Archive
Highlighted

In Splunk, is it possible for users to write and edit a data form (similar to Google/Excel spreadsheet) for later analysis?

Explorer

Hi Experts,

I want to allow users to feed data over Splunk portal like how people feed data on Google online spreadsheet.

Later I will use this data to do analysis.

Is there any option to enable this type of feature in Splunk?

Tags (2)
0 Karma
Highlighted

Re: In Splunk, is it possible for users to write and edit a data form (similar to Google/Excel spreadsheet) for later analysis?

SplunkTrust
SplunkTrust

Splunk is essentially not a data entry tool. Could you provide more details on what (why) you're trying to do in Splunk?

0 Karma
Highlighted

Re: In Splunk, is it possible for users to write and edit a data form (similar to Google/Excel spreadsheet) for later analysis?

Builder

First of all, understand that Splunk's data are immutable. Once the event is in, you cannot change it anymore. It's a WORM (Write Once, Read Many) data repository. So editing data like Google Docs allows you to do is against the Splunk's nature, and I would mark it "impossible" for most intents and purposes.

However, if you want to save user's input as an event, you can do that with a variety of ways. The form you use does not have to be in Splunk - in fact, it will be easier to have it separately somewhere. Then, once the input is complete and the user presses something like "Submit" button, you can form the event - with timestamp and fields, best done in timestamp, name=value format, comma or space separated - and send it over.

So where to "send it over"? On the Splunk side, you can create a TCP or UDP data input which would listen on a port of your choice where you would then send your data. The index, sourcetype and other metadata would be determined by your inputs.conf (the input can be created interactively via Splunk Web). If you want more control on your online form side, take a look into HttpEventCollector - it's a relatively new, but immensely useful feature.

0 Karma
Highlighted

Re: In Splunk, is it possible for users to write and edit a data form (similar to Google/Excel spreadsheet) for later analysis?

Legend

You can try exploring Lookup File Editor App on Splunkbase it is not Splunk Certified or Supported however, the app is supported on Splunk Enteprise version 6.1 through 6.5.

This app will allow you to edit and save CSV as lookup table to Splunk similar to the way Excel is used.




| eval message="Happy Splunking!!!"


0 Karma