Reporting
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Dashboard Tokens and PDF Delivery help

mchang_splunk
Splunk Employee
Splunk Employee
‎05-16-2018 10:33 PM

I'm utilizing tokens on my dashboard to dynamicly generate date ranges for the header. This involved adding a panel that uses html.

It works fine to run the tokens in the header of the dashboard but the tokens don't run when the dashboard is scheduled to delivery pdf

<div id="custom_header">
<div id="custom_header_title"><h1>weekly report for analyst for week $earliest_time$ through $latest_time$</h1></div>
</div>

when the report is emailed via PDF it actually shows $earliesttime$ through $latesttime$ (ignores running the tokens)... Vs the dashboard that actually runs the tokens and showing the relative dates

I believe this maybe a limitation in splunk looking at the doc but ask for someone confirm? And if there work around?

https://docs.splunk.com/Documentation/Splunk/7.3.3/Alert/EmailNotificationTokens

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mchang_splunk
Splunk Employee
Splunk Employee
‎05-16-2018 11:00 PM

This issue is reported as SPL-153629.

Root cause is prior to 7.0.3, Splunk is using different keys to encrypt embedded report urls.
When embedSecret was not set in server.conf, pass4Symmkey is used.
Since 7.0.3, Splunk is using etc/auth/splunk.secret, which caused urls created before 7.0.3 to fail to be decrypted.

Workaround is by cases:

  1. Before upgraded to 7.0.3+, did NOT set or change any pass4SymmKey under [general] or [shclustering] in etc/system/local/server.conf
    workaround:
    In the current version of Splunk (7.0.3 or higher),
    add embedSecret = changeme under [general] in etc/system/local/server.conf and restart Splunk

  2. Before upgraded to 7.0.3+, pass4SymmKey has been set under [shclustering] in etc/system/local/server.conf
    workaround:
    In the current version of Splunk (7.0.3 or higher),
    set embedSecret to the un-encrypted value used for pass4SymmKey under [shclustering] before upgrading to 7.0.3 and restart splunk.

  3. Before upgraded to 7.0.3+, pass4SymmKey has been changed under [general] but NOT under [shclustering] in etc/system/local/server.conf
    workaround:
    In the current version of Splunk (7.0.3 or higher),
    set embedSecret to the un-encrypted value used for pass4SymmKey under [general] before upgrading to 7.0.3 and restart splunk.

View solution in original post

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎05-22-2020 06:07 AM

The problem that you are having is that recently Splunk has added some settings to control this type of content and defaulted dashboard_html_allow_embeddable_content to false. In order to get it to work, try enabling these settings in web.conf:

dashboard_html_allow_inline_styles = <boolean>
* Whether or not to allow style attributes from inline HTML elements in dashboards.
* If "false", style attributes from inline HTML elements in dashboards will be removed 
  to prevent potential attacks.
* Default: true

dashboard_html_allow_embeddable_content = <boolean>
* Whether or not to allow <embed> and <iframe> HTML elements in dashboards.
* If set to "true", <embed> and <iframe> HTML elements in dashboards will not be removed 
  and can lead to a potential security risk.
* If set to the default value of "false", <embed> and <iframe> HTML elements will be stripped
  from the dashboard HTML.
* Default: false

dashboard_html_wrap_embed = <boolean>
* Whether or not to wrap <embed> HTML elements in dashboards with an <iframe>.
* If set to "false", <embed> HTML elements in dashboards will not be wrapped, leading to
  a potential security risk.
* If set to "true", <embed> HTML elements will be wrapped by an <iframe sandbox> element to help
  mitigate potential security risks.
* Default: true

dashboard_html_allow_iframes = <boolean>
* Whether or not to allow iframes from HTML elements in dashboards.
* If "false", iframes from HTML elements in dashboards will be removed to prevent
  potential attacks.
* Default: true
0 Karma
Reply
Solved! Jump to solution
Solution

mchang_splunk
Splunk Employee
Splunk Employee
‎05-16-2018 11:00 PM

This issue is reported as SPL-153629.

Root cause is prior to 7.0.3, Splunk is using different keys to encrypt embedded report urls.
When embedSecret was not set in server.conf, pass4Symmkey is used.
Since 7.0.3, Splunk is using etc/auth/splunk.secret, which caused urls created before 7.0.3 to fail to be decrypted.

Workaround is by cases:

  1. Before upgraded to 7.0.3+, did NOT set or change any pass4SymmKey under [general] or [shclustering] in etc/system/local/server.conf
    workaround:
    In the current version of Splunk (7.0.3 or higher),
    add embedSecret = changeme under [general] in etc/system/local/server.conf and restart Splunk

  2. Before upgraded to 7.0.3+, pass4SymmKey has been set under [shclustering] in etc/system/local/server.conf
    workaround:
    In the current version of Splunk (7.0.3 or higher),
    set embedSecret to the un-encrypted value used for pass4SymmKey under [shclustering] before upgrading to 7.0.3 and restart splunk.

  3. Before upgraded to 7.0.3+, pass4SymmKey has been changed under [general] but NOT under [shclustering] in etc/system/local/server.conf
    workaround:
    In the current version of Splunk (7.0.3 or higher),
    set embedSecret to the un-encrypted value used for pass4SymmKey under [general] before upgrading to 7.0.3 and restart splunk.

Reply
Solved! Jump to solution

niketn
Legend
‎05-16-2018 10:58 PM

@mchang, you might have to change the URL manually to take out &oid from the query string. Refer to answer below:

https://answers.splunk.com/answers/656629/is-it-common-behavior-to-have-the-embedded-report.html

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Solved! Jump to solution

mchang_splunk
Splunk Employee
Splunk Employee
‎05-16-2018 11:03 PM

@niketnilay, thanks.
This was tried but didn't help.

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...