All Apps and Add-ons
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Fireye Analytics Daily Report

jgoddard
Path Finder
‎07-31-2015 10:12 AM

I get nothing but errors from this report. I suspect this is due to Splunk retiring the PDF generator as of 6.0, but that might not be it.

The email report error message states:

An error occurred while generating the PDF. Please see python.log for detail

Looking at the python log, I see:
2015-07-30 23:58:01,684 +0000 INFO sendemail:954 - sendemail pdfService = pdfgen
2015-07-30 23:58:01,684 +0000 INFO sendemail:1080 - sendemail:mail effectiveTime=1438300680
2015-07-30 23:58:02,078 +0000 INFO pdfgen_endpoint:386 - pdf time-of-report=1438300680.0
2015-07-30 23:58:02,092 +0000 ERROR pdfgen_endpoint:188 - Bailing out of Integrated PDF Generation. Exception raised while preparing to render "Untitled" to PDF. Row on line=3 specifies row grouping but has <panel> children, which is not allowed
Traceback (most recent call last):
File "/opt/splunk/etc/system/bin/pdfgen_endpoint.py", line 162, in initialize
sessionKey=self.sessionKey)
File "/opt/splunk/lib/python2.7/site-packages/splunk/pdf/pdfgen_views.py", line 150, in getDashboardTitleAndPanels
return getDashboardTitleAndPanelsFromXml(dashboard.data, namespace, owner, sessionKey)
File "/opt/splunk/lib/python2.7/site-packages/splunk/pdf/pdfgen_views.py", line 160, in getDashboardTitleAndPanelsFromXml
dashboard = createDashboardFromXml(et.fromstring(dashboardXml), sourceApp=namespace)
File "/opt/splunk/lib/python2.7/site-packages/splunk/models/view_escaping/fromdash.py", line 107, in createDashboardFromXml
dashboard.rows.append(createRowFromXml(rowNode, sourceApp))
File "/opt/splunk/lib/python2.7/site-packages/splunk/models/view_escaping/fromdash.py", line 278, in createRowFromXml
raise Exception(('Row on line=%s specifies row grouping but has children, which is not allowed') % rowNode.sourceline)
Exception: Row on line=3 specifies row grouping but has <panel> children, which is not allowed

2015-07-30 23:58:02,114 +0000 ERROR sendemail:965 - An error occurred while generating a PDF: Failed to fetch PDF (status = 400): Unable to render PDF.<br/><ul><li>Bailing out of Integrated PDF Generation. Exception raised while preparing to render "Untitled" to PDF. Row on line=3 specifies row grouping but has <panel> children, which is not allowed</li></ul>

I am wondering what the fix is for this. I'd love to get the report, don't care if its PDF format or not.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

TonyLeeVT
Builder
‎08-23-2015 02:43 PM

Ouch!! After a few hours of troubleshooting it is the simplest thing that gets you... Apparently the extra validation from Splunk v6.2 does not like the grouping=7 attribute shown in the code snippet below. By deleting that attribute from the dashboard it fixes the issue. I hope to release an update to the app this weekend which will solve this and update the report at the same time. 

<dashboard stylesheet="custom.css">
  <label>FireEye Analytics</label>
  <row grouping="7">
    <panel>
      <single>

To help assist others in troubleshooting, this is the process I followed:

Check the date on the Splunkbox:
============================
date
Sun Aug 23 10:03:04 EDT 2015

Setup reporting:
=============
Help -> Setup
Enabled the report, adjusted the cron schedule

Artifacts:
=======
Setup modifies the following file, but you cannot modify the file with a text editor and expect cron to kick off:
/opt/splunk/etc/apps/FireEyev3/local/savedsearches.conf

Splunk log file:
tail -f /opt/splunk/var/log/splunk/python.log

2015-08-23 10:04:01,715 -0400 INFO sendemail:948 - sendemail pdfService = pdfgen
2015-08-23 10:04:01,716 -0400 INFO sendemail:1072 - sendemail:mail effectiveTime=1440338640
2015-08-23 10:04:02,187 -0400 INFO pdfgen_endpoint:400 - pdf time-of-report=1440338640.0
2015-08-23 10:04:07,509 -0400 INFO sendemail:1095 - Generated PDF for email
2015-08-23 10:08:47,828 -0400 INFO sendemail:109 - Sending email. subject="Splunk Report: Daily Analytics Report", results_link="httpx://splunkbox:443/app/FireEye_v3/@go?sid=scheduler_nobody_RmlyZUV5ZV92Mw_RMD592c3f775b24f7408_at_1440338640_1", recipients="[u'Tony.Lee -at- fireeye. com']"

Mail log file:
tail -f /var/log/maillog

Aug 23 10:08:47 splunkbox sendmail[25238]: t7NE47pY025238: from=, size=16929, class=0, nrcpts=1, msgid=201508231408.t7NE47pY025238@DN-SPLUNK-01, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
Aug 23 10:08:47 splunkbox sendmail[25238]: t7NE47pY025238: to=, delay=00:00:00, mailer=esmtp, pri=46929, dsn=4.4.3, stat=queued

Gotchas:
=======
Splunk must be restarted every time the analytics report file changes - Painful...
The cron job must be edited from the GUI to take affect

View solution in original post

Reply
Solved! Jump to solution
Solution

TonyLeeVT
Builder
‎08-23-2015 02:43 PM

Ouch!! After a few hours of troubleshooting it is the simplest thing that gets you... Apparently the extra validation from Splunk v6.2 does not like the grouping=7 attribute shown in the code snippet below. By deleting that attribute from the dashboard it fixes the issue. I hope to release an update to the app this weekend which will solve this and update the report at the same time. 

<dashboard stylesheet="custom.css">
  <label>FireEye Analytics</label>
  <row grouping="7">
    <panel>
      <single>

To help assist others in troubleshooting, this is the process I followed:

Check the date on the Splunkbox:
============================
date
Sun Aug 23 10:03:04 EDT 2015

Setup reporting:
=============
Help -> Setup
Enabled the report, adjusted the cron schedule

Artifacts:
=======
Setup modifies the following file, but you cannot modify the file with a text editor and expect cron to kick off:
/opt/splunk/etc/apps/FireEyev3/local/savedsearches.conf

Splunk log file:
tail -f /opt/splunk/var/log/splunk/python.log

2015-08-23 10:04:01,715 -0400 INFO sendemail:948 - sendemail pdfService = pdfgen
2015-08-23 10:04:01,716 -0400 INFO sendemail:1072 - sendemail:mail effectiveTime=1440338640
2015-08-23 10:04:02,187 -0400 INFO pdfgen_endpoint:400 - pdf time-of-report=1440338640.0
2015-08-23 10:04:07,509 -0400 INFO sendemail:1095 - Generated PDF for email
2015-08-23 10:08:47,828 -0400 INFO sendemail:109 - Sending email. subject="Splunk Report: Daily Analytics Report", results_link="httpx://splunkbox:443/app/FireEye_v3/@go?sid=scheduler_nobody_RmlyZUV5ZV92Mw_RMD592c3f775b24f7408_at_1440338640_1", recipients="[u'Tony.Lee -at- fireeye. com']"

Mail log file:
tail -f /var/log/maillog

Aug 23 10:08:47 splunkbox sendmail[25238]: t7NE47pY025238: from=, size=16929, class=0, nrcpts=1, msgid=201508231408.t7NE47pY025238@DN-SPLUNK-01, proto=ESMTP, daemon=MTA, relay=localhost [127.0.0.1]
Aug 23 10:08:47 splunkbox sendmail[25238]: t7NE47pY025238: to=, delay=00:00:00, mailer=esmtp, pri=46929, dsn=4.4.3, stat=queued

Gotchas:
=======
Splunk must be restarted every time the analytics report file changes - Painful...
The cron job must be edited from the GUI to take affect

Reply
Solved! Jump to solution

jgoddard
Path Finder
‎07-31-2015 10:20 AM

from the Known Issues:
The PDF Report Server App, which was deprecated in version 6.0, has been removed. In Splunk 6.2, you cannot generate PDFs from dashboards that are implemented using advanced XML.

Not sure if that is the root issue for this report or not.

0 Karma
Reply
Solved! Jump to solution

TonyLeeVT
Builder
‎08-23-2015 11:29 AM

Sorry it took me so long to reply. I have been working on a couple of cool new features and this was not a straight forward issue to investigate. It appears between Splunk v6.1 and v6.2 some changes were made to pdfgen_endpoint.py which is used to generate the PDF that is then emailed. I ran the cron job to generate the PDF on both 6.1 and 6.2. When running it in 6.1, I did not receive the errors. When running it in 6.2, I had the same errors you had. Below is the MD5 hash of both files proving that a change was made.

7aee8e67477a85e8204c342b14fdf50a /opt/splunk/etc/system/bin/pdfgen_endpoint.py <-- 6.1
6a005480a506ea07573b196f936e1f7e /opt/splunk/etc/system/bin/pdfgen_endpoint.py <-- 6.2

It appears that in 6.2, pdfgen_endpoint.py is a little more strict in what is allowed in the Advanced XML dashboards.

Here is your clue:
"2015-08-23 14:16:02,635 -0400 ERROR pdfgen_endpoint:188 - Bailing out of Integrated PDF Generation. Exception raised while preparing to render "Untitled" to PDF. Row on line=3 specifies row grouping but has children, which is not allowed"

The dashboard has the following code:

<dashboard stylesheet="custom.css">
  <label>FireEye Analytics</label>
  <row grouping="7">
    <panel>
      <single>

I will need to figure out how to rewrite the dashboard to avoid the use of panel groupings and still achieve the same look and purpose. Hope that helps explain what happened.

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...