Hello, I'm new here, and I just wanted to show off my latest work, writing a Perl package called Splunk, which lets you conduct Splunk search engine queries from within your program.

Splunk, if you don't already know, is a commercial product that lots of large companies use. It's a search engine for syslog, but much, much more. It's a whole reporting thing too, but I'm not here to advertise for them.

I was given a task at work to create a daily report, pulling data from all over the place. Oracle queries, Splunk queries, etc. Even better, it has to set up SSH port forwarding tunnels to reach some of these servers.

To deal with the Splunk part, I wrote Splunk.pm. Here's an example of how to use it:

Code:
#!/usr/bin/perl
######################################################################
# splunktest.pl
#
# shows off the Splunk.pm package for
# querying the splunk REST API from perl
#
# original author Patrick Wolfe - whistl034 (atsign) gmail (dot) com
#
######################################################################

use strict;
use warnings;
use Splunk;

&test_splunk(@ARGV);
exit(0);

######################################################################
sub test_splunk
{
	my $result;

	# initialize Splunk REST connection
	$Splunk::base_url = 'https://10.11.12.34:8089';
	$Splunk::splunk_username = 'myusername';
	$Splunk::splunk_password = 'mypassword';
	&Splunk::Initialize(0); # pass 1 to enable verbose debug output

	# perform a query (YOU MUST specify the time)
	$result = &Splunk::Query('earliest=-1h@h latest=-0h@h URL=* Time=* '
	  .'| stats count as Hits, count(eval(Time>10000)) as Long');

	# since we know there's only one row and we know the field names
	print "Last hour: ", $result->{0}->{'Hits'}, " Hits, ",
		$result->{0}->{'Long'}, " Long Transactions\n";

	# now try a query that returns more than one row
	$result = &Splunk::Query('earliest=-31m@m latest=-1m@m URL=* Time=* '
	  .'| timechart span=1m count as HPM, mean(Time) as ARTPM');

	# display the results returned
	foreach my $row (sort { $a <=> $b } (keys(%{ $result }))) {
		print "Row $row: ";
		foreach my $field (keys(%{ $result->{$row} })) {
			print $field, "=", $result->{$row}->{$field}, ", ";
		}
		print "\n";
	}

	# please call Cleanup when done, to terminate any SSH tunnels
	&Splunk::Cleanup();
}
And if anyone is interested, I'll post the whole Splunk.pm module. It's under 400 lines, but I don't want to flood the board my first time out.
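The REST exchange a module like Splunk.pm has to wrap (session login, a blocking search job, then the results fetch), as an added sketch in Perl that is not the author's Splunk.pm: it assumes LWP::UserAgent and JSON from CPAN are installed, takes the management URL and credentials from the SPLUNK_URL, SPLUNK_USER and SPLUNK_PASS environment variables instead of hardcoding a password in the script, and the failed-login query at the bottom is a constructed sample.

```perl
#!/usr/bin/perl
# Added example, not Splunk.pm: the three REST calls behind one search.
# Assumes SPLUNK_URL, SPLUNK_USER and SPLUNK_PASS are set in the environment.
use strict;
use warnings;
use LWP::UserAgent;
use JSON qw(decode_json);

my $base = $ENV{SPLUNK_URL} || 'https://localhost:8089';   # management port
my $ua = LWP::UserAgent->new(
    ssl_opts => { verify_hostname => 1 },   # keep TLS verification on
    timeout  => 60,
);

# Step 1: POST /services/auth/login swaps username/password for a session key.
sub login {
    my $r = $ua->post("$base/services/auth/login",
        [ username => $ENV{SPLUNK_USER}, password => $ENV{SPLUNK_PASS},
          output_mode => 'json' ]);
    die "login failed: " . $r->status_line unless $r->is_success;
    return decode_json($r->decoded_content)->{sessionKey};
}

# Step 2: create a blocking search job (the call returns once the job finishes).
# Time bounds go in earliest_time/latest_time rather than in the search string.
sub run_search {
    my ($key, $search, $earliest, $latest) = @_;
    my @auth = (Authorization => "Splunk $key");   # session key, never the password
    my $r = $ua->post("$base/services/search/jobs", @auth, Content => [
        search => "search $search", earliest_time => $earliest,
        latest_time => $latest, exec_mode => 'blocking', output_mode => 'json' ]);
    die "job create failed: " . $r->status_line unless $r->is_success;
    my $sid = decode_json($r->decoded_content)->{sid};

    # Step 3: fetch results and reshape them into Splunk.pm's row => {field => value} layout.
    $r = $ua->get("$base/services/search/jobs/$sid/results?output_mode=json", @auth);
    die "results fetch failed: " . $r->status_line unless $r->is_success;
    my $rows = decode_json($r->decoded_content)->{results};
    my %result;
    $result{$_} = $rows->[$_] for 0 .. $#{$rows};
    return \%result;
}

# Constructed sample: failed Splunk logins per user over the last whole hour.
my $res = run_search(login(),
    'index=_audit action=login_attempt info=failed | stats count by user', '-1h@h', '@h');
for my $row (sort { $a <=> $b } keys %$res) {
    print "Row $row: ", join(', ', map { "$_=$res->{$row}{$_}" } sort keys %{ $res->{$row} }), "\n";
}
```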