BT

Reactive Extensions, Async, and Splunk

| by Jonathan Allen Follow 578 Followers on Oct 12, 2014. Estimated reading time: 1 minute |

The 2.0 version of the Splunk C# SDK is heavily invested in modern C# features. Every major operation from login-onwards is available via asynchronous methods. For example:

var service = new Service(Scheme.Https, "localhost", 8089);
await service.LogOnAsync("admin", "changeme");
var results = await service.ExportSearchResultsAsync
    ("search error",
    new SearchExportArgs {EarliestTime = "rt-1h", LatestTime = "rt"});

Glenn Block writes about this sample,

In the code I am using the ExportSearchResultsAsync method that will push results from the server continually as they are are available. I am then looping through the results and outputting each raw event. The result object is a Dynamic object allowing any fields that Splunk has extracted to be accessed as properties.

The results variable above is a SearchResultStream which also implements IObservable<T>. This means you can use it with the Reactive Extensions (Rx). Rx offers a push based programming model which fits well with Splunk’s real time manner. Additionally Rx provides a set of operators that you can use to act on the data as it is received in a declarative fashion for applying filtering logic, group by, ordering and more.

The pattern to take advantage of Splunk’s sampling capabilities is fairly straightforward. Simply convert the results into an Observable, set the sampling rate, and then subscribe to the results.

results
.ToObservable()
.Sample(new TimeSpan(0, 0, 5))
.Subscribe( Observer.Create<dynamic>(r => Console.WriteLine(r._raw)) );

Of course, this requires the use of the Reactive Extensions framework.

Logging

Another feature of this release is support for Semantic Logging Application Block (SLAB), which is part of Microsoft’s Enterprise Library. Unlike traditional logs, which are mostly string-based, a semantic log maintains separate fields for each data point in the log entry.

Since the list of captured fields varies significantly from event to event, a fully structured data store such as SQL Server is a poor fit. But Splunk, which is designed specifically to index unstructured and semi-structured data, is in theory a good combination.

In addition to the SLAB listener, the Splunk C# SDK also includes traditional Trace listeners.

Mobile Support

The SDK is a Portable Class Library (PCL), which means it can be used in apps written for the Windows Phone, iOS, Android, and the Windows Store.

Rate this Article

Adoption Stage
Style

Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Tell us what you think

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread
Community comments

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Discuss

Login to InfoQ to interact with what matters most to you.


Recover your password...

Follow

Follow your favorite topics and editors

Quick overview of most important highlights in the industry and on the site.

Like

More signal, less noise

Build your own feed by choosing topics you want to read about and editors you want to hear from.

Notifications

Stay up-to-date

Set up your notifications and don't miss out on content that matters to you

BT