Send JSON objects directly to HTTP Event Collector

Splunk logging for .NET can send JSON objects directly to HTTP Event Collector using Splunk.Logging.Common. In contrast, trace listeners (such as those provided in Splunk.Logging.TraceListener) and event sinks (such as those provided in Splunk.Logging.SLAB) are designed to send strings only. For example, trying to send an object using the TraceData method of one of the trace listeners results in the object being serialized to a string. This topic discusses how you can take advantage of the Common library's capability to send JSON objects directly, while maintaining access to the same retry and batching logic available when using the other libraries.

Splunk.Logging.Common fully supports serializable objects, including strongly-typed objects, anonymous types, and dynamic/JObject.

Code example

Following is a code snippet that shows sending both an anonymous type and a dynamic:

var middleware = new HttpEventCollectorResendMiddleware(100);
var ecSender = new HttpEventCollectorSender(new Uri("https://localhost:8088"),
    "3E712E99-63C5-4C5A-841D-592DD070DA51",
    null,
    HttpEventCollectorSender.SendMode.Sequential,
    0,
    0,
    0,
    middleware.Plugin
);
ecSender.OnError += o => Console.WriteLine(o.Message);
ecSender.Send(Guid.NewGuid().ToString(), "INFO", null, new { Foo = "Bar" });
dynamic obj = new JObject();
obj.Bar = "Baz";
ecSender.Send(Guid.NewGuid().ToString(), "INFO", null, (JObject)obj);
await ecSender.FlushAsync();

Example walkthrough

First, we create "middleware." Splunk logging for .NET uses middleware to handle automatically resending event data if it is not able to send It initially. We use the HttpEventCollectorResendMiddleware object here, which uses an incremental back-off retry policy, and configure it to do 100 retries.

Next, we pass the Uri and Token parameters and set the metadata parameter to null. The metadata parameter is optional. We also set the send mode to Sequential. This mirrors what HttpEventCollectorTraceListener and HttpEventCollectorSink do. We could instead set it to Parallel, which would send the data at a higher throughput rate, but the events may not show up in sequence in Splunk Enterprise. The next three parameters relate to batching. Since we're not bothering with batching in this example, we set them all to 0. The last parameter accepts a delegate, for which the middleware exposes a Plugin property.

Once we configure the sender, we then add an error handler. Then we call Send, passing in an anonymous object. We then create a new JObject and call Send again, this time sending the object.

Finally, we call the FlushAsync method to force the sender to flush the events to HttpEventCollector.

This code assumes that the URI and token are both valid, and that HTTP Event Collector has been enabled and is reachable. Once we've run this code, the events are received and ingested by Splunk Enterprise, as shown in the following screen shot:

Screen shot of JSON objects in Splunk Enterprise search