topic Splunk API PDF Generation in Splunk Dev

Splunk API PDF Generation

BrownNicholasGS — Tue, 14 Nov 2023 18:11:25 GMT

I am using splunk 8.2.12 and am trying to generate a pdf via an existing alert action using splunk api calls. The action was originally developed for automated ticketing within another app when a splunk alert is triggered. The end goal is to be able to upload the pdf of search results based on the alert to the ticket in an automated way. below is the current state of the code:

def create_pdf_for_ticket(payload, output_file): # Extract relevant information from the payload ticket_id = payload.get('sid') index = payload.get('result', {}).get('index') sourcetype = payload.get('result', {}).get('sourcetype') # Construct the search query based on the extracted information search_query = f'search index={index} sourcetype={sourcetype} sid={ticket_id}' # Make the API request to execute the search and get the results search_payload = { 'search': search_query, 'output_mode': 'json', } search_response = requests.get('http://localhost:8089/services/search/jobs/export', params=search_payload, headers=post_headers) # Check if the search request was successful if search_response.status_code == 200: # Save the search results to a file with open(output_file, 'wb') as pdf_file: pdf_file.write(search_response.content) print(f"PDF created successfully at: {output_file}") else: print(f"Error creating PDF: {search_response.status_code} - {search_response.text}") def main(): ***** # Create PDF for the ticket output_file = os.environ['SPLUNK_HOME'] + '/etc/apps/Splunk_Ivanti/local/ticket.pdf' create_pdf_for_ticket(payload, output_file) *****

Re: Splunk API PDF Generation

_JP — Thu, 16 Nov 2023 21:49:27 GMT

When you say, "upload the pdf of search results based on the alert to the ticket in an automated way" are you wanting to take the PDF that the code creates (the file /etc/apps/Splunk_Ivanti/local/ticket.pdf) and post it to some other endpoint?

If the answer is yes, then you'd need to write the python to do that send. If you want an example how this is done, take a look at the %SPLUNK_HOME%/etc/apps/alert_webhook/bin/webhook.py. That's the code behind the Webhook Alert Action and it does a fairly simple send of data to a URL.

Re: Splunk API PDF Generation

BrownNicholasGS — Fri, 17 Nov 2023 13:28:08 GMT

JP I already have a connection to the other app in another part of my python you aren't seeing- this is a *new feature* on a app that I had previously built.

I guess the real question is - is there a way to

1) call Splunk's built in PDF GEN with a SID from an alert action or

2) run a report based on info from an alert action

3) some other method I'm just not thinking of

I do have a new working version that uses fpdf to create a pdf based on the xml output of the jobs/{SID}/results API call so if there is no other way I may just have to bite the bullet on that.

Re: Splunk API PDF Generation

_JP — Fri, 17 Nov 2023 18:20:38 GMT

I don't know off the top of my head if you can get to the PDF generation functionality from within Python - I've never tried in python and I haven't been able to find any documentation within Splunk's documentation if they officially expose those calls in their Python SDK. The PDF stuff in Splunk is based off of ReportLab, and lives in %SPLUNK_HOME%\Python-3.7\Lib\site-packages\reportlab, so you can poke aroundthere a bit to see if that helps. I wasn't finding anything obvious of Splunk-written python calling the ReportLab stuff to generate a PDF, your luck might be better.

You can get a PDF generated from a REST endpoint - but do keep in mind that the overall PDF generation in Splunk is dashboard-centric, not search-centric. So you will need to create a Dashboard that renders the results for your SID, and then have that be generated as a PDF. Here are a few posts of people generating the PDF via a REST call which you can do from the CLI, within Python, etc. Once you have those bytes you can send those on to where you need:

Solved: Re: Generate PDF from View in REST API - Splunk Community

Trigger a PDF via the command line - Splunk Community

Historically the built-in PDF generation of Splunk has left something to be desired. It's just been OK...There are some apps on Splunkbase that help with various PDF things you could look into as well:

PDF Apps: https://splunkbase.splunk.com/apps?keyword=pdf