Command line, graph, URL

jgauthier
Contributor

I'm not sure if what I would like to do is possible.

Interaction: Execute a command from the command line.

Result: Be emailed a link that points to a graph of the results.

I can do this in the GUI. Run a command, "Show Report", customize the report, and then get a URL for the report.

I'd like to automate the whole thing... from a command executed on the command line. Can I?

Thanks!


gcoles
Communicator

Getting results from the command line is relatively easy using the REST-based API and cURL or Python code, similar to the examples shown here:

http://docs.splunk.com/Documentation/Splunk/4.2.5/Developer/RESTCreateSearch

However, tying the search output to the viewstates (graphical views, report definitions, etc.) is a little more complicated. Viewstates contain the configuration for a particular report (the format, e.g. pie vs. bar, axis, legend, etc.). All viewstates are contained in either individual user preferences ($SPLUNK_HOME/etc/users/{username}) or in the $SPLUNK_HOME/etc/{app_name}/{local|default} folders in viewstates.conf. Each viewstate has a short hash code, like *%3Agx7yogxl, which is a unique reference to that viewstate. So, if you save a search with a report view in it, a unique viewstate will be created for that report. If the report is not globally available, the viewstate will be present in the folder of the user that created the report view.

Create your search as a saved search in splunkweb under one of the Apps (e.g. 'Search'), including your report formatting etc. Ensure that the saved search has permissions such that it is possible for all users to view it (to ensure that the viewstate is also readable by those users).

Now you just need to run the REST-Based search as a user that has permissions to view and run the saved search, and send the users a link to your REST-based search ID number that includes the viewstate in the URL, like this:

http://{YOUR_SPLUNK_INSTANCE}/en-US/app/search/report_builder_display?sid=1326141643.8724&vs=*%3Agx7yogxl

Here is some Python example code:

#!/usr/bin/python3 -u

import urllib.parse
import httplib2
from xml.dom import minidom

# Splunk Web address that the report link will point to
clientSplunkUrl = 'http://your.splunk.domain'
# clientViewState found in viewstates.conf and referenced in saved search config
clientViewState = '*%3Agx7yogxl'
# splunkd management (REST) port
baseurl = 'https://{SPLUNK_SERVER}:8089'
userName = 'some-splunk-user'
password = 'some-splunk-password'

searchQuery = 'savedsearch "Top 10 Problems in X"'

# Log in and read the session key from the XML response
serverContent = httplib2.Http().request(baseurl + '/services/auth/login',
    'POST', headers={}, body=urllib.parse.urlencode({'username':userName, 'password':password}))[1]

sessionKey = minidom.parseString(serverContent).getElementsByTagName('sessionKey')[0].childNodes[0].nodeValue

# Start the search job, authenticating with the session key
serverContent = httplib2.Http().request(baseurl + '/services/search/jobs','POST',
    headers={'Authorization': 'Splunk %s' % sessionKey},body=urllib.parse.urlencode({'search': searchQuery}))[1]

searchId = minidom.parseString(serverContent).getElementsByTagName('sid')[0].childNodes[0].nodeValue

# The search ID goes in the sid= parameter, followed by the viewstate reference
print('Splunk URL for graphical report:')
print(clientSplunkUrl + '/en-US/app/search/report_builder_display?sid=' + searchId + '&vs=' + clientViewState)
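
An added example (not part of the answer above and not Splunk's own code) covering the step the question asks for, putting the link into an e-mail: it reads the `sid` from the job response without crashing on an error reply, builds the `sid=`/`vs=` link with proper encoding, and wraps it in a message. The sample XML, the sid allow-list, the e-mail addresses and the subject line are assumptions made for illustration; `*:gx7yogxl` is the percent-decoded form of the viewstate reference shown above.

```python
import re
from email.message import EmailMessage
from urllib.parse import urlencode
from xml.dom import minidom

# Constructed sample responses; only the <sessionKey>/<sid> tags read by the
# script above are taken from the page, the rest of the XML shape is assumed.
SAMPLE_JOB_XML = "<response><sid>1326141643.8724</sid></response>"
SAMPLE_FAILED_LOGIN_XML = (
    '<response><messages><msg type="WARN">Login failed</msg></messages></response>')


def first_tag_text(xml_text, tag):
    """Text of the first <tag>; raises instead of IndexError when it is absent."""
    nodes = minidom.parseString(xml_text).getElementsByTagName(tag)
    if not nodes or nodes[0].firstChild is None:
        raise ValueError("no <%s> in server response" % tag)
    return nodes[0].firstChild.nodeValue.strip()


def build_report_url(web_base, sid, viewstate):
    """Report link with sid= and vs=; viewstate is the raw id, e.g. '*:gx7yogxl'."""
    # Assumed allow-list: refuse a sid that could smuggle extra URL syntax into the mail.
    if not re.fullmatch(r"[A-Za-z0-9_.\-]+", sid):
        raise ValueError("unexpected characters in sid: %r" % sid)
    query = urlencode({"sid": sid, "vs": viewstate}, safe="*")  # ':' -> %3A
    return web_base.rstrip("/") + "/en-US/app/search/report_builder_display?" + query


def build_email(sender, recipient, url):
    """Plain-text message carrying the link; hand it to smtplib.SMTP.send_message()."""
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, recipient
    msg["Subject"] = "Splunk report ready"
    msg.set_content("Graphical report:\n" + url + "\n")
    return msg


if __name__ == "__main__":
    sid = first_tag_text(SAMPLE_JOB_XML, "sid")
    link = build_report_url("http://your.splunk.domain", sid, "*:gx7yogxl")
    print(build_email("splunk@example.com", "user@example.com", link))
    try:
        first_tag_text(SAMPLE_FAILED_LOGIN_XML, "sessionKey")
    except ValueError as err:
        print("login rejected:", err)
```

The link is longer than a standard mail line, so the message body is transfer-encoded on the wire; mail clients decode it back to the original URL.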

jgauthier
Contributor

This is great. Thanks for the information. It's almost exactly what I am looking for, and I am going to figure out how to adapt it.
