How to create a dashboard with text input fields that will update a lookup file?

EdgarAllenProse
Path Finder

Is there a way to create a dashboard with text input fields that does not do any searching, but rather pushes user input into a new row within a created input file?

Basically what I am trying to accomplish is this:

Lookup File: userLoggedInfo.csv

Dashboard: User Log

Dashboard looks like this:

Event: | Text Box |
Time of Event: | Text Box |
IP in event: | Text Box |
Analysis Notes: | Text Box |

When a user plugs in information, I want to add what the user wrote to the lookup file in a new row.

So before user inputs information, the file would look like this:
|Event|Time of Event|IP in Event|Analysis notes|

After the user hits the submit button in the dashboard, it should update like so and any future submission would be added to the next empty row:

|Event |Time of Event |IP in Event |Analysis notes |
|HD Error | Dec 21 | 192.168.16.1 | HardDrive failed because a rock was thrown at it. Verified|

So what would be a good starting point in learning to make textboxes output non-queried text into a lookup (for later querying) in a submittable form based dashboard?

MuS
Legend

Hi EdgarAllenProse,

Given you have a lookup called 478751 which contains the following:

Event,"Time of Event","IP in Event","Analysis notes"

you can use this run-everywhere dashboard to see how this can be done:

<form>
  <label>How to create a dashboard with text input fields that will update a lookup file?</label>
  <description>https://answers.splunk.com/answers/478751/how-to-create-a-dashboard-with-text-input-fields-t.html</description>
  <fieldset submitButton="true" autoRun="false">
    <input type="text" token="field1">
      <label>Event</label>
    </input>
    <input type="text" token="field2">
      <label>Time of Event</label>
    </input>
    <input type="text" token="field3">
      <label>IP in event</label>
    </input>
    <input type="text" token="field4">
      <label>Analysis Notes</label>
    </input>
  </fieldset>
  <row rejects="$field1$">
    <panel>
      <table>
        <search>
          <query>| inputlookup 478751 | table Event "Time of Event" "IP in Event" "Analysis notes"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
  <row depends="$field1$">
    <panel>
      <table>
        <search>
          <query>| inputlookup 478751 | append [ | makeresults | eval Event="$field1$", "Time of Event"="$field2$", "IP in Event"="$field3$", "Analysis notes"="$field4$" | fields - _time ] |  table Event "Time of Event" "IP in Event" "Analysis notes" | outputlookup 478751</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>

You can of course change the lookup name to match your file.

Hope this helps ...

cheers, MuS
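
A hardened variant of the dashboard in the answer above, added here as an example and not part of MuS's post. It keeps the answer's lookup name (478751) and token names. The `|s` token filter, the `cidrmatch()` IPv4 check and `append=true` are additions that the original answer does not use.

```xml
<form>
  <label>User Log (hardened variant, added example)</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="text" token="field1">
      <label>Event</label>
    </input>
    <input type="text" token="field2">
      <label>Time of Event</label>
    </input>
    <input type="text" token="field3">
      <label>IP in event</label>
    </input>
    <input type="text" token="field4">
      <label>Analysis Notes</label>
    </input>
  </fieldset>
  <row depends="$field1$">
    <panel>
      <table>
        <search>
          <!-- |s wraps each token value in double quotes and escapes embedded
               quotes, so typed text stays a string literal inside eval instead
               of being read as SPL.
               cidrmatch() drops the row when the IP field is not a valid IPv4
               address, so nothing is written for malformed input.
               append=true adds the new row to the existing lookup instead of
               reading the whole file and rewriting it on every submit. -->
          <query>| makeresults
| eval Event=$field1|s$, "Time of Event"=$field2|s$, "IP in Event"=$field3|s$, "Analysis notes"=$field4|s$
| where cidrmatch("0.0.0.0/0", 'IP in Event')
| fields - _time
| table Event "Time of Event" "IP in Event" "Analysis notes"
| outputlookup append=true 478751</query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
```

Anyone who submits the form needs write access to the lookup, so limit the lookup's write permission to the roles that are meant to log events.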

rapmancz
Explorer

Did you find the solution? It will also be useful for me...
