LINQ on Splunk
Language-Integrated Query (LINQ) is a set of features
introduced in Visual Studio 2008 that extends powerful query capabilities for
use by applications. LINQ is widely used in web applications and services in a
variety of industries such as finance, retail, telecommunication and insurance.
LINQ provides two features. It enables constructs in the language that have
become very popular with web developers. And it abstracts the underlying data
source while enabling the same query logic to operate against any data source.
The language syntax for querying are available as standard query operators and
they are very much in nature to SQL ANSI standard which have an established
foundation in data storage and retrieval. While SQL is ubiquitously used for
relational data, the standard query operators are not restricted to work
against a database. LINQ can be executed on XML, plaintext, CSV, databases etc.
so long as the standard query operators can see a sequence of objects on which
to perform their operations such as selection, conversion, merging etc. This
enumeration of the items in a sequence is defined by an interface popularly
known as IEnumerable. The behavior
demanded from collections implementing this interface is that the items can be
extracted via iterations. At the same time, the data providers implement an
interface called the IQueryable that can take an expression tree and execute it
on the data source. Together these interfaces connect an application to the
data source with the help of powerful querying capabilities.
Splunk also provides programmable interfaces to its data
source via what are known as Entities and Collections, which provide a common
mechanism for a plethora of resources. Most of the SDK makes REST API calls and
hence operates on a single resource or a collection. Entity and
EntityCollection both derive from common base class Resource. Note that this pattern exposes the resources
per se and not their querying capabilities.
When objects are instantiated they are local snapshots of values as read
and copied from the server. Changes made on the server are not available until
a refresh is called. Compare this with the object relational mapping (ORM)
software that use LINQ patterns. The ORMs are able to interpret that the state
of an object has become ‘dirty’ from local updates and needs to save to disk
seamlessly. At the same time, an
observer pattern notifies the application of the updates made to the server
data.
Splunk does have its own powerful querying
capabilities. Splunk search operators
are similar to Unix style piped operators and are also available for use from
the same SDK. These are exposed as searches and jobs and they can take a string
containing the search query and execute it on the server. The results are then
returned to the caller. Searches can be either one shot or real time. The one-shot is a synchronous API and it returns
a stream. Real-time searches return live events as they are indexed, and this
type of search continues to arrive. To view the results from a real-time
search, we view the preview results.
Some parameters to the Search Job enable this mode. In the normal
execution mode, a Search Job is first created with a search string and then the
job is polled for completion. A built-in XML parser can then render the stream
of results.
Thus we note that there is a mismatch in the way the items
are retrieved from the server from the server to the application between LINQ and
Splunk search. That said, the power of Splunk can be made available via
adapters via LINQ patterns.
No comments:
Post a Comment