
How to create a saved search and alert from a SimpleXML JavaScript dashboard?

tfellinger
New Member

I am trying to find a way to create an alert out of a SimpleXML Dashboard with JavaScript added.
I can find a lot of examples demonstrating this with the SDK, but I think this is just usable if you connect from the outside to Splunk, isn't it?

As far as I can see, one has to instantiate the splunkjs-service to get methods for creating / saving searches, but how can I do this from JavaScript embedded in a dashboard?

http://docs.splunk.com/DocumentationStatic/WebFramework/1.1/
It looks like there are no methods for saving the searches in SearchManager and SavedSearchManager... How can I achieve this? Can someone point me in the right direction?

Thanks!

0 Karma

tfellinger
New Member

Yes, I ditched the jQuery xhr method and used plain JavaScript XMLHttpRequest instead. This way the header is not added and you can interact with the API.

Since there have to be some creds for the API that must be accessible from the JavaScript, I think this is not a good and secure solution. Afterwards I thought it would maybe be better to create a custom command for this, because custom commands receive an API token on execution. This would probably solve the "authentication problem" more elegantly.

Otherwise I think there are some ways to store creds more securely than just putting them into the JavaScript... just FYI if you want to build something similar. In my case I granted the API user only as many permissions as needed, and additionally I created a dashboard based on audit data to monitor that this is not abused by some attacker with access to Splunk.

0 Karma

tfellinger
New Member

Since there is no documented way of adding saved searches / alerts via the web framework, I thought I would try to connect to the REST API with jQuery from inside the dashboard like:

    // Request a session key from the splunkd management port (credentials redacted)
    var getSessionKey = $.ajax({
        type: "POST",
        url: "http://172.x.x.x:8089/services/auth/login",
        data: "username=xxx&password=xxx",
        crossDomain: true
    });

I edited the server.conf to allow CORS (crossOriginSharingPolicy = *), but this is also not working. It seems like Splunk is adding the header "x-splunk-form-key" automatically to every request. Since the only allowed header for CORS regarding the REST API is "authorization" this request fails, because of a CORS violation.

I tried to remove the header for my request with things like...

    beforeSend: function(xhr){
        xhr.setRequestHeader('x-splunk-form-key', ' ');
    },

or

    beforeSend: function(xhr){
        xhr.setRequestHeader('x-splunk-form-key', null);
    },

...but unfortunately this changes nothing in the request. I also did not find any way to allow additional headers for REST API requests.

Any ideas from anyone?

Thanks!

0 Karma
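
For anyone reviewing dashboards built this way, here is an added example (not code from the thread or from Splunk): a small Node.js check that flags dashboard JavaScript which logs in to the REST API with embedded credentials, the pattern in the snippet above. The rule names, the patterns and the sample script are constructed for illustration; port 8089 is taken from the URL in the post.

```javascript
// Added example: heuristic scan of dashboard JavaScript for embedded
// Splunk REST credentials. Rule ids and patterns are hypothetical.

// Constructed sample input, modelled on the snippet in the post above.
const SAMPLE_DASHBOARD_JS = `
var getSessionKey = $.ajax({
    type: "POST",
    url: "http://172.x.x.x:8089/services/auth/login",
    data: "username=xxx&password=xxx",
    crossDomain: true
});
var xhr = new XMLHttpRequest();
xhr.setRequestHeader("Authorization", "Basic " + btoa(user + ":" + pass));
`;

const RULES = [
  { id: "login-endpoint", re: /services\/auth\/login/,
    why: "script logs in to the REST API itself" },
  { id: "inline-password", re: /password=[^&"'\s]+/,
    why: "password literal in a request body" },
  { id: "cleartext-mgmt-port", re: /http:\/\/[^"'\s\/]+:8089/,
    why: "management port reached over plain HTTP" },
  { id: "basic-auth-header", re: /["']Authorization["']\s*,\s*["']Basic /,
    why: "Basic auth header assembled in client code" },
];

// Returns one finding per (line, rule) hit. The matched text is left out on
// purpose so that a report never repeats the secret it found.
function scanDashboardScript(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, index) => {
    for (const rule of RULES) {
      if (rule.re.test(text)) {
        findings.push({ line: index + 1, rule: rule.id, why: rule.why });
      }
    }
  });
  return findings;
}

for (const f of scanDashboardScript(SAMPLE_DASHBOARD_JS)) {
  console.log(`line ${f.line}: ${f.rule} (${f.why})`);
}
```

Run it over the JavaScript files an app ships for its dashboards; a hit on `inline-password` means the credential is readable by every user who can load that dashboard.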

jralston
Explorer

I know this is old, but curious if you ever figured out a solution to this?

0 Karma