I'm not sure if what I would like to do is possible.
Interaction: Execute a command from the command line.
Result: Be emailed a link that points to a graph of the results.
I can do this in the GUI. Run a command, "Show Report", customize the report, and then get a URL for the report.
I'd like to automate the whole thing... from a command executed on the command line. Can I?
Thanks!
Getting results from the command line is relatively easy using the REST-based API and cURL or Python code, similar to the examples shown here:
http://docs.splunk.com/Documentation/Splunk/4.2.5/Developer/RESTCreateSearch
However, tying the search output to the viewstates (graphical views, report definitions, etc.) is a little more complicated. Viewstates contain the configuration for a particular report (the format, e.g. pie vs. bar, axis, legend, etc.). All viewstates are contained in either individual user preferences ($SPLUNK_HOME/etc/users/{username}) or in the $SPLUNK_HOME/etc/{app_name}/{local|default} folders, in viewstates.conf. Each viewstate has a short hash code, like *%3Agx7yogxl, which is a unique reference to that viewstate. So, if you save a search with a report view in it, a unique viewstate will be created for that report. If the report is not globally available, the viewstate will be present in the folder of the user that created the report view.
Create your search as a saved search in splunkweb under one of the Apps (e.g. 'Search'), including your report formatting etc. Ensure that the saved search has permissions such that it is possible for all users to view it (to ensure that the viewstate is also readable by those users).
Now you just need to run the REST-based search as a user that has permissions to view and run the saved search, and send the users a link to your REST-based search ID number that includes the viewstate in the URL, like this:
http://{YOUR_SPLUNK_INSTANCE}/en-US/app/search/report_builder_display?sid=1326141643.8724&vs=*%3Agx7yogxl
Here is some Python example code:
#!/usr/bin/python3 -u
import urllib.parse
import httplib2
from xml.dom import minidom

# Base URL of splunkweb, used to build the link that is sent to users
clientSplunkUrl = 'http://your.splunk.domain'
# clientViewState found in viewstates.conf and referenced in saved search config
clientViewState = '*%3Agx7yogxl'
# splunkd management (REST) endpoint
baseurl = 'https://{SPLUNK_SERVER}:8089'
userName = 'some-splunk-user'
password = 'some-splunk-password'
searchQuery = 'savedsearch "Top 10 Problems in X"'

# Log in and read the session key from the XML response
serverContent = httplib2.Http().request(baseurl + '/services/auth/login',
    'POST', headers={}, body=urllib.parse.urlencode({'username': userName, 'password': password}))[1]
sessionKey = minidom.parseString(serverContent).getElementsByTagName('sessionKey')[0].childNodes[0].nodeValue

# Create the search job and read its search ID (sid) from the XML response
serverContent = httplib2.Http().request(baseurl + '/services/search/jobs', 'POST',
    headers={'Authorization': 'Splunk %s' % sessionKey}, body=urllib.parse.urlencode({'search': searchQuery}))[1]
searchId = minidom.parseString(serverContent).getElementsByTagName('sid')[0].childNodes[0].nodeValue

# The search ID goes in the sid parameter, followed by the viewstate in vs
print('Splunk URL for graphical report:')
print(clientSplunkUrl + '/en-US/app/search/report_builder_display?sid=' + searchId + '&vs=' + clientViewState)
This is great. Thanks for the information. It's almost exactly what I am looking for, and I am going to figure out how to adapt it.
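The answer above says the viewstate ID is referenced in the saved search's configuration and then placed in the report URL next to the search ID. The following is an added example, not part of the original posts and not Splunk's own code: it reads the viewstate from a saved-search stanza, builds the link with both parameters URL-encoded, and composes the notification mail the question asks for. The `vsid` key, the sample stanza, the function names and the e-mail addresses are assumptions made for illustration.

```python
import configparser
from email.message import EmailMessage
from urllib.parse import urlencode

# Constructed sample stanza; the vsid key and its value format are assumptions.
SAMPLE_SAVEDSEARCHES = """
[Top 10 Problems in X]
search = index=main | top 10 problem
vsid = *:gx7yogxl
"""

def viewstate_for(conf_text, saved_search):
    """Return the viewstate ID stored with a saved search, or None if it has none."""
    parser = configparser.RawConfigParser(delimiters=("=",), strict=False)
    parser.optionxform = str  # keep key case as written in the file
    parser.read_string(conf_text)
    if not parser.has_section(saved_search):
        raise LookupError("no saved search named %r" % saved_search)
    return parser.get(saved_search, "vsid", fallback=None)

def report_url(splunkweb, sid, viewstate=None):
    """Build the report link; urlencode escapes the values so a stray '&' or
    '=' in either one cannot add or override query parameters."""
    params = {"sid": sid}
    if viewstate:
        params["vs"] = viewstate
    query = urlencode(params, safe="*")  # '*' stays literal, ':' becomes %3A
    return splunkweb.rstrip("/") + "/en-US/app/search/report_builder_display?" + query

def report_mail(sender, recipient, url):
    """Compose (not send) the notification; pass the result to smtplib's send_message."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = "Splunk report is ready"
    msg.set_content("Report: " + url + "\n")
    return msg

if __name__ == "__main__":
    vs = viewstate_for(SAMPLE_SAVEDSEARCHES, "Top 10 Problems in X")
    link = report_url("http://your.splunk.domain", "1326141643.8724", vs)
    print(report_mail("splunk@example.com", "ops@example.com", link))
```

The link only works for recipients who can read the saved search and its viewstate, so the permission step described in the answer still applies.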