Playing with the Splunk C# SDK–from PowerShell

As those who know me know, I Am Not A Developer. I could convincingly play one on TV, but that’s not the point. The point is this: I don’t have a copy of Visual Studio, and I don’t want to! When in Windows, PowerShell is my language of choice (and for good reason). This blog post will show you, in pretty short order, how to take the newly released Splunk SDK for C# and use it from PowerShell, rather than from C#, to connect to a Splunk search head or indexer.

First, let me acknowledge that we do have a very cool Splunk PowerShell Resource Kit that you can download today. It includes over 40 PowerShell-Splunk cmdlets that support numerous search, deployment, and configuration scenarios. However, it connects to the REST API directly using HTTP, which means there’s a fair bit of redundant code that would’ve been saved, had the C# SDK existed when the resource kit was written. PowerShell, like C#, is built on top of .NET, and it can execute C# code “natively” without much (if any) performance penalty, so there’s no reason not to use the technique that I’m about to explain.

I have published a sample PowerShell module on github called Splunk2, so as not to conflict with the resource kit. Today there are only two functions, Connect-Splunk and Disconnect-Splunk, but as you’ll see, this is enough for you to at least get started down the path.

To make this code work, all you have to do is create a Splunk2 folder in your PSModulePath (defined on MSDN), and place inside:

You don’t need any of the other files from the SDK, but you may find the Examples folder interesting. It contains C# code of course, but the code is similar enough to PowerShell that given a bit of study, you might be able to convert the examples to PowerShell. And that’s why I can play a developer on TV.

I went so far as to create proper help and examples in the module, because PowerShell makes that stuff easy. Open a PowerShell prompt, type

Import-Module splunk2

…and connect to Splunk! Note that the module requires PowerShell version 3 because I didn’t want to use workarounds for things which have been fixed since version 2. (For those curious, I’m referring specifically to $PSScriptRoot, and proper handling of a PSCredential object in the param() block of a function.)
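As an added illustration of the technique described above (this is not the Splunk2 module’s code, nor the SDK’s), here is a minimal Connect-Splunk / Disconnect-Splunk pair written directly against the C# SDK from PowerShell 3. It assumes the SDK assembly is a file called Splunk.dll sitting next to the script, that the assembly exposes a Splunk.Service class with a (host, port, scheme) constructor plus Login(user, password) and Logout() methods, and that the service object carries the Token, GetIndexes(), CurrentDBSizeMB and HomePathExpanded members that appear in the transcript; none of those names beyond the transcript’s are confirmed by this post. It also adds a guard that refuses to call the server once the session key is gone, which is the 401 you see at the very end of the transcript.

```powershell
# Added example, not the Splunk2 module's own code.
# Assumptions (not established by the post): Splunk.dll is the SDK assembly and
# lives beside this script; Splunk.Service has a (host, port, scheme) constructor
# and Login()/Logout() methods; Token/GetIndexes() are the members the transcript shows.

# $PSScriptRoot is populated automatically in PowerShell 3+ (one reason the
# post requires v3); use it to load the SDK assembly from the module folder.
Add-Type -Path (Join-Path $PSScriptRoot 'Splunk.dll')

function Connect-Splunk {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, Position = 0)]
        [string] $ComputerName,

        [int] $Port = 8089,

        # In v3 a PSCredential parameter prompts properly and accepts a user name
        # string; in v2 this needed a workaround (the post's other v3 reason).
        [Parameter(Mandatory = $true)]
        [System.Management.Automation.PSCredential] $Credential
    )

    $service = New-Object Splunk.Service($ComputerName, $Port, 'https')

    # The SDK's Login wants a plain-text password; unwrap it only here, at the
    # call site, rather than handing the password around as a string.
    $plain = $Credential.GetNetworkCredential().Password
    try {
        [void] $service.Login($Credential.UserName, $plain)
    }
    finally {
        $plain = $null
    }

    # Token is a bearer session key: anyone holding it can act as this user
    # until it is dropped or times out server-side. Keep it in the process,
    # not in transcripts, logs or pasted blog posts.
    if (-not $service.Token) {
        throw "Login to $ComputerName returned no session token; refusing to continue."
    }

    Set-Variable -Name SPLUNK_SERVICE -Value $service -Scope Global
    return $service
}

function Disconnect-Splunk {
    [CmdletBinding()]
    param()
    if ($Global:SPLUNK_SERVICE) {
        # Logout() drops the session key from the service object; the transcript
        # shows that further calls fail with 401 after this.
        $Global:SPLUNK_SERVICE.Logout()
        Remove-Variable -Name SPLUNK_SERVICE -Scope Global
    }
}

function Get-SplunkLargeIndex {
    # Same query as the module's help example, but it fails fast when there is
    # no live session instead of surfacing the 401 at the end of the post.
    [CmdletBinding()]
    param([int] $MinSizeMB = 100)

    if (-not $Global:SPLUNK_SERVICE -or -not $Global:SPLUNK_SERVICE.Token) {
        throw 'Not connected; run Connect-Splunk first.'
    }
    $Global:SPLUNK_SERVICE.GetIndexes() |
        Where-Object { $_.CurrentDBSizeMB -gt $MinSizeMB } |
        Select-Object Name, HomePathExpanded, CurrentDBSizeMB
}

# Usage (the host name is a placeholder):
# Connect-Splunk -ComputerName splunk.example.internal -Credential (Get-Credential)
# Get-SplunkLargeIndex -MinSizeMB 100 | Format-Table -AutoSize
# Disconnect-Splunk
```

One caveat before pointing this at anything real: the Splunk management port (8089) ships with a self-signed certificate by default, so check how the SDK’s HTTP layer validates server certificates before trusting a script like this on a network where the search head could be impersonated.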

Below is a transcript of my PowerShell session where you can see the code in action. The actual “hey, what can I do with this” part is the $SPLUNK_SERVICE.GetIndexes() call near the end; you can’t miss it. Note that the Token value printed after Connect-Splunk is the session key that the SDK sends with every subsequent REST request, so treat it as a credential and keep it out of shared transcripts and logs. Also be sure to try piping the $SPLUNK_SERVICE object to Get-Member, and you’ll see there are several methods to play with.

PS C:\Users\hrottenberg> Import-Module Splunk2
PS C:\Users\hrottenberg> get-command -Module Splunk2
CommandType     Name                                               ModuleName
-----------     ----                                               ----------
Function        Connect-Splunk                                     Splunk2
Function        Disconnect-Splunk                                  Splunk2
PS C:\Users\hrottenberg> help Connect-Splunk
Connects to a Splunk server
Connect-Splunk [-ComputerName] <String> [-Port <Int32>] -Credential <PSCredential> [<CommonParameters>]
This function connects to a Splunk server via the REST API and creates a service object called $SPLUNK_SERVICE.
This object can be used to interact with Splunk directly, or is used by other functions in this module to
share a persistent session.
To see the examples, type: "get-help Connect-Splunk -examples".
For more information, type: "get-help Connect-Splunk -detailed".
For technical information, type: "get-help Connect-Splunk -full".
PS C:\Users\hrottenberg> Connect-Splunk -ComputerName -Credential (Get-Credential)
cmdlet Get-Credential at command pipeline position 1
Supply values for the following parameters:
Token   : Splunk 4e691cd33d3981054803ca9c5b62ba82
Version : 5.0.1
Host    :
Port    : 8089
Prefix  :
Scheme  : https
PS C:\Users\hrottenberg> help Connect-Splunk -Examples
Connects to a Splunk server
-------------------------- EXAMPLE 1 --------------------------
C:\PS>Connect to a Splunk server and list all indexes greater than 100 MB in size
Connect-Splunk -ComputerName
$idx = $SPLUNK_SERVICE.GetIndexes()
$idx | Where-Object { $_.CurrentDBSizeMB -gt 100 } | Format-Table name, HomePathExpanded, CurrentDBSizeMB -AutoSize
PS C:\Users\hrottenberg> $idx = $SPLUNK_SERVICE.GetIndexes()
PS C:\Users\hrottenberg> $idx | Where-Object { $_.CurrentDBSizeMB -gt 100 } | Format-Table name, HomePathExpanded, CurrentDBSizeMB -AutoSize

Name      HomePathExpanded                                   CurrentDBSizeMB
----      ----------------                                   ---------------
_internal /Applications/splunk/var/lib/splunk/_internaldb/db            4215
isilon    /Applications/splunk/var/lib/splunk/isilon/db                  624
main      /Applications/splunk/var/lib/splunk/defaultdb/db               156

PS C:\Users\hrottenberg> Disconnect-Splunk
Token   :
Version : 5.0.1
Host    :
Port    : 8089
Prefix  :
Scheme  : https
PS C:\Users\hrottenberg> $SPLUNK_SERVICE.GetIndexes()
The following exception occurred while trying to enumerate the collection: "The remote server returned an error: (401)
At line:1 char:1
+ $SPLUNK_SERVICE.GetIndexes()
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo          : NotSpecified: (:) [], ExtendedTypeSystemException
+ FullyQualifiedErrorId : ExceptionInGetEnumerator

Posted by Hal Rottenberg
