Getting Data In

Supply Input to Dashboard with REST API

_smp_
Builder

I have an dashboard that takes an email address in a Text input. Is there a way to supply an email address for the input and render the Dashboard using the REST API?

The dashboard is used by a group of internal investigators to gather artifacts for their investigations. Their process right now (obviously) is to log into Splunk, navigate to the dashboard, input an email address, hit the Submit button and export the resulting PDF. This is a small part of a much broader workflow. We'd like to automate this Splunk portion to help streamline their investigation process. So I'm trying to perform the same dashboard operations a person would, but using REST APIs instead.

The PDF export is important because it compiles information from multiple searches into a single artifact, as opposed to creating multiple searches and outputs with the search API.

Tags (1)
0 Karma
1 Solution

efavreau
Motivator

@scottprigge You can use the API to get the data. You can do this in your dashboard and can be possible to get the data from the command line. On the command line, using curl (for example), you could have the investigator update the email address in the query (or series of queries) and hit enter.

However, rendering to a pdf is a problem on the command line. Splunk API export options are atom | csv | json | json_cols | json_rows | raw | xml.
Here's the doc about the export options: https://docs.splunk.com/Documentation/Splunk/Latest/Search/ExportdatausingRESTAPI

If the pdf is a requirement, you would need another step then, to take the output results from the API and convert that into a PDF that is formatted to your needs. Otherwise the pdf output is only possible from the GUI.

###

If this reply helps you, an upvote would be appreciated.

View solution in original post

0 Karma

efavreau
Motivator

@scottprigge You can use the API to get the data. You can do this in your dashboard and can be possible to get the data from the command line. On the command line, using curl (for example), you could have the investigator update the email address in the query (or series of queries) and hit enter.

However, rendering to a pdf is a problem on the command line. Splunk API export options are atom | csv | json | json_cols | json_rows | raw | xml.
Here's the doc about the export options: https://docs.splunk.com/Documentation/Splunk/Latest/Search/ExportdatausingRESTAPI

If the pdf is a requirement, you would need another step then, to take the output results from the API and convert that into a PDF that is formatted to your needs. Otherwise the pdf output is only possible from the GUI.

###

If this reply helps you, an upvote would be appreciated.
0 Karma

_smp_
Builder

Ironically, it seems the PDF download is actually something that we've been able to do. The bigger for our process seems to be how to pass the token value to the dashboard through the REST API, as though a user was entering the input.

0 Karma

efavreau
Motivator

@scottprigge There's some piece I'm missing. How is the PDF being generated? Is that process independent from Splunk? Or is the GUI being used, or some other way to generate the pdf? What is it about the API you think will solve your issue? Is the ability to invoke from the command line, or something else? Or are you looking for a way to invoke the GUI dashboard from an external tool, which could generate hyperlinks with a unique email address per link, which when clicked, would open a web browser to the Dashboard with the email token pre-filled in? From the dashboard they are using the dashboard GUI to generate the pdf.
If so, then in your dashboard, your form's fieldname - (url maybe?), might be passed to the URL like so: http://splunk.example.com?form.url="name@example.com"

###

If this reply helps you, an upvote would be appreciated.

_smp_
Builder

might be passed to the URL like so: http://splunk.example.com?form.url="name@example.com"
I think this is exactly what I am looking to do, sorry for my difficulty articulating. Is your parameter-passing example something you came up with? Or is there documentation for that? I haven't found the documentation yet.

0 Karma

efavreau
Motivator

@scottprigge There's no docs I know of, or could find with a quick search. However, to get you to common frame of reference, if you have the Splunk Dashboard Examples App, then look at the Text Form Input Element example, and note the code and the way the URL behaves.
The xml in the dashboard starts:

<form>
    <label>Text Form Input Element</label>
    <description>Set search terms by populating a form with textbox input.</description>
    <fieldset autoRun="true" submitButton="false">
        <input type="text" token="limit" searchWhenChanged="true">
            <label>Enter an integer N:</label>
            <default>5</default>
        </input>
    </fieldset>

The token limit is reflected in the URL of your browser as:
https://my.splunk/en-US/app/simple_xml_examples/simple_form_text?form.limit=5

If you change the 5 in the URL (your browser's address bar), to a 10, and hit enter, it will load the dashboard as if 10 was entered into the form already.

The only wrinkle with this is the login timeout. The user has to be authenticated in first, and then can keep using the URL, until their login times out.

###

If this reply helps you, an upvote would be appreciated.
0 Karma

_smp_
Builder

Thanks for the reference.

0 Karma

efavreau
Motivator

More details please. Scenario: A user comes to your dashboard, enters their email address, and you want the dashboard to make Splunk API calls for data and render? If so, yes. How does the email address figure into this?

###

If this reply helps you, an upvote would be appreciated.
0 Karma

_smp_
Builder

Thank you for your comment. I have added additional detail to my original post.

0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Hey Splunky People! We are excited to share the latest updates in Splunk Enterprise 9.4. In this release we ...

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)

WATCH NOW!The Splunk Guide to Risk-Based Alerting is here to empower your SOC like never before. Join Haylee ...

SignalFlow: What? Why? How?

What is SignalFlow? Splunk Observability Cloud’s analytics engine, SignalFlow, opens up a world of in-depth ...