
Alert Triggered Action: Dashboard Studio Snapshot

josemanm12
Engager

I understand that it is currently possible to schedule the export of a Dashboard Studio dashboard in PDF or PNG format through the View → Actions → Scheduled Export option.
However, this functionality does not include a trigger-based activation option, so the export can only be scheduled at fixed intervals and not triggered by a specific alert condition.

At the moment, I have an alert configured to send an email when the trigger condition is met. However, I would like that email to include a PDF attachment with a snapshot of the Dashboard Studio dashboard.

I have also noticed a new Alert Action called Dashboard Studio Snapshot. However, I have tried searching for information about how it works, but I haven’t found any documentation or available examples.


Thanks in advance,

Jose 


livehybrid
SplunkTrust

Hi @josemanm12 

I also wasn't able to find a scrap of documentation about this feature, however I think I've worked it out based on the script (etc/apps/splunk-dashboard-studio/bin/studio_snapshot.py) that the action runs.

The action triggers a dashboard snapshot for the same ID as the name of the saved search, within the same app with the same owner. 
For example - if you have a Published Dashboard called 'Test Dashboard' (whose id/slug is 'test_dashboard') then you will need to create an alert called 'test_dashboard' with the 'Dashboard Studio Snapshot' action.

When the alert triggers and there are >0 events, it will call the action, which will trigger a new snapshot of the published dashboard.


josemanm12
Engager

Thanks a lot for the detailed explanation — it was really helpful! 
I reviewed the logs and everything seems to be working correctly now.

Appreciate you sharing the insights about how the studio_snapshot action works.

10-27-2025 08:00:00.716 -0600 INFO sendmodalert [2331900 AlertNotifierWorker-1] - Invoking modular alert action=studio_snapshot for search="_ScheduledView___SnapshotView__prueba_monitoreo_desviacion_trafico" sid="scheduler__splunk__search__RMD56cec69122e67ad7e_at_1761573600_60493" in app="search" owner="splunk" type="saved"

10-27-2025 07:35:02.593 -0600 INFO sendmodalert [2262246 AlertNotifierWorker-0] - action=studio_snapshot - Alert action script completed in duration=2020 ms with exit code=0

One thing I’m not sure about — where is the PDF file actually being saved when the studio_snapshot action runs? I couldn’t find it anywhere in the filesystem.

Regards,

Jose
