Dashboards & Visualizations

Command line, graph, URL


I'm not sure if what I would like to do is possible.

Interaction: Execute a command from the command line.

Result: Be emailed a link that point to a graph of the results.

I can do this in the GUI. Run a command, "Show Report", customize the report, and then get an URL for the report.

I'd like to automate the whole thing... from a command executed on the command line. Can I?


Tags (4)
0 Karma


Getting results from the command-line is relatively easy using the REST-based API and cURL or python code, similar to the examples shown here:


However, tying the search output to the viewstates (graphical views, report definitions, etc), is a little more complicated. Viewstates contain the configuration for a particular report (the format, eg pie vs bar, axis, legend, etc etc). All view states are contained in either individual user preferences ($SPLUNK_HOME/etc/users/{username}) or in the $SPLUNK_HOME/etc/{app_name}/{local|default} folders in viewstates conf. Each viewstate has a short hash code, like *%3Agx7yogxl, which is a unique reference to that view state. So, if you save a search with a report view in it, a unique viewstate will be created for that report. If the report is not globally available, the viewstate will be present in the user that created the report view's folder.

Create your search as a saved search in splunkweb under one of the Apps (eg. 'Search'), including your report formatting etc. Ensure that the saved search has permissions such that it is possible for all users to view it (to ensure that the viewstate is also readable by those users).

Now you just need to run the REST-Based search as a user that has permissions to view and run the saved search, and send the users a link to your REST-based search ID number that includes the viewstate in the URL, like this:


Here is some python example code:

#!/usr/bin/python -u

import urllib
import httplib2
from xml.dom import minidom

clientSplunkUrl = 'http://your.splunk.domain'
# clientViewState found in viewstates.conf and referenced in saved search config
clientViewState = '*%3Agx7yogxl'
baseurl = 'https://{SPLUNK_SERVER}:8089'
userName = 'some-splunk-user'
password = 'some-splunk-password'

searchQuery = 'savedsearch "Top 10 Problems in X"'

serverContent = httplib2.Http().request(baseurl + '/services/auth/login',
    'POST', headers={}, body=urllib.urlencode({'username':userName, 'password':password}))[1]

sessionKey = minidom.parseString(serverContent).getElementsByTagName('sessionKey')[0].childNodes[0].nodeValue

serverContent = httplib2.Http().request(baseurl + '/services/search/jobs','POST',
    headers={'Authorization': 'Splunk %s' % sessionKey},body=urllib.urlencode({'search': searchQuery}))[1]

searchId = minidom.parseString(serverContent).getElementsByTagName('sid')[0].childNodes[0].nodeValue

print 'Splunk URL for graphical report:'
print clientSplunkUrl + '/en-US/app/search/report_builder_display?' + searchId + '&vs=' + clientViewState


This is great. Thanks for the information. It's almost exactly what I am looking for, and I am going to figure out how to adapt it.

0 Karma
Get Updates on the Splunk Community!

The Splunk Success Framework: Your Guide to Successful Splunk Implementations

Splunk Lantern is a customer success center that provides advice from Splunk experts on valuable data ...

Splunk Training for All: Meet Aspiring Cybersecurity Analyst, Marc Alicea

Splunk Education believes in the value of training and certification in today’s rapidly-changing data-driven ...

Investigate Security and Threat Detection with VirusTotal and Splunk Integration

As security threats and their complexities surge, security analysts deal with increased challenges and ...