- Splunk Answers
- :
- Using Splunk
- :
- Splunk Dev
- :
- Splunk API PDF Generation
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Splunk API PDF Generation
I am using splunk 8.2.12 and am trying to generate a pdf via an existing alert action using splunk api calls. The action was originally developed for automated ticketing within another app when a splunk alert is triggered. The end goal is to be able to upload the pdf of search results based on the alert to the ticket in an automated way. below is the current state of the code:
def create_pdf_for_ticket(payload, output_file):
# Extract relevant information from the payload
ticket_id = payload.get('sid')
index = payload.get('result', {}).get('index')
sourcetype = payload.get('result', {}).get('sourcetype')
# Construct the search query based on the extracted information
search_query = f'search index={index} sourcetype={sourcetype} sid={ticket_id}'
# Make the API request to execute the search and get the results
search_payload = {
'search': search_query,
'output_mode': 'json',
}
search_response = requests.get('http://localhost:8089/services/search/jobs/export', params=search_payload, headers=post_headers)
# Check if the search request was successful
if search_response.status_code == 200:
# Save the search results to a file
with open(output_file, 'wb') as pdf_file:
pdf_file.write(search_response.content)
print(f"PDF created successfully at: {output_file}")
else:
print(f"Error creating PDF: {search_response.status_code} - {search_response.text}")
def main():
*****
# Create PDF for the ticket
output_file = os.environ['SPLUNK_HOME'] + '/etc/apps/Splunk_Ivanti/local/ticket.pdf'
create_pdf_for_ticket(payload, output_file)
*****
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you say, "upload the pdf of search results based on the alert to the ticket in an automated way" are you wanting to take the PDF that the code creates (the file /etc/apps/Splunk_Ivanti/local/ticket.pdf) and post it to some other endpoint?
If the answer is yes, then you'd need to write the python to do that send. If you want an example how this is done, take a look at the %SPLUNK_HOME%/etc/apps/alert_webhook/bin/webhook.py. That's the code behind the Webhook Alert Action and it does a fairly simple send of data to a URL.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
JP I already have a connection to the other app in another part of my python you aren't seeing- this is a *new feature* on a app that I had previously built.
I guess the real question is - is there a way to
1) call Splunk's built in PDF GEN with a SID from an alert action or
2) run a report based on info from an alert action
3) some other method I'm just not thinking of
I do have a new working version that uses fpdf to create a pdf based on the xml output of the jobs/{SID}/results API call so if there is no other way I may just have to bite the bullet on that.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't know off the top of my head if you can get to the PDF generation functionality from within Python - I've never tried in python and I haven't been able to find any documentation within Splunk's documentation if they officially expose those calls in their Python SDK. The PDF stuff in Splunk is based off of ReportLab, and lives in %SPLUNK_HOME%\Python-3.7\Lib\site-packages\reportlab, so you can poke aroundthere a bit to see if that helps. I wasn't finding anything obvious of Splunk-written python calling the ReportLab stuff to generate a PDF, your luck might be better.
You can get a PDF generated from a REST endpoint - but do keep in mind that the overall PDF generation in Splunk is dashboard-centric, not search-centric. So you will need to create a Dashboard that renders the results for your SID, and then have that be generated as a PDF. Here are a few posts of people generating the PDF via a REST call which you can do from the CLI, within Python, etc. Once you have those bytes you can send those on to where you need:
Solved: Re: Generate PDF from View in REST API - Splunk Community
Trigger a PDF via the command line - Splunk Community
Historically the built-in PDF generation of Splunk has left something to be desired. It's just been OK...There are some apps on Splunkbase that help with various PDF things you could look into as well:
PDF Apps: https://splunkbase.splunk.com/apps?keyword=pdf
Join Us for Splunk University and Get Your Bootcamp Game On!
.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!
Announcing Scheduled Export GA for Dashboard Studio
