Add a custom report
The Splunk App for PCI Compliance provides reports for different aspects of your PCI compliance. Each report (or dashboard) in the Splunk App for PCI Compliance has an XML file (for instance
pci_malware_activity.xml) that describes the information used in the report, which notable events provide the data, and how that data is displayed. These reports are included as part of the app.
To add your custom report (
your_report.xml) to the app, you need to add it to the navigation XML file. The menu items in the app are referenced in the navigation XML file. Each app only has one navigation file. To have the new report show up in the correct place in the app navigation (or correct location in the menu bar), the custom report must be referenced in the correct domain section of the navigation XML file. (
$SPLUNK_HOME/etc/apps/SplunkPCIComplianceSuite/local/data/ui/nav/default.xml). You must associate the new report with a domain.
1. To add your custom report to the navigation file, go to Manager > User interface > Navigation menus.
2. Select default next to SplunkPCIComplianceSuite. An editor displays the navigation file for the Splunk App for PCI Compliance.
3. Choose the domain for the new report. This is the location in the
default.xml file where you reference your custom report file (
A report is associated, or categorized, with a domain within the app. In the Splunk App for PCI Compliance, these categories are shown in the Reports tab. The categories are:
- Network Security
- Endpoint Security
- Access Control
- Monitor & Test
Within the navigation file (
default.xml), the categories look like this:
<nav> ... ... <collection label="Reports"> <collection label="Network Security"> <a href='/app/SplunkPCIComplianceSuite/pci_communication_rule_activity?category=pci'>Firewall Rule Activity</a> ... <!--ADD HERE--> ... </collection> <collection label="Endpoint Security"> <a href='/app/SplunkPCIComplianceSuite/pci_malware_activity?category=pci'>Malware Activity</a> ... <!--ADD HERE--> ... </collection> <collection label="Cardholder Data"> ... <!--ADD HERE--> ... </collection> <collection label="Access Control"> <a href='/app/SplunkPCIComplianceSuite/pci_insecure_authentication_attempts?category=pci'>Insecure Authentication Attempts</a> ... <!--ADD HERE--> ... </collection> <collection label="Monitor & Test"> <a href='/app/SplunkPCIComplianceSuite/pci_asset_logging?category=pci'>PCI Asset Logging</a> ... <!--ADD HERE--> ... </collection> </collection> </nav> You can add a report to any of the places in the file indicated with <!--ADD HERE-->.
4. Add the custom report to the
default.xml file and Save the file.
For example, to add your report to Monitor & Test, add the path to the
your_report.xml file and the display name in
default.xml as shown in the following code snippet:
<collection label="Monitor & Test"> <a href='/app/SplunkPCIComplianceSuite/pci_asset_logging?category=pci'>PCI Asset Logging</a> ... <a href='/app/SplunkPCIComplianceSuite/your_report.xml?category=pci'>Your custom report</a> ... </collection>
Note: When you open
default.xml, you are looking at the
default copy of the file. When you save, your changes are saved to a
local version of the file.
5. Restart Splunk Enterprise.
Your new custom report shows up in the Monitor & Test menu in the Splunk App for PCI Compliance. You can also view the new report by going to Configure > Domains / Dashboards.
If you disable the custom report in Domains / Dashboards Navigation editor, you need to manually re-add it to the
See the "Dashboards and Forms" in Dashboards and Visualizations.
Email a report
The Splunk App for PCI Compliance can be configured to email a report, either attaching it as an HTML file or including it inline in the email attachment. Using the "
action.email.html.cssfile" parameter in
savedsearches.conf you can add styling to the HTML document. Sample CSS files for both portrait and landscape mode, with simple pagination, are included in
To enable styled HTML email output of a report:
1. A CSS file must be placed in
namespace" is the name of the application in which the search is run.
2. The "
action.email.html.cssfile" parameter in
savedsearches.conf must be set to the name of the CSS file.
action.email = 1
action.email.html.cssfile = portrait.css
action.email.inline = 0
action.email.format = html
action.email.sendresults = 1
action.email.to = email@example.com
alert.digest_mode = True
alert.suppress = 0
alert.track = 1
cron_schedule = * * * * *
description = test2
dispatch.earliest_time = -1d
enableSched = 1
search = `communicate` | head 100 | table src src_port dest dest_port _time | convert ctime(_time)
Note: Make all changes to the
savedsearches.conf file in
$SPLUNK_HOME/etc/system/local. To make changes, copy the section/stanza you want to change from
../local and edit there.
3. Set the "
action.email.inline" parameter in
savedsearches.conf, which controls whether the HTML is be sent as an attachment (0) or inline (1).
4. Refresh the saved search. Because the
savedsearches.conf file has been edited directly, one final step is required to refresh the saved search. To do this, either:
- Issue a request to the following URL using
wget, or the browser of your choice:
- Restart Splunk Enterprise.
$SPLUNK_HOME/bin/ ./splunk restart
Note: It is not possible to configure this feature using the Splunk Web UI. You must edit the
savedsearches.conf file directly.
Configure Interesting Ports list
Add custom correlation searches
This documentation applies to the following versions of Splunk® App for PCI Compliance: 2.1.1