Reporting

How to send dashboard as a PDF email if condition is true?

skoelpin
SplunkTrust

I have a dashboard which I need to be emailed out as a PDF if a condition is true. I've tried using "Schedule PDF Delivery" but this only gives the option to send the dashboard as a PDF at a certain time.

Here's a basic example of what I'm looking for

| eval Send_PDF_Email=if(Error_Count>75,"Send_Email","")

Where if the Error_Count field is greater than 75, it will send the dashboard PDF email.

0 Karma
1 Solution

skoelpin
SplunkTrust

I was able to create a solution to this problem!

First I have an alert with the conditional logic. Here's a very basic test alert

| makeresults 
| eval count=5
| eval ALERT=if(count<6,"ALERT","")
| table ALERT

You should then set the trigger to custom and search ALERT=ALERT and set it to trigger the script.

I then created it to run every 1 minute on a cron schedule. I then disabled the alert until it's ready to test.

I then created a script which will be triggered by the alert. This script will first generate a PDF of the dashboard using cURL. It will then use mutt to send the PDF from the command line. It will wait 10 seconds, then do some GC on the file system.

#!/bin/bash
#This will generate a PDF file of the dashboard. 
#This will be triggered by an alert
#The output path must match the attachment path passed to mutt below; ">" overwrites any stale file
curl -u svc_acct:xxxxxx -k 'https://localhost:8089/services/pdfgen/render?input-dashboard=<dashboard_name>&namespace=search&paper-size=a4-landscape' > /tmp/Impact_Report.pdf

# This will email the report
mutt -s "Impact Report" -a /tmp/Impact_Report.pdf < /dev/null -- abc@abc.com

#This will wait 10 seconds before deleting the PDF file 
sleep 10s

#This will remove the PDF file from the file system after it's emailed 
rm /tmp/Impact_Report.pdf
#This removes the copy of the sent message that mutt saves to ~/sent
rm ~/sent

Then enable the alert and wait 1 minute and the email will appear with the dashboard attachment. You can then disable the alert so you don't get spammed.
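
A hardened variant of the alert script above, as an added example that is not part of the original post: credentials are read from a netrc file instead of the command line, the PDF goes into a private mktemp directory rather than a fixed /tmp name, and the response is checked for the PDF magic bytes before it is mailed. The netrc and CA bundle paths, the environment variable names, and the assumption that the alert action passes positional arguments to the script are assumptions of this example.

```bash
#!/bin/bash
# Added example, not the poster's script. Paths and variable names are assumptions.
SPLUNKD_URL="${SPLUNKD_URL:-https://localhost:8089}"
DASHBOARD="${DASHBOARD:-dashboard_name}"               # placeholder, as on the page
NETRC_FILE="${NETRC_FILE:-$HOME/.splunk_pdf.netrc}"    # hypothetical path, mode 600
CA_BUNDLE="${CA_BUNDLE:-$HOME/splunkd_ca.pem}"         # hypothetical path
RECIPIENT="${RECIPIENT:-abc@abc.com}"

# True only if the file starts with the PDF magic bytes. An error page or
# login form saved under a .pdf name fails this check.
is_pdf() {
    [ "$(head -c 5 "$1" 2>/dev/null)" = "%PDF-" ]
}

# Render the dashboard into the file named by $1. Credentials come from the
# netrc file, so they never show up in the process list or shell history.
# --fail makes an HTTP error a non-zero exit; --cacert replaces -k.
fetch_pdf() {
    curl --silent --show-error --fail \
         --netrc-file "$NETRC_FILE" --cacert "$CA_BUNDLE" \
         --get --data-urlencode "input-dashboard=$DASHBOARD" \
         --data-urlencode "namespace=search" \
         --data-urlencode "paper-size=a4-landscape" \
         --output "$1" "$SPLUNKD_URL/services/pdfgen/render"
}

# Fetch, validate, mail, and always clean up.
# Return codes: 0 sent, 2 render failed, 3 not a PDF, 4 mail failed.
send_dashboard() {
    local workdir pdf rc=0
    workdir="$(mktemp -d)" || return 1     # private directory, random name
    pdf="$workdir/Impact_Report.pdf"
    if ! fetch_pdf "$pdf"; then
        echo "render request failed" >&2; rc=2
    elif ! is_pdf "$pdf"; then
        echo "response is not a PDF, not mailing it" >&2; rc=3
    else
        mutt -s "Impact Report" -a "$pdf" -- "$RECIPIENT" < /dev/null || rc=4
    fi
    rm -rf -- "$workdir"
    return "$rc"
}

# Assumption: the alert action invokes this script with positional arguments.
# With none, only the functions are defined and nothing is sent.
if [ "$#" -gt 0 ]; then send_dashboard; fi
```

The netrc file holds one line of the form `machine localhost login svc_acct password ...` and should be readable only by the account that runs the alert script.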

zpadams
New Member

I would consider using a correlation search to achieve this.

From the home page go to Configure > Content Management.
Click "Create New Content" and select "Correlation Search".

Name it however you want, and paste the dashboard search into the "Search" box.
Set your time window you want the search to look through. Set the Cron Schedule to run every X minutes/hours, where X is the length of the time window.
Set your Trigger Condition to be whatever your threshold is.

Go to the bottom and click "+ Add New Response Action" and select "Send email".
Enter your email address and make sure you select "Attach PDF" at the bottom of the gray box.

This will now send an email with the PDF attached containing the search results every X minutes/hours whenever the threshold is breached.

0 Karma

skoelpin
SplunkTrust

Is this in reference to Splunk ES?

0 Karma

somesoni2
SplunkTrust
0 Karma

skoelpin
SplunkTrust

I'm not understanding the PDF part. What does the stanza name represent? Where do I put my dashboard info which will be converted and emailed as a PDF?

0 Karma

somesoni2
SplunkTrust

So the PDF alert is basically a regular alert search with alert action as a script. You'd schedule a PDF delivery for your dashboard as usual, but after setting cron and other things, just un-schedule it. The script is basically running the search, without scheduling it.

0 Karma