Cmdlets for Splunk

Build 24.0.8963

Establishing a Connection

With the CData Cmdlets users can install a data module, set the connection properties, and start scripting. This section provides examples of using our Splunk Cmdlets with native PowerShell cmdlets, like the CSV import and export cmdlets.

Installing and Connecting

If you have PSGet, installing the cmdlets can be accomplished from the PowerShell Gallery with the following command. You can also obtain a setup from the CData site.

Install-Module SplunkCmdlets

The following line is then added to your profile, loading the cmdlets on the next session:

Import-Module SplunkCmdlets;

You can then use the Connect-Splunk cmdlet to create a connection object that can be passed to other cmdlets:

$conn = Connect-Splunk -User 'MyUserName' -Password 'MyPassword' -URL 'MyURL'

Connecting to Splunk APIs

You must specify the URL to a valid Splunk server. By default the cmdlet makes requests on port 8089.

By default, the cmdlet attempts to negotiate TLS/SSL with the server. For more information on TLS/SSL configuration, see SSL Configuration.

Authenticating to Splunk

There are two ways to authenticate to Splunk data: logging in with Splunk credentials, or using a Splunk authentication token.

Splunk Credentials

To authenticate with Splunk credentials, set User and Password to your login credentials.

Splunk Token

When you access Splunk via an authentication token, you can access the Splunk platform using Representational State Transfer (REST) calls. On Splunk Enterprise, you can also use the CLI. Both of these methods enable you to access the instance and make requests without having to authenticate via credentials.

Note: Unless you are accessing a search head cluster (where you can use the same token to access all available head clusters), you must have a separate token for each instance being accessed.

To authenticate with a Splunk token:

  1. In the Splunk UI, navigate to Users and Authentication > Tokens to access your assigned authentication token. If you do not have one, request one from the administrator of the instance you want to access.
  2. Set the AuthScheme property to AccessToken, and set the AccessToken property to your Splunk token.

Retrieving Data

The Select-Splunk cmdlet provides a native PowerShell interface for retrieving data:

$results = Select-Splunk -Connection $conn -Table "DataModels" -Columns @("Name","Owner") -Where "Id='SampleDataset'"

The Invoke-Splunk cmdlet provides an SQL interface. This cmdlet can be used to execute an SQL query via the Query parameter.

Piping Cmdlet Output

The cmdlets return row objects to the pipeline one row at a time. The following line exports results to a CSV file:

Select-Splunk -Connection $conn -Table DataModels -Where "Id = 'SampleDataset'" | Select -Property * -ExcludeProperty Connection,Table,Columns | Export-Csv -Path c:\myDataModelsData.csv -NoTypeInformation

You will notice that we piped the results from Select-Splunk into a Select-Object cmdlet and excluded some properties before piping them into an Export-CSV cmdlet. We do this because the CData Cmdlets append Connection, Table, and Columns information onto each row object in the result set, and we do not necessarily want that information in our CSV file.

However, this makes it easy to pipe the output of one cmdlet to another. The following is an example of converting a result set to JSON:

 
PS C:\> $conn = Connect-Splunk -User 'MyUserName' -Password 'MyPassword' -URL 'MyURL'
PS C:\> $row = Select-Splunk -Connection $conn -Table "DataModels" -Columns @("Name","Owner") -Where "Id = 'SampleDataset'" | select -first 1
PS C:\> $row | ConvertTo-Json
{
  "Connection":  {

  },
  "Table":  "DataModels",
  "Columns":  [

  ],
  "Name":  "MyName",
  "Owner":  "MyOwner"
} 

Deleting Data

The following line deletes any records that match the criteria:

Select-Splunk -Connection $conn -Table DataModels -Where "Id = 'SampleDataset'" | Remove-Splunk

Modifying Data

The cmdlets make data transformation and data cleansing easy. The following example loads data from a CSV file into Splunk, checking first whether a record already exists and needs to be updated instead of inserted.

Import-Csv -Path C:\MyDataModelsUpdates.csv | %{
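  # Look up an existing record with the same Id as the CSV row
  $record = Select-Splunk -Connection $conn -Table DataModels -Where "Id = '$($_.Id)'"
  if($record){
    # $($_.Id) is required here: "$_.Id" would expand $_ and append the literal text ".Id"
    Update-Splunk -Connection $conn -Table DataModels -Columns @("Name","Owner") -Values @($_.Name, $_.Owner) -Where "Id = '$($_.Id)'"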
  }else{
    Add-Splunk -Connection $conn -Table DataModels -Columns @("Name","Owner") -Values @($_.Name, $_.Owner)
  }
}
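
The -Where filter in the loop above is assembled from CSV values by string interpolation, so an Id containing a quote character would alter the filter that Update-Splunk runs with. The following is an added example, not CData's code, that allow-lists each Id before it is placed in the filter. The ConvertTo-SafeIdFilter helper, the permitted character pattern, and the rejected-rows file path are assumptions made for illustration; $conn is the connection created earlier on this page.

```powershell
# Added example: validate CSV-supplied Ids before they reach a -Where filter.
# Assumes $conn comes from Connect-Splunk as shown earlier on this page.

# Hypothetical helper (not part of SplunkCmdlets). Accepts only Ids made of
# letters, digits, underscore, dot and hyphen (an assumed format), so a value
# cannot close the quoted literal or append conditions to the filter.
function ConvertTo-SafeIdFilter {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Id)
    if ($Id -notmatch '\A[A-Za-z0-9_.-]{1,128}\z') {
        throw "Rejected Id value: '$Id'"
    }
    return "Id = '$Id'"
}

$rejected = @()
Import-Csv -Path C:\MyDataModelsUpdates.csv | ForEach-Object {
    $row = $_
    try {
        $filter = ConvertTo-SafeIdFilter -Id $row.Id
    } catch {
        # Keep rejected rows for review instead of silently skipping them.
        $rejected += $row
        return   # inside ForEach-Object this moves on to the next CSV row
    }
    # The same validated filter is used for both the lookup and the update.
    $record = Select-Splunk -Connection $conn -Table DataModels -Where $filter
    if ($record) {
        Update-Splunk -Connection $conn -Table DataModels -Columns @("Name","Owner") -Values @($row.Name, $row.Owner) -Where $filter
    } else {
        Add-Splunk -Connection $conn -Table DataModels -Columns @("Name","Owner") -Values @($row.Name, $row.Owner)
    }
}

if ($rejected.Count -gt 0) {
    # Constructed output path; adjust to a location only administrators can read.
    $rejected | Export-Csv -Path C:\MyDataModelsRejected.csv -NoTypeInformation
    Write-Warning "$($rejected.Count) row(s) had an Id outside the allowed pattern and were not written."
}
```

If legitimate Ids in your data use other characters, widen the pattern deliberately rather than removing the check.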

Copyright (c) 2024 CData Software, Inc. - All rights reserved.