
Restricted Searches and job inspector- Can I use a script that will affect all dashboards?

bengevaaa
Engager

Hello, Let's say I have many dashboards, inside each dashboard I have 10 base searches, and many visualizations on it.

Some users that use the dashboards have "Restricted Rules" on the searches, sometimes by time or by size.

My problem is that an end user who opens a dashboard and chooses a time range cannot tell that the data he sees is sometimes limited by the rules that apply to him. The normal way to find out whether the data in a panel is limited is to hover over the panel, use the small buttons that appear, and click the Inspect button.

I tried to write a script that shows a popup to make the user aware that he is restricted, but there must be a better way to solve this.

I’ve seen that Splunk has a built-in option in a search's drop-down menu that shows that message when it finds one. Does anyone have an idea how to implement this in a script that will affect all dashboards?

I will attach the script that I did and some pictures to show what I mean..

 

 

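require([
    'splunkjs/mvc',
    "splunkjs/mvc/searchmanager",
    'jquery',
    "/static/app/mce/javascript/popup_Modal.js",
    "splunkjs/mvc/simplexml/ready!"
],
    function (mvc, SearchManager, $, Modal) {
        /**
         * Dashboard extension: a few seconds after the page is ready, look up the
         * informational messages recorded for the current user's search jobs on
         * this dashboard and, if there are any, show a modal so the user knows the
         * results may have been limited.
         */

        /**
         * Wrap a value in double quotes for use as an SPL string literal.
         * Backslashes and double quotes are escaped so that a user, app or page
         * name containing them cannot close the literal and change the query.
         *
         * @param {*} value - Value to embed in the search string.
         * @returns {string} The value as a quoted SPL string literal.
         */
        function quoteSpl(value) {
            return '"' + String(value).replace(/\\/g, '\\\\').replace(/"/g, '\\"') + '"';
        }

        // The "env" token model carries the current user, app and dashboard page.
        var envTokenModel = mvc.Components.get('env');
        var username = envTokenModel.get('user');
        var app = envTokenModel.get('app');
        var page = envTokenModel.get('page');

        // NOTE(review): this search runs with the viewing user's own permissions, so it
        // only returns rows if that role can read index=_introspection and the
        // /services/search/jobs REST endpoint - confirm for the restricted roles.
        var searchMceJobs =
            "| search index=_introspection | rename search_id as JobId | join left JobId [| rest /services/search/jobs | rename dispatchState as Status eai:acl.app as App title as Search author as User runDuration as Runtime published as Published id as ID provenance as Provenance | rex field=Provenance \"UI:Dashboard:(?<Dashboard>.+)\" | search Dashboard=*| rex field=ID \"(?<JobId>[^//]*)$\"| eval Status=mvjoin(mvsort(mvdedup(split(mvjoin(Status,\",\"),\",\"))),\",\")| eval Runtime=round(Runtime,1) |  where User = " +
            quoteSpl(username) + " And App = " + quoteSpl(app) + " And Dashboard = " + quoteSpl(page) +
            " ] | stats values(messages.info) as MSG by JobId User Dashboard App updated | table MSG | sort updated";

        // Last non-zero result count seen. Declared here so the assignment below
        // does not create an implicit global.
        var oldResult;

        // Single delayed run, 5 s after the dashboard is ready.
        setTimeout(function run() {
            var mysearch = new SearchManager({
                id: 'MceSearch',
                cache: false,
                preview: true,
                search: searchMceJobs,
                earliest_time: "-10s",
                latest_time: "now",
            });
            // Release the id in the component registry; the local reference is
            // all this script needs.
            mvc.Components.revokeInstance("MceSearch");

            mysearch.on('search:done', function (properties) {
                var resultCount = properties.content.resultCount;
                if (!(resultCount > 0)) {
                    return;
                }

                console.log("DONE!\nSearch job properties:", resultCount);
                oldResult = resultCount;

                var myModal = new Modal("popupModal", {
                    title: resultCount,
                    backdrop: 'static',
                    keyboard: false,
                    destroyOnHide: true,
                    type: 'normal'
                });

                // Build the body with .text() rather than an HTML string so that
                // whatever is displayed is never parsed as markup. Keep doing this
                // if the message text from the search is shown here later.
                myModal.body.append($('<p>').text(String(resultCount)));
                myModal.footer.append($('<button>').attr({
                    type: 'button',
                    'data-dismiss': 'modal'
                }).addClass('btn btn-primary').text('ok'));
                myModal.show();
            });
        }, 5000);
        console.log('timeout active');
    });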

 

 

 

help1.pnghelp2.pnghelp3.png


kamlesh_vaghela
SplunkTrust
SplunkTrust

@bengevaaa 

I have another way to check the search log using javascript, it may be useful to you. I'm sharing my sample code here. 

<dashboard version="1.1" script="js/a.js">
  <!-- The script attribute on the root element attaches js/a.js to this dashboard. -->
  <label>Restricted Searches and job inspector</label>
  <row>
    <panel>
      <table>
        <!-- The id gives this search a name ("searchTkn") that the JavaScript
             looks up with mvc.Components.getInstance. -->
        <search id="searchTkn">
          <query>index="_internal" | stats count by sourcetype</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>

 

 

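require([
  'underscore',
  'jquery',
  'splunkjs/mvc',
  'splunkjs/mvc/tableview',
  'splunkjs/mvc/simplexml/ready!'
], function(_, $, mvc) {
    /**
     * Dashboard extension: when the search with id "searchTkn" finishes, fetch
     * that job's search.log through the Splunk service so it can be scanned for
     * messages of interest.
     */
    var searchTkn = mvc.Components.getInstance("searchTkn");
    var service = mvc.createService({ owner: "nobody" });

    searchTkn.on("search:done", function(properties) {
        // Guard against a job state that carries no search.log link instead of
        // issuing a request for "undefined".
        var links = properties && properties.links;
        var searchLogUrl = links && links["search.log"];
        if (!searchLogUrl) {
            console.warn("search:done: no search.log link on the job; nothing to inspect");
            return;
        }

        // NOTE(review): only the success path is handled; a failed request
        // (for example, the role may not read the log) is silently ignored.
        service.request(searchLogUrl, "GET", null, null, null, { "Content-Type": "application/json" }, null).done(function(response) {
            console.log(response);
            // Apply your grep OR filter logic as per your requirement.
            // If a matching log line is shown to the user, insert it with
            // .text(), not as HTML, so log content is never parsed as markup.
        });
    });
});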

 

Use the above code to fetch the search log, and integrate the Modal view if the log contains the error or information you are looking for.

I hope this will help you.

 

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

 


kamlesh_vaghela
SplunkTrust
SplunkTrust

@bengevaaa 

I have another way to check the search log using javascript, it may be useful to you. I'm sharing my sample code here. 

<dashboard version="1.1" script="js/a.js">
  <!-- The script attribute on the root element attaches js/a.js to this dashboard. -->
  <label>Restricted Searches and job inspector</label>
  <row>
    <panel>
      <table>
        <!-- The id gives this search a name ("searchTkn") that the JavaScript
             looks up with mvc.Components.getInstance. -->
        <search id="searchTkn">
          <query>index="_internal" | stats count by sourcetype</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</dashboard>

 

 

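require([
  'underscore',
  'jquery',
  'splunkjs/mvc',
  'splunkjs/mvc/tableview',
  'splunkjs/mvc/simplexml/ready!'
], function(_, $, mvc) {
    /**
     * Dashboard extension: when the search with id "searchTkn" finishes, fetch
     * that job's search.log through the Splunk service so it can be scanned for
     * messages of interest.
     */
    var searchTkn = mvc.Components.getInstance("searchTkn");
    var service = mvc.createService({ owner: "nobody" });

    searchTkn.on("search:done", function(properties) {
        // Guard against a job state that carries no search.log link instead of
        // issuing a request for "undefined".
        var links = properties && properties.links;
        var searchLogUrl = links && links["search.log"];
        if (!searchLogUrl) {
            console.warn("search:done: no search.log link on the job; nothing to inspect");
            return;
        }

        // NOTE(review): only the success path is handled; a failed request
        // (for example, the role may not read the log) is silently ignored.
        service.request(searchLogUrl, "GET", null, null, null, { "Content-Type": "application/json" }, null).done(function(response) {
            console.log(response);
            // Apply your grep OR filter logic as per your requirement.
            // If a matching log line is shown to the user, insert it with
            // .text(), not as HTML, so log content is never parsed as markup.
        });
    });
});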

 

Use the above code to fetch the search log, and integrate the Modal view if the log contains the error or information you are looking for.

I hope this will help you.

 

Thanks
KV
If any of my replies help you to solve the problem Or gain knowledge, an upvote would be appreciated.

 
