All Apps and Add-ons

Add button to view to call script

dhorn
Path Finder

Hello all. I am working on a view to display accounts that are locked out in our AD environment, and it also shows the caller, which is the computer that caused the lockout. Basically, I want to add a button on each row that when clicked will call a script to call a remote log off. Creating the script I can handle, but I need help adding the buttons to my view. Here is a pastebin of my view, and also a link to a screenshot of the current results:

pastebin.com/hQ2T54AE

i.imgur.com/d5YPsRs.png

Basically, I want a button beside each result that when pressed will call a script local to my Splunk server and put the value from "Lockout Source" into a variable that I can call in the script. The script will likely be python or VB, since my Splunk server runs on RHEL and will be call remote Windows actions. I have seen some similar things like this done with Sideview Utils, but I haven't been able to figure it out.

Thanks!

sideview
SplunkTrust
SplunkTrust

The solution as I see it has 2 moving parts.

1) a custom controller you'll write in python that sits on Splunkweb so your buttons can hit its URL from the dashboard, and thereby do the stuff you need done.
It looks like there are new docs for custom controllers on the Splunk site. ( http://dev.splunk.com/view/SP-CAAADS2 ), although another promising avenue is to just crack open some existing ones. For example Sideview's view.py controller (etc/apps/sideview_utils/appserver/controllers/view.py) has a very simple "show" endpoint that takes an app and a view and returns the XML for that view. Other pythonic bits like custom search commands and scripted inputs and modular inputs and scripted lookups can be a pain to get right but custom controllers are for whatever reason fairly tame.

basically you'll develop this thing by itself and hit it manually from your browser and get it to where it can take the data the button will give it, and it can do the things it needs to.

2) The UI side is actually pretty easy. It'll look basically like this:

<module name="Table">

  <module name="Button" group="row.fields.actions">
    <param name="allowAutoSubmit">False</param>

    <module name="Redirector">
      <param name="url">/en-US/custom/APP/CONTROLLER/ENDPOINT</param>
      <param name="arg.foo">$click.fields.foo$</param>
      <param name="arg.bar">$click.fields.bar$</param>
    </module>
  </module>
</module>

However you won't get very far with it until you read through the Table documentation. Obviously the APP/CONTROLLER/ENDPOINT has to be replaced so as to match your actual custom controller. foo and bar are assumed to be fields showing up in your Table.

If you don't want them to actually be visible in the Table but they are in the underlying search result rows then you'll want to use the Table module's "hiddenFields" param. etc..

Also "actions" is a field that you will put into your search results, although the values can all be null - we just need something to create the "actions" column for us so we can hijack it.

Anyway, I'm saying too much. The Table docs and examples should do a much better job of telling you everything you need to know. If you need help along the way don't hesitate to post back or contact me through the site.

Don't forget to update to latest Sideview Utils (2.7.1 as of this writing) http://sideviewapps.com/apps/sideview-utils

There are still some people out there using the ancient 1.3.5 version from Splunkbase and nothing that old will have any of the stuff I'm talking about here.

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...