Trigger shell script from dashboard button

Lucas_K
Motivator

I have a bit of a non-standard Splunk question. I've been asked by a customer to have a button next to each result in a "dashboard" that would allow a user to click on it.

This button would run a shell script which will generate a helpdesk ticket (already works via alerts for specific searches).

The purpose of this is to quickly allow analysts to only create tickets for incidents as required.

The issues I see for this are :

  1. Button creation with appropriate http link parameters when clicked. I'm not sure even with the use of sideutils that this is even possible.

  2. Calling the shell script from the web page only using Splunk. I could achieve the same results using another cgi web service but as this is Splunk specific I would rather not have to install and configure another system for just a single function. I haven't seen any way to directly call a splunk/bin/****.sh with the possible exception of having a very narrow search that would always trigger. So perhaps the button could run a scheduled search with an always alert.

Confusing request but I'm not sure how else to phrase this.

Ideas?

edit: additional information. I'm looking to do a soap xml call with information provided by the search. URLs with parameters will possibly not work in this situation so I'm not sure what I can do.

sideview
SplunkTrust

This is totally possible using the latest version of Sideview Utils (2.2.9), and the Table module.

The Table module was released back in 2.2. Although for day-to-day use cases, Table is really simple to use, it has some dramatic features that can cover a really wide range of advanced cases. One of these is what we call the "module embedding" feature, where any number of other modules can be cloned and embedded into each row of the rendered Table.

For the use case you're talking about here, you'd simply embed a Button and a Search into the Table module, like so:

<module name="Search" layoutPanel="panel_row1_col1">
  <param name="search"><![CDATA[
    index=_internal source=*metrics.log group="per_sourcetype_thruput" | head 1000 | stats sum(kb) as totalKB by series | eval actions="PLACEHOLDER"
  ]]></param>

  <module name="Pager">

    <module name="Table">

      <module name="Button" group="row.fields.actions">
        <param name="allowAutoSubmit">False</param>

        <module name="Search">
          <param name="search">search series="$row.fields.series$" | table series totalKB | sendemail to=test@sideviewapps.com</param>

          <module name="CustomBehavior">
            <param name="requiresDispatch">True</param>
          </module>

        </module>
      </module>             
    </module>
  </module>
</module>

In fact this example ships in Sideview utils 2.2.9 as a hidden view called "testcases_for_table_action_buttons".

But for it to make sense to you, you should check out the new and quite comprehensive docs and examples that have been added around the new "embedding" feature. These docs are also new in 2.2.9. The feature really does open up a huge array of new use cases that previously would have required writing a custom module, or an entire page rendered and driven by a custom python controller. Embed JSCharts, embed drilldowns, embed multi-level drilldowns, embed Pulldowns, embed TextFields..... You can go crazy and then some.

That said, in the 2.2.X versions prior to 2.2.9, there was a subtle bug in the Table module that prevented it from embedding the Button module correctly, so make sure to get 2.2.9 from the Sideview site.

Go to the site:
http://sideviewapps.com/apps/sideview-utils/

scroll down a bit and you'll see a link on the right that says "download full version (internal use only)".

Cheers. You can also follow us on Twitter @sideview_apps to get notified of new releases.

dahz
New Member

did this work? What ticketing system works best with Splunk?

0 Karma

sideview
SplunkTrust

Two ways that I would look into. 1) you can write a custom search command in python - http://docs.splunk.com/Documentation/Splunk/latest/Search/Writeasearchcommand and then within it you can pretty much do anything you might need including calling a shell script via popen. 2) have a Redirector module inside that Button instead of a Search module, and to write a custom controller in SplunkWeb, also in Python.

Strangely, the docs about custom controllers have gone missing. Here's another answer about it though.
http://answers.splunk.com/answers/115237/add-button-to-view-to-call-script

0 Karma

somesoni2
SplunkTrust

I am running on Sideview 2.4.9 and would like to run a shell script from a dashboard button. The example view "testcases_for_table_action_buttons" is to run a search to send email from dashboard button, but I couldn't figure out the way to execute shell script. Any pointer/example for doing that would be helpful (I am open for any less elegant way, HTML, mentioned by @sideview)

0 Karma

Lucas_K
Motivator

A follow up to this.

I saw in the example (test cases for table action button) the button triggers a search that then pipes its results to sendmail.

So I assume that the way to try and achieve my requirement would be to use the urlloader/redirector and use search results as parameters. The problem I have is that I need to craft the xml file to be used in a soap call. A normal url with additional "&key=data" parameters method won't work in this situation.

How would you go about doing a soap xml call from that button? Or alternatively call another app-system/bin located script and pass parameters or results to it.

Basically I'm looking to use information from a search which would populate an xml file which is then sent to a specific url.

At the moment all I do is use a triggered search to run a script. This script then parses the results.csv file and then inserts the results into a template xml file. It then does a curl call to the ticketing system providing this xml file on stdin. i.e. /usr/bin/curl --data-binary @payload.xml -H 'Content-Type: text/xml ' http://myhelpdesk.local:8080/helpdesk

0 Karma

Lucas_K
Motivator

Thanks for that. Still trying to get my head around what was required.

Looks like I can just use a very similar configuration to the example custom search ( https://github.com/splunk/splunk-sdk-python/tree/master/examples/custom_search ).

So now I have the methods to 1. create the button. 2. create the expected behaviour when clicked!

"Just" need to get it working now. 😉

Thanks again!

0 Karma

sideview
SplunkTrust

sendemail is a python search command, and it's meant to just stand in for a custom search command that I assume you would write yourself. There are good docs on the Splunk site for how to create a custom search command in python. What I would head towards is to use the search command to craft your XML payload in python and do the soap call from there. Alternatively you could build a custom Python controller, and then use Redirector to hit its URL.... The custom controller is probably the cleaner, safer way to go, but there wasn't an off the shelf controller I could think of for the example.

0 Karma
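
The approach suggested in the replies above (build the XML in Python from the clicked row, then hand it to the ticket helper) can be sketched as follows. This is an added example, not code from the thread, Splunk, or Sideview Utils: the `ticket` element, the field allow-list and the function names are hypothetical, and the curl argv mirrors the command quoted earlier with `@-` so the body is read from stdin.

```python
import subprocess
import sys
import xml.etree.ElementTree as ET

# Assumption: only these result fields go into the ticket (the thread's
# example search produces "series" and "totalKB").
ALLOWED_FIELDS = ("series", "totalKB")
MAX_LEN = 256

# The thread's curl call as an argv list; "@-" makes curl read the body from stdin.
CURL_CMD = ["/usr/bin/curl", "--data-binary", "@-", "-H", "Content-Type: text/xml",
            "http://myhelpdesk.local:8080/helpdesk"]
# Offline stand-in for the demo: echoes stdin back instead of contacting a server.
ECHO_CMD = [sys.executable, "-c", "import sys; sys.stdout.write(sys.stdin.read())"]


def build_ticket_xml(row):
    """Build the XML body from one result row (dict); values are escaped, not pasted."""
    ticket = ET.Element("ticket")  # hypothetical element name, not a real helpdesk schema
    for name in ALLOWED_FIELDS:
        value = str(row.get(name, ""))
        # ElementTree escapes & < > but does not reject characters XML 1.0 forbids.
        if len(value) > MAX_LEN or any(ord(c) < 0x20 and c not in "\t\n\r" for c in value):
            raise ValueError("field %r is too long or has control characters" % name)
        ET.SubElement(ticket, name).text = value
    return ET.tostring(ticket, encoding="unicode")


def submit_ticket(payload, command=CURL_CMD):
    """Run the helper with an argv list (no shell) and pass the payload on stdin."""
    proc = subprocess.run(command, input=payload.encode("utf-8"),
                          stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                          timeout=30, check=False)
    return proc.returncode, proc.stdout.decode("utf-8", "replace")


if __name__ == "__main__":
    # Constructed sample row; the series value holds XML and shell metacharacters.
    row = {"series": "access_combined & <wineventlog>; id", "totalKB": 42.5}
    payload = build_ticket_xml(row)
    print(payload)
    print(submit_ticket(payload, ECHO_CMD))
```

Because the row values travel as escaped XML text on stdin and the helper is started from an argv list, a field value containing `;`, `&` or `<` stays data and is never interpreted by a shell or by the XML parser on the receiving side.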

sideview
SplunkTrust

Yes. Actually there is an easy mechanism on the Button module for exactly this sort of case. Bad news - it requires a customBehavior. Good news - it's an extremely simple customBehavior. Even better news - here it is:

if (typeof(Sideview)!="undefined") {
    Sideview.utils.declareCustomBehavior("confirmationPopup", function(buttonModule) {
        buttonModule.customClickHandler = function() {
            return window.confirm("are you sure?");
        }
    });
}

and put this param in your Button:

<param name="customBehavior">confirmationPopup</param>

sideview
SplunkTrust

It's totally fair that a bunch of UI nuance was missing from this simple answer from years back. Things humans expect like interaction feedback. 😉 There is a much better answer I posted today with a considerably better end user experience. https://answers.splunk.com/answers/384932/sideview-button-action-to-refresh-page.html

Lucas_K
Motivator

Revisited this question as I had a similar request come up again and pleasantly surprised to find new comments and additions!

Thanks again Nick! @sideview 

0 Karma

phoenixdigital
Builder

Thanks for this Nick I have implemented some buttons in a table of results and they are calling the python scripts as expected.

However I have been asked if it is possible to add a popup confirmation to the button before the script is called?

Something like or exactly the same as 'confirm' in javascript. Is there a way to add javascript to the button?

0 Karma

Lucas_K
Motivator

Thank you for that clarification!

0 Karma

sideview
SplunkTrust

Note that Sideview Utils is free for internal use, so as long as the code being deployed belongs to your client and is being used by them for internal use only (and by you as their agent, only for use internal to their company), then the free internal use licensing will work fine.

0 Karma

Lucas_K
Motivator

Awesome thanks! Splunk should just buy this and embed it as standard functionality 😉

Will have to give the latest internal version a go then it's just a matter of convincing the client to buy it!

0 Karma

alacercogitatus
SplunkTrust

This can be done, but not with a button. Workflow Actions allow for these kinds of setups, and will pass parameters to your ticketing system. Check out the links below for some examples/documentation.

http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/CreateworkflowactionsinSplunkWeb#Set_up_a_...

http://docs.splunk.com/Documentation/Splunk/5.0/Knowledge/Aboutlookupsandfieldactions#Workflow_actio...

0 Karma

Lucas_K
Motivator

This is close but url parameters can't be used in this particular case. I need to somehow create the xml file that I can then send through to the helpdesk url.

My original post wasn't clear enough on this (will update it).

(very useful post regardless!)

0 Karma

Lucas_K
Motivator

Thanks for that. I hadn't actually seen this feature before.

Not exactly as I had envisioned this requirement to be met but might be passable until another method is found!

0 Karma

Lucas_K
Motivator

I have no rush or urgency on this at all.

My question was more a case of "if" it was possible and how it would be done.

Client had just asked for it as an extension to the existing functionality to create helpdesk tickets (scripted soap call) from alerts. I hadn't seen it done before and was unsure how it would be implemented.

0 Karma

sideview
SplunkTrust

It's the sort of thing that calls for the Table module's embedding feature, which is all new as of Sideview Utils 2.2. However putting together a testcase for you I've found an interesting bug that needs a bit of thought. Depending on when you need this solution, I can either fix the bug in 2.2.9 and sometime next week give you a solution where you embed Button modules into each row of a Table module. Or if you need it sooner I can give you a solution where we use the HTML module to do more or less the same thing but in a less elegant way.

0 Karma