Introduction

While Splunk server provides powerful reporting abilities, the possibilities for developing your own custom reporting solution are almost endless. All you need is the Splunk .NET SDK and a charting component of your choice. In this article we'll introduce how you can easily build a simple web report in Visual Studio 2005.

Details

Requirements

1. Splunk server with indexed http server logs
2. Splunk .NET SDK library
3. Any charting library compatible with .NET
4. Visual Studio 2005 with .Net framework installed

Preparation

• In this example we use logs, generated by an Apache server. You can refer to Splunk documentation for guidance on how to index Apache logs with Splunk. For now we would assume that you have them indexed and the Splunk server is up and running.

• Make sure you have downloaded the latest .NET SDK library. You can get it here.

• For charts drawing you can use any commercial or open-source solutions available for .NET. In this sample we used a library, called ZedGraph, which is licensed under the LGPL. It's highly configurable and provides a set of the most popular chart types.

Development steps

• Launch Visual Studio 2005 and create a new Windows Forms project.

• Add references to Splunk .NET SDK library and ZedGraph library

• Drag as many ZedGraph controls as you need from toolbox to your form

• Drag basic controls, that you will later use to specify Splunk server address, authentication information, time range and any optional parameters.

• Drag an action button that would execute the requested query

• Write code, that would connect to Splunk server, using provided authentication information:

SplunkConnection con = new SplunkConnection(hostPath);
con.Authenticate(username, password);

SearchManager searchMgr = new SearchManager(con);
this.searchMgr = searchMgr;

• Write a method that would execute a search query

private SearchEvent[] ExecuteSearch(DispatchParameters parameters)
{
    SearchJob job = searchMgr.SyncSearch(parameters);
    SearchEvent[] results = job.GetResults(null);
    job.Cancel();

    return results;
}

• Now you can add specific methods for getting list of hosts that referred to your pages, most visited pages, popular browsers and so on. Initialize SearchString parameter of DispatchParameters object with relevant Splunk search query. Running search will return an array of search results that you can further use to initialize your charts. Make sure your request is valid, i.e. you specify the correct sourcetype and field name.

public SearchEvent[] GetReferers(DispatchParameters parameters )
{
    parameters.SearchString = "search sourcetype::access_* | top limit=10 referer_domain";
    return ExecuteSearch(parameters);
}

• Add code that initializes ZedGraph controls after the form is created. Please refer to the documentation of a charting library you use in your application for details.

• Finally, add a handler for the action button on your form. It will call methods you've written in previous step and pass their results to ZedGraph chart controls.

• Build and run your application.

Usage

The sample project with source and executables can be downloaded here.

At launch, our sample will ask you to provide server url and authentication data. After clicking the Connect button, it will try to establish a connection with that server.

If connection was successful, you can select start and end time for your report using time picker controls on the top of the form. Click the "Generate" button when you select the time range.

The form will update and charts will appear on the form.

You can connect to a different server by entering a new address in Server URL field and clicking the "Generate" button. You'll be asked user credentials and then follow previous steps to generate a new report.