Dashboards & Visualizations

How to create a saved search and alert from a SimpleXML JavaScript dashboard?

tfellinger
New Member

I am trying to find a way to create an alert out of a SimpleXML Dashboard with Javascript added.
I can find a lot of examples demonstrating this with the SDK, but I think this is just usable if you connect from the outside to Splunk, isn't it?

As I can see one has to instantiate the splunkjs-service to get methods for creating / saving searches, but how can I do this from a javascript embedded in a dashboard?

http://docs.splunk.com/DocumentationStatic/WebFramework/1.1/
This looks like in SearchManager and SavedSearchManager there a not methods for saving the searches...how can I achieve this? Can someone point me in the right direction?

Thanks!

0 Karma

tfellinger
New Member

Yes, I ditched the jQuery xhr method and used plain JavaScript xmlHttpRequest instead. This way the header is not added and you can interact with the API.

Since there has to be some creds for the API which must be accessible from the JavaScript I think this is not a good and secure solution. Afterwards I thought it would be maybe better to create a custom command for this, because custom commands are receiving an API token on execution. This would solve the "authentication problem" probably more elegantly.

Otherwise I think there are some ways to store creds more securely than just putting them into the JavaScript...just FYI if you want to build something similar. In my case I granted the used API user only as much permissions as needed and additionally I created a dashboard based on audit data to monitor if this is not abused by some attacker with access to splunk.

0 Karma

tfellinger
New Member

Since there is no documented way of adding saved searches / alerts via the web framework, I thought I try to connect to the REST API with jquery from inside the dashboard like:

    var getSessionKey = $.ajax({
        type: "POST",
        url: "http://172.x.x.x:8089/services/auth/login",
        data: "username=xxx&password=xxx",
        crossDomain: true
    }),

I edited the server.conf to allow CORS (crossOriginSharingPolicy = *), but this is also not working. It seems like Splunk is adding the header "x-splunk-form-key" automatically to every request. Since the only allowed header for CORS regarding the REST API is "authorization" this request fails, because of a CORS violation.

I tried to remove the header for my request with things like...

beforeSend: function(xhr){
     xhr.setRequestHeader('x-splunk-form-key', ' ');
},

or

beforeSend: function(xhr){
     xhr.setRequestHeader('x-splunk-form-key', null);
},

, but unfortunately this changes nothing in the request. I also did not find any way to allow additional headers for REST API requests.

Any ideas from anyone?

Thanks!

0 Karma

jralston
Explorer

I know this is old, but curious if you ever figured out a solution to this?

0 Karma