Everybody Splunk with the Splunk SDK

One of our partners in Asia came up with the interesting catch phrase “Everybody Splunk”, which we now say internally. Today’s topic is about everybody using Splunk’s SDKs. As I’ve spoken to Splunk users, I’ve noticed that many of them are not aware that the SDKs exist. This topic has been discussed elsewhere in the development guide, but I’ll summarize. Splunk provides SDKs for running searches outside of Splunk Web and the CLI; they are available for:

  • Java
  • Python
  • C#
  • PHP

If that doesn’t cover your favorite language, use the REST API, which is the foundation for the SDKs. With the REST API, you can search an index from any language that can make HTTP requests. The approach in each SDK is essentially the same: first authenticate, then create the search, iterate over the results, and finally close the job. It’s that simple.
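The four-step flow above, written directly against the REST API that underlies the SDKs, as an added example that is not Splunk's own SDK code. It uses only the Python standard library and the documented endpoints (`/services/auth/login`, `/services/search/jobs`, `/services/search/jobs/{sid}/results`) on the default management port 8089; the host name, credentials, session key, search ID and result rows are constructed placeholders, and the `fake_transport` that answers in the server's place is constructed so the flow can be exercised offline. Two points the SDKs handle for you are made explicit here: credentials are exchanged once for a session key that is sent as `Authorization: Splunk <key>` on every later call, and the job is deleted in a `finally` block so search artifacts are released even when result handling fails.

```python
"""Minimal Splunk REST search client (added example, not Splunk SDK code)."""
import json
import time
import urllib.parse
import urllib.request

# Constructed placeholder host; 8089 is Splunk's default management port.
SPLUNK_URL = "https://splunk.example.com:8089"


def urllib_transport(method, url, headers, body=None):
    """Real transport: urllib verifies the server certificate by default."""
    data = body.encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


class SplunkSearch:
    def __init__(self, base_url, transport=urllib_transport):
        self.base_url = base_url.rstrip("/")
        self.transport = transport
        self.session_key = None

    def _call(self, method, path, params=None):
        headers = {"Content-Type": "application/x-www-form-urlencoded"}
        if self.session_key:  # every call after login carries the session key
            headers["Authorization"] = "Splunk " + self.session_key
        url = self.base_url + path
        body = None
        if method == "POST":
            body = urllib.parse.urlencode(params or {})
        elif params:
            url += "?" + urllib.parse.urlencode(params)
        return self.transport(method, url, headers, body)

    def login(self, username, password):
        # Step 1: exchange the password once for a session key.
        text = self._call("POST", "/services/auth/login",
                          {"username": username, "password": password, "output_mode": "json"})
        self.session_key = json.loads(text)["sessionKey"]
        return self.session_key

    def create_job(self, query, earliest="-24h", latest="now"):
        # Step 2: the REST API expects the query to begin with a generating command.
        if not query.lstrip().startswith("search "):
            query = "search " + query
        text = self._call("POST", "/services/search/jobs",
                          {"search": query, "earliest_time": earliest,
                           "latest_time": latest, "output_mode": "json"})
        return json.loads(text)["sid"]

    def is_done(self, sid):
        text = self._call("GET", f"/services/search/jobs/{sid}", {"output_mode": "json"})
        return bool(json.loads(text)["entry"][0]["content"]["isDone"])

    def results(self, sid, page_size=1000):
        # Step 3: page through results so a large result set is streamed, not loaded at once.
        offset = 0
        while True:
            text = self._call("GET", f"/services/search/jobs/{sid}/results",
                              {"output_mode": "json", "count": page_size, "offset": offset})
            page = json.loads(text).get("results", [])
            if not page:
                return
            yield from page
            offset += len(page)

    def cancel(self, sid):
        # Step 4: delete the job so its dispatch directory and slot are released.
        self._call("DELETE", f"/services/search/jobs/{sid}")
        return True


def run_search(client, username, password, query, page_size=1000):
    """Full flow; returns the result rows as a list of dicts."""
    client.login(username, password)
    sid = client.create_job(query)
    while not client.is_done(sid):
        time.sleep(1)
    try:
        return list(client.results(sid, page_size))
    finally:
        client.cancel(sid)


# Constructed stand-in for a Splunk server so the flow runs offline.
CONSTRUCTED_ROWS = [{"host": "web01", "status": "500"},
                    {"host": "web02", "status": "500"},
                    {"host": "web01", "status": "503"}]


def fake_transport(log):
    def transport(method, url, headers, body=None):
        log.append((method, url, headers.get("Authorization"), body))
        parsed = urllib.parse.urlparse(url)
        qs = urllib.parse.parse_qs(parsed.query)
        if parsed.path == "/services/auth/login":
            return json.dumps({"sessionKey": "CONSTRUCTED_SESSION_KEY"})
        if parsed.path == "/services/search/jobs":
            return json.dumps({"sid": "1700000000.1"})
        if parsed.path.endswith("/results"):
            off, cnt = int(qs["offset"][0]), int(qs["count"][0])
            return json.dumps({"results": CONSTRUCTED_ROWS[off:off + cnt]})
        if method == "DELETE":
            return "{}"
        return json.dumps({"entry": [{"content": {"isDone": True}}]})
    return transport


if __name__ == "__main__":
    calls = []
    client = SplunkSearch(SPLUNK_URL, transport=fake_transport(calls))
    print(run_search(client, "user", "pw", "index=main status=5*", page_size=2))
```

Against a real server, construct `SplunkSearch(SPLUNK_URL)` with the default transport; everything else is unchanged. The search string should come from code, not from user input concatenated into the query, since the Splunk search language can itself read and delete data depending on the authenticated user's role.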

This brings me to the heart of today’s topic: doing a search in an application. Developers are often asked to look at time-series data files (e.g. log files or application-generated events) from within an application. They may end up using libraries that read, parse, and search those files. Even if the code is simple, files that are only a few MB in size today may grow to GBs within weeks, and any such search is sequential and probably slow. If instead the data were indexed in Splunk (just point Splunk at it), an SDK could be used to perform the search. Because the data is indexed, search time has high-performance characteristics, and Splunk’s search capabilities and language provide a rich interface for building the search. In this manner, Splunk becomes part of the application, where search is an integral part of development and of the production results. In a future blog, I’ll go over an example using one of the SDKs.

Now, I just can’t resist adding some verse to Everybody Splunk. Don’t worry; I won’t quit my day job.

Everybody Splunk.
Superstars Dunk.
Everyone say hey.
Find the needle in the hay.
Let Splunk show you the way.

Posted by Nimish Doshi

Nimish is Director, Technical Advisory for Industry Solutions providing strategic, prescriptive, and technical perspectives to Splunk's largest customers, particularly in the Financial Services Industry. He has been an active author of Splunk blog entries and Splunkbase apps for a number of years.