreach (var app in service.Applications)
{
    Console.WriteLine(app.Name);
    // write a separator between the name and the description of an app
    Console.WriteLine(Enumerable.Repeat<char>('-', app.Name.Length).ToArray());
    Console.WriteLine(app.Description);
}

Collections use a common mechanism to create and remove entities. Entities use a common mechanism to retrieve and update property values, and access entity metadata. Once you're familiar with this pattern, you'll have a reasonable understanding of how the SDK and underlying REST API work.

The SDK contains the base classes Entity and EntityCollection, both of which derive from the common base class Resource. Note that Service is not a Resource, but is a container that provides access to all features associated with a Splunk instance.
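
To show what the wrapper sits on top of, the following added example (not part of the SDK or of the original page) performs the login and app listing directly against the REST endpoints /services/auth/login and /services/apps/local, then maps the returned collection to entities. The class name and the environment variable names SPLUNK_URL, SPLUNK_USER and SPLUNK_PASSWORD are assumptions, and the embedded JSON is a constructed sample used when those variables are not set.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Text.Json;
using System.Threading.Tasks;
class SplunkRestSketch
{
    // Constructed sample of a collection response (output_mode=json); real ones carry more fields.
    const string SampleApps = @"{""entry"":[
      {""name"":""search"",""content"":{""description"":""Search & Reporting""}},
      {""name"":""my_app"",""content"":{}}]}";

    // A collection is an "entry" array; each entry is one entity whose properties sit in "content".
    static IEnumerable<(string Name, string Description)> ParseEntities(string json)
    {
        using var doc = JsonDocument.Parse(json);
        foreach (var e in doc.RootElement.GetProperty("entry").EnumerateArray())
        {
            var desc = e.GetProperty("content").TryGetProperty("description", out var d)
                ? d.GetString() : "";
            yield return (e.GetProperty("name").GetString(), desc);
        }
    }

    static async Task Main()
    {
        // Assumed variable names; credentials stay out of source code.
        var baseUrl = Environment.GetEnvironmentVariable("SPLUNK_URL"); // e.g. https://localhost:8089
        var user = Environment.GetEnvironmentVariable("SPLUNK_USER");
        var pass = Environment.GetEnvironmentVariable("SPLUNK_PASSWORD");
        var json = SampleApps;
        if (baseUrl != null && user != null && pass != null)
        {
            // Default handler: TLS certificate validation stays enabled.
            using var http = new HttpClient { BaseAddress = new Uri(baseUrl) };
            var form = new FormUrlEncodedContent(new Dictionary<string, string>
                { ["username"] = user, ["password"] = pass, ["output_mode"] = "json" });
            var login = await http.PostAsync("/services/auth/login", form);
            login.EnsureSuccessStatusCode(); // bad credentials surface here as an exception
            using var body = JsonDocument.Parse(await login.Content.ReadAsStringAsync());
            var key = body.RootElement.GetProperty("sessionKey").GetString();
            // Later requests authenticate with the session key, not the password.
            http.DefaultRequestHeaders.TryAddWithoutValidation("Authorization", "Splunk " + key);
            json = await http.GetStringAsync("/services/apps/local?output_mode=json&count=0");
        }
        foreach (var (name, description) in ParseEntities(json))
            Console.WriteLine($"{name}: {description}");
    }
}
```

If the management port presents a certificate the client does not trust, the login request fails; trust the issuing CA on the client rather than disabling validation.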