I am making a report containing multiple searches. I'd like all the searches to use the same time range.
The intent is to send a daily PDF of the dashboard. In addition, it is likely that individual users will want to view the dashboard interactively and tweak the time range.
I understand that by adding a time input to the dashboard and referencing the correct tokens in the searches, I can parameterize the time range of the dashboard. But from what I understand scheduled PDF delivery is not supported for dashboards with forms.
Any way to get the best of both worlds?
I'm working on a similar project for conditional PDF delivery of a dashboard. It's pretty ugly but works. Here's the workflow:
1) Search triggers an alert
2) Alert has script which is triggered on the search head
3) The script stores the search result (from the file system) into a variable inside the script
4) The value selected will determine which PDF file to send and uses relative time to look at the last 15 mins to now
5) The script executes a REST command on the file system to convert the dashboard into a PDF on the file system
6) Send the email to a distro with the PDF attachment
The hardest part is passing the value from the search to the file system. The link below lists arguments which make this possible
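Steps 3 to 5 of the workflow above, sketched as an added example that is not code from the thread: the value read from the alert's results file is treated as untrusted and only selects a dashboard through an allowlist before the `pdfgen/render` URL is built. The dashboard names, the `severity` field, the `SPLUNK_TOKEN` variable, the output path and the gzipped-CSV results format are assumptions; the e-mail step is left out.

```python
import csv
import gzip
import os
import sys
import urllib.parse
import urllib.request

# Assumption: result values and dashboard names below are hypothetical.
DASHBOARDS = {"high": "ops_high_severity", "low": "ops_daily_summary"}


def first_value(results_path, field):
    """Return `field` from the first row of the gzipped CSV results file."""
    with gzip.open(results_path, "rt", newline="") as fh:
        row = next(csv.DictReader(fh), None)
    return None if row is None else row.get(field)


def render_url(value, base="https://localhost:8089", app="search"):
    """Map the search value to a dashboard through the allowlist only."""
    dashboard = DASHBOARDS.get(value)
    if dashboard is None:
        # Search output is untrusted: never interpolate it into a URL or command.
        raise ValueError(f"unexpected result value: {value!r}")
    query = urllib.parse.urlencode({"input-dashboard": dashboard, "namespace": app})
    return f"{base}/services/pdfgen/render?{query}"


def fetch_pdf(url, token, out_path):
    """Request the rendered PDF from splunkd and write it to out_path."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    # TLS verification stays on; splunkd's certificate must be trusted locally.
    with urllib.request.urlopen(req, timeout=120) as resp, open(out_path, "wb") as out:
        out.write(resp.read())


if __name__ == "__main__":
    # Legacy scripted alerts pass the results file path as the eighth argument.
    value = first_value(sys.argv[8], "severity")  # "severity" is an assumed field
    # Token comes from the environment (assumed name), not from the script body.
    fetch_pdf(render_url(value), os.environ["SPLUNK_TOKEN"], "dashboard.pdf")
```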
Thanks for the suggestion! I didn't know about some of these other tools.
To clarify, is 5) a call to the Splunk REST API? If yes, can you link to the API doc for it?
I got the idea from this post. It's not well documented but gives you the ability to convert to a PDF on the file system. If this answer helped you, can you accept it/upvote?
Did the answer by @skoelpin solve your question? If yes, please don't forget to resolve the post by clicking "Accept" directly below his answer. If not, please comment with more info to hopefully work towards a final solution.