Dashboards & Visualizations

Render Dashboard to PDF with time range - REST API

Ethil
Path Finder

Hello everyone, and thanks in advance for your help. I'm very new to this subject so if anything is unclear, i'll try to explain my problem more in details.

I'm using spunk 9.2.1, and i'm trying to generate a PDF from one of my dashboard on the last 24 hours, using a splunk API call.

I'm using a POST request to the ".../services/pdfgen/render" endpoint. First I couldn't find any documentation on  this matter. Furthermore, even when looking at $SPLUNK_HOME/lib/python3.7/sites-packages/splunk/pdf/pdfgen_*.py  (endpoint,views,search,utils) i could'nt really understand what arguments to use to ask for the last 24 hours data. I know it should be possible because it is doable on the splunk GUI, where you can choose a time range and render according to it. 

I saw something looking like time range args : et and lt, which should be earliest time and latest time, but i don't know what type of time data it is expecting an trying random things didn't get me anywhere.

If you know anything on this subject please help me 🙂

thank you

Labels (2)
0 Karma
1 Solution

tscroggins
Influencer

Hi @Ethil,

To include time values from form inputs, SplunkWeb sends a rendered version of the dashboard XML to the pdfgen service.

For example, given the Simple XML source:

<form version="1.1" theme="light">
  <label>my_dashboard</label>
  <fieldset submitButton="false">
    <input type="time" token="time_tok">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults
| addinfo</query>
          <earliest>$time_tok.earliest$</earliest>
          <latest>$time_tok.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

View the dashboard in SplunkWeb and change the time range to Earliest: -1h@h and Latest: @h.

When you export the dashboard to PDF, SplunkWeb renders the following static dashboard:

<dashboard>
  <label>my_dashboard</label>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults
| addinfo</query>
          <earliest>-1h@h</earliest>
          <latest>@h</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</dashboard>

Note that the form element is now a dashboard element, the fieldset element has been removed, and the time_tok.earliest and time_tok.latest token values have been propagated to the search earliest and latest elements.

The dashboard is then XML-encoded:

&lt;dashboard&gt;
  &lt;label&gt;my_dashboard&lt;/label&gt;
  &lt;row&gt;
    &lt;panel&gt;
      &lt;table&gt;
        &lt;search&gt;
          &lt;query&gt;| makeresults
| addinfo&lt;/query&gt;
          &lt;earliest&gt;-1h@h&lt;/earliest&gt;
          &lt;latest&gt;@h&lt;/latest&gt;
        &lt;/search&gt;
        &lt;option name="drilldown"&gt;none&lt;/option&gt;
        &lt;option name="refresh.display"&gt;progressbar&lt;/option&gt;
      &lt;/table&gt;
    &lt;/panel&gt;
  &lt;/row&gt;
&lt;/dashboard&gt;

Finally, the result is sent to the pdfgen service using the URL-encoded input-dashboard-xml parameter, illustrated here using curl over the management port (SplunkWeb uses a SplunkWeb endpoint) with line breaks removed:

curl -k -u admin -o my_dashboard_last_hour.pdf https://localhost:8089/services/pdfgen/render --data-urlencode 'input-dashboard-xml=&lt;dashboard&gt;&lt;label&gt;my_dashboard&lt;/label&gt;&lt;row&gt;&lt;panel&gt;&lt;table&gt;&lt;search&gt;&lt;query&gt;| makeresults | addinfo&lt;/query&gt;&lt;earliest&gt;-1h@h&lt;/earliest&gt;&lt;latest&gt;@h&lt;/latest&gt;&lt;/search&gt;&lt;option name="drilldown"&gt;none&lt;/option&gt;&lt;option name="refresh.display"&gt;progressbar&lt;/option&gt;&lt;/table&gt;&lt;/panel&gt;&lt;/row&gt;&lt;/dashboard&gt;'

You can pass any static Simple XML to the pdfgen service; it doesn't need to be associated with a saved dashboard:

curl -k -u admin -o hello.pdf https://localhost:8089/services/pdfgen/render --data-urlencode 'input-dashboard-xml=&lt;dashboard&gt;&lt;label&gt;Hello, World!&lt;/label&gt;&lt;/dashboard&gt;'

 

View solution in original post

tscroggins
Influencer

Hi @Ethil,

As far as I can tell, the et and lt query parameters are only used with input-search and not input-dashboard etc.

Ethil
Path Finder

Hi @tscroggins , 

Thanks for your reply, then do you perhaps know if they're any time-range args that work with input-dashboard ? Otherwise, should i use another method ?

0 Karma

tscroggins
Influencer

Hi @Ethil,

To include time values from form inputs, SplunkWeb sends a rendered version of the dashboard XML to the pdfgen service.

For example, given the Simple XML source:

<form version="1.1" theme="light">
  <label>my_dashboard</label>
  <fieldset submitButton="false">
    <input type="time" token="time_tok">
      <label></label>
      <default>
        <earliest>-24h@h</earliest>
        <latest>now</latest>
      </default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults
| addinfo</query>
          <earliest>$time_tok.earliest$</earliest>
          <latest>$time_tok.latest$</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

View the dashboard in SplunkWeb and change the time range to Earliest: -1h@h and Latest: @h.

When you export the dashboard to PDF, SplunkWeb renders the following static dashboard:

<dashboard>
  <label>my_dashboard</label>
  <row>
    <panel>
      <table>
        <search>
          <query>| makeresults
| addinfo</query>
          <earliest>-1h@h</earliest>
          <latest>@h</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</dashboard>

Note that the form element is now a dashboard element, the fieldset element has been removed, and the time_tok.earliest and time_tok.latest token values have been propagated to the search earliest and latest elements.

The dashboard is then XML-encoded:

&lt;dashboard&gt;
  &lt;label&gt;my_dashboard&lt;/label&gt;
  &lt;row&gt;
    &lt;panel&gt;
      &lt;table&gt;
        &lt;search&gt;
          &lt;query&gt;| makeresults
| addinfo&lt;/query&gt;
          &lt;earliest&gt;-1h@h&lt;/earliest&gt;
          &lt;latest&gt;@h&lt;/latest&gt;
        &lt;/search&gt;
        &lt;option name="drilldown"&gt;none&lt;/option&gt;
        &lt;option name="refresh.display"&gt;progressbar&lt;/option&gt;
      &lt;/table&gt;
    &lt;/panel&gt;
  &lt;/row&gt;
&lt;/dashboard&gt;

Finally, the result is sent to the pdfgen service using the URL-encoded input-dashboard-xml parameter, illustrated here using curl over the management port (SplunkWeb uses a SplunkWeb endpoint) with line breaks removed:

curl -k -u admin -o my_dashboard_last_hour.pdf https://localhost:8089/services/pdfgen/render --data-urlencode 'input-dashboard-xml=&lt;dashboard&gt;&lt;label&gt;my_dashboard&lt;/label&gt;&lt;row&gt;&lt;panel&gt;&lt;table&gt;&lt;search&gt;&lt;query&gt;| makeresults | addinfo&lt;/query&gt;&lt;earliest&gt;-1h@h&lt;/earliest&gt;&lt;latest&gt;@h&lt;/latest&gt;&lt;/search&gt;&lt;option name="drilldown"&gt;none&lt;/option&gt;&lt;option name="refresh.display"&gt;progressbar&lt;/option&gt;&lt;/table&gt;&lt;/panel&gt;&lt;/row&gt;&lt;/dashboard&gt;'

You can pass any static Simple XML to the pdfgen service; it doesn't need to be associated with a saved dashboard:

curl -k -u admin -o hello.pdf https://localhost:8089/services/pdfgen/render --data-urlencode 'input-dashboard-xml=&lt;dashboard&gt;&lt;label&gt;Hello, World!&lt;/label&gt;&lt;/dashboard&gt;'

 

Ethil
Path Finder

Thanks a lot for your help !

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...