Reporting

Dashboard Tokens and PDF Delivery help

mchang_splunk
Splunk Employee
Splunk Employee

I'm utilizing tokens on my dashboard to dynamicly generate date ranges for the header. This involved adding a panel that uses html.

It works fine to run the tokens in the header of the dashboard but the tokens don't run when the dashboard is scheduled to delivery pdf

<div id="custom_header">
<div id="custom_header_title"><h1>weekly report for analyst for week $earliest_time$ through $latest_time$</h1></div>
</div>

when the report is emailed via PDF it actually shows $earliesttime$ through $latesttime$ (ignores running the tokens)... Vs the dashboard that actually runs the tokens and showing the relative dates

I believe this maybe a limitation in splunk looking at the doc but ask for someone confirm? And if there work around?

https://docs.splunk.com/Documentation/Splunk/7.3.3/Alert/EmailNotificationTokens

Labels (1)
0 Karma
1 Solution

mchang_splunk
Splunk Employee
Splunk Employee

This issue is reported as SPL-153629.

Root cause is prior to 7.0.3, Splunk is using different keys to encrypt embedded report urls.
When embedSecret was not set in server.conf, pass4Symmkey is used.
Since 7.0.3, Splunk is using etc/auth/splunk.secret, which caused urls created before 7.0.3 to fail to be decrypted.

Workaround is by cases:

  1. Before upgraded to 7.0.3+, did NOT set or change any pass4SymmKey under [general] or [shclustering] in etc/system/local/server.conf
    workaround:
    In the current version of Splunk (7.0.3 or higher),
    add embedSecret = changeme under [general] in etc/system/local/server.conf and restart Splunk

  2. Before upgraded to 7.0.3+, pass4SymmKey has been set under [shclustering] in etc/system/local/server.conf
    workaround:
    In the current version of Splunk (7.0.3 or higher),
    set embedSecret to the un-encrypted value used for pass4SymmKey under [shclustering] before upgrading to 7.0.3 and restart splunk.

  3. Before upgraded to 7.0.3+, pass4SymmKey has been changed under [general] but NOT under [shclustering] in etc/system/local/server.conf
    workaround:
    In the current version of Splunk (7.0.3 or higher),
    set embedSecret to the un-encrypted value used for pass4SymmKey under [general] before upgrading to 7.0.3 and restart splunk.

View solution in original post

woodcock
Esteemed Legend

The problem that you are having is that recently Splunk has added some settings to control this type of content and defaulted dashboard_html_allow_embeddable_content to false. In order to get it to work, try enabling these settings in web.conf:

dashboard_html_allow_inline_styles = <boolean>
* Whether or not to allow style attributes from inline HTML elements in dashboards.
* If "false", style attributes from inline HTML elements in dashboards will be removed 
  to prevent potential attacks.
* Default: true

dashboard_html_allow_embeddable_content = <boolean>
* Whether or not to allow <embed> and <iframe> HTML elements in dashboards.
* If set to "true", <embed> and <iframe> HTML elements in dashboards will not be removed 
  and can lead to a potential security risk.
* If set to the default value of "false", <embed> and <iframe> HTML elements will be stripped
  from the dashboard HTML.
* Default: false

dashboard_html_wrap_embed = <boolean>
* Whether or not to wrap <embed> HTML elements in dashboards with an <iframe>.
* If set to "false", <embed> HTML elements in dashboards will not be wrapped, leading to
  a potential security risk.
* If set to "true", <embed> HTML elements will be wrapped by an <iframe sandbox> element to help
  mitigate potential security risks.
* Default: true

dashboard_html_allow_iframes = <boolean>
* Whether or not to allow iframes from HTML elements in dashboards.
* If "false", iframes from HTML elements in dashboards will be removed to prevent
  potential attacks.
* Default: true
0 Karma

mchang_splunk
Splunk Employee
Splunk Employee

This issue is reported as SPL-153629.

Root cause is prior to 7.0.3, Splunk is using different keys to encrypt embedded report urls.
When embedSecret was not set in server.conf, pass4Symmkey is used.
Since 7.0.3, Splunk is using etc/auth/splunk.secret, which caused urls created before 7.0.3 to fail to be decrypted.

Workaround is by cases:

  1. Before upgraded to 7.0.3+, did NOT set or change any pass4SymmKey under [general] or [shclustering] in etc/system/local/server.conf
    workaround:
    In the current version of Splunk (7.0.3 or higher),
    add embedSecret = changeme under [general] in etc/system/local/server.conf and restart Splunk

  2. Before upgraded to 7.0.3+, pass4SymmKey has been set under [shclustering] in etc/system/local/server.conf
    workaround:
    In the current version of Splunk (7.0.3 or higher),
    set embedSecret to the un-encrypted value used for pass4SymmKey under [shclustering] before upgrading to 7.0.3 and restart splunk.

  3. Before upgraded to 7.0.3+, pass4SymmKey has been changed under [general] but NOT under [shclustering] in etc/system/local/server.conf
    workaround:
    In the current version of Splunk (7.0.3 or higher),
    set embedSecret to the un-encrypted value used for pass4SymmKey under [general] before upgrading to 7.0.3 and restart splunk.

View solution in original post

niketnilay
Legend

@mchang, you might have to change the URL manually to take out &oid from the query string. Refer to answer below:

https://answers.splunk.com/answers/656629/is-it-common-behavior-to-have-the-embedded-report.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

mchang_splunk
Splunk Employee
Splunk Employee

@niketnilay, thanks.
This was tried but didn't help.

0 Karma