Reporting

Can I extend the GUI to export log events to user's PC?

ben363
Path Finder

I've written a script to export log events. The script currently writes the result to the local disk.

But, most of our users don't have shell accounts.

Is there a way in Splunk for users to export and download the results without having to have access to the Splunk box?

Is it possible to add my script as an option to the existing "Export Results" window, or as a different button, or something?

0 Karma

martin_mueller
SplunkTrust

Ah. As a simple workaround you could have your script produce the export in a directory accessible by the Splunk webserver (etc/apps/blah/static for example) and display a link after the export for the user to download from.

martin_mueller
SplunkTrust

To make the link more clickable you could produce a file name in the script and use that to specify the drilldown target: http://docs.splunk.com/Documentation/Splunk/6.1.1/Viz/Dynamicdrilldownindashboardsandforms#Form_link...

0 Karma
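A sketch of the static-directory workaround suggested above, as an added example that is not code from either poster or from Splunk: the export script writes its output under a random file name, so the download URL cannot be guessed by someone who did not run the export, and it deletes exports older than a retention window. The function names, the `export_` prefix, the one-hour retention and the default `/static/tmp` URL prefix (taken from the path mentioned later in this thread) are assumptions.

```python
import os
import secrets
import tempfile
import time


def purge_old_exports(root, max_age):
    """Delete export_* files in root older than max_age seconds; return their names."""
    cutoff = time.time() - max_age
    removed = []
    for entry in os.scandir(root):
        if (entry.is_file() and entry.name.startswith("export_")
                and entry.stat().st_mtime < cutoff):
            os.remove(entry.path)
            removed.append(entry.name)
    return removed


def write_export(static_dir, data, ext="csv", url_prefix="/static/tmp", max_age=3600):
    """Write data (bytes) into static_dir under an unguessable name.

    Returns (file path, URL path to show the user). url_prefix is an assumption:
    set it to wherever your static directory is actually served from.
    """
    # Reject extensions that could smuggle path separators or dots.
    if not ext.isalnum():
        raise ValueError("extension must be alphanumeric")
    root = os.path.realpath(static_dir)
    os.makedirs(root, exist_ok=True)
    purge_old_exports(root, max_age)

    # 16 random bytes: the name cannot be predicted from user, time or search id.
    name = "export_%s.%s" % (secrets.token_urlsafe(16), ext)
    path = os.path.realpath(os.path.join(root, name))
    if os.path.dirname(path) != root:
        raise ValueError("export path escapes the static directory")

    # Write to a temp file first and rename, so a partial export is never
    # downloadable under the final name. mkstemp creates the file mode 0600,
    # which assumes the web server runs as the same OS user as this script.
    fd, tmp = tempfile.mkstemp(dir=root, prefix=".tmp_")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    os.replace(tmp, path)
    return path, "%s/%s" % (url_prefix.rstrip("/"), name)
```
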

ben363
Path Finder

cont...

Using the regular export raw format works, as you say, depending on what you want to export. Basically, it has to be close enough to Splunk's usual CSV format, or Splunk gets unhappy: "did not return events in descending time order, as expected".

So marked up .csv could work, but if you wanted a more different file format, say .rtf, no luck.

0 Karma

ben363
Path Finder

Exporting to static works, but displaying the link to it doesn't.

Having created splunk/etc/system/static/tmp/blah.blah, it can be read by pointing a browser at ...:8089/static/tmp/blah.blah.

But it's not obvious how to export that as a link. If the script returns a link, then Splunk displays that link, but as text, not as a hyperlink. Clicking on it takes the user back to the original search; it doesn't follow the link.

The user can cut and paste, or if the filename is predictable, the user can be told what to type, which could sort of work, but isn't nice.

...cont

0 Karma

martin_mueller
SplunkTrust

Depending on what you want to export and how, you might also be able to put the format conversion into a custom search command and use the regular export button's raw events format.

0 Karma


ben363
Path Finder

That could work nicely...

0 Karma

ben363
Path Finder

I need to export in a custom format.

0 Karma

martin_mueller
SplunkTrust

What's wrong with the standard export button in the regular search UI?
