https://community.splunk.com/t5/Security/Web-form-to-create-events-using-splunk-webserver/m-p/71053#M2344 <P>We are trying to create a web form (filled in by humans) to create events to be digested by Splunk.</P> <P>Now there are a few ways to do this</P> <OL> <LI>Install webserver (apache or iis) and have a php (or .net) script which will process the form and send to splunk via (syslog, tcp or write to monitored file/directory)</LI> <LI>Install webserver and have javascript send results via tcp directly to splunk.</LI> </OL> <P>Now I am wondering if instead is using a webserver would it be possible to piggy back these forms in the splunk web at all?</P> <P>Thoughts?</P> Wed, 26 Sep 2012 05:19:21 GMT phoenixdigital 2012-09-26T05:19:21Z https://community.splunk.com/t5/Security/Web-form-to-create-events-using-splunk-webserver/m-p/71053#M2344 <P>We are trying to create a web form (filled in by humans) to create events to be digested by Splunk.</P> <P>Now there are a few ways to do this</P> <OL> <LI>Install webserver (apache or iis) and have a php (or .net) script which will process the form and send to splunk via (syslog, tcp or write to monitored file/directory)</LI> <LI>Install webserver and have javascript send results via tcp directly to splunk.</LI> </OL> <P>Now I am wondering if instead is using a webserver would it be possible to piggy back these forms in the splunk web at all?</P> <P>Thoughts?</P> Wed, 26 Sep 2012 05:19:21 GMT https://community.splunk.com/t5/Security/Web-form-to-create-events-using-splunk-webserver/m-p/71053#M2344 phoenixdigital 2012-09-26T05:19:21Z https://community.splunk.com/t5/Security/Web-form-to-create-events-using-splunk-webserver/m-p/71054#M2345 <P>Yes, I would take this as definately being possible...</P> <P>You would first need to create your form to handle the right amount of inputs, where you can use typical form features (text input, dropdown lists (you use a lookup file (via <CODE>inputlookup</CODE> command) or search results for this)... Don't worry about the search for now. (<A href="http://docs.splunk.com/Documentation/Splunk/latest/Developer/Step1CreateAForm">Documentation here</A>)</P> <P>Then you will need to create a script (something in python would be ideal), this should be created to handle <CODE>sys.argv[]</CODE> inputs, which will basically be the user's input. You could then have this data formatted to your needs via your script. Have this script write to a file somewhere on the Splunk installation. Once you have set up your script, you will then need to add this to a custom command via the "commmands.conf" file. (<A href="http://docs.splunk.com/Documentation/Splunk/latest/Developer/SearchScripts">Documentation here</A>)</P> <P>Now, back to the form, you will need a search for the form using your custom command. I typically use a search starting with <CODE>|inputlookup</CODE> OR <CODE>|metadata</CODE> as these usually have little search overhead. Then pipe to your custom command. You will then assign the user inputs to the custom command as arguments. For example:</P> <P><CODE>|inputlookup foo | someCommand $arg1$ $arg2$ $arg3$ $arg4$ $arg5$</CODE> etc</P> <P>Then once you have the form writing to the file, have Splunk monitor this file for updates.</P> <P>May not be the best way but I have had some weird requests that this has helped with.</P> <P>Cheers,</P> <P>MHibbin</P> <P>P.S there are probably better methods, but I think this is the easiest to set-up... and why install a web server? Splunk comes packaged with cherryPy as it's webservice.</P> <P>P.P.S. If you set up some output to stdout, you can use the event viewer for a form to show the user some information, like "You are not a real person, try again".</P> Wed, 26 Sep 2012 09:01:37 GMT https://community.splunk.com/t5/Security/Web-form-to-create-events-using-splunk-webserver/m-p/71054#M2345 MHibbin 2012-09-26T09:01:37Z