Splunk Search

Manual Input Form

gabarrygowin
Path Finder

Hi all,

Well a long night and day of reading about every post on forms and manual input to no avail.

I'm looking for a way to have my ops team input their daily checks from a Splunk dashboard (vice uploading the form daily from SharePoint).

Here's my code, but the submit button just doesn't do anything to get selected data into the indexes.

"





<![CDATA[ | inputlookup splunkcheckadmins.csv | fields "AdministratorName" | dedup "AdministratorName" ]]>





<![CDATA[ | inputlookup checkperformed.csv | fields "CheckPerformed" | dedup "CheckPerformed" ]]>




Checktype="
"
Daily
Daily
Weekly
Monthly



Check="
"
Complete, No Issues noted
Complete, No Issues noted
Complete, Issue Identified
Not Completed




Chart of Daily Checks

index=* "Splunk" AND ("Completed" OR "Not Completed") | timechart count
-24h@h
now

column


Table of Events for user="$username$" and $source$

index=_internal user=$username$ $source$ | table _time, user, sourcetype, _raw
-24h@h
now

true
true
none
row
5


"

Thoughts?

Thanks for reading!

0 Karma

gabarrygowin
Path Finder

Update:

Got things mostly working, just need help setting current user into a text field (vice current dropbox).

"***

S&I System Checks

<input type="dropdown" token="Administrator">

  <label>Administrator Performing Check:</label>

  <search>

    <query>| inputlookup splunkcheckadmins.csv | fields "Administrator" | dedup "Administrator"</query>

  </search>

  <fieldForLabel>Administrator</fieldForLabel>

  <fieldForValue>Administrator</fieldForValue>

  <prefix>Administrator="</prefix>

  <suffix>"</suffix>

</input>

<input type="dropdown" token="CheckPerformed">

  <label>System or Item Checked:</label>

  <search>

    <query>| inputlookup checkperformed.csv | fields "CheckPerformed" | dedup "CheckPerformed"</query>

  </search>

  <fieldForLabel>CheckPerformed</fieldForLabel>

  <fieldForValue>CheckPerformed</fieldForValue>

  <prefix>CheckPerformed="</prefix>

  <suffix>"</suffix>

</input>

<input type="radio" token="CheckType">

  <label>Select Checktype:</label>

  <default>Daily</default>

  <choice value="Daily">Daily</choice>

  <choice value="Weekly">Weekly</choice>

  <choice value="Monthly">Monthly</choice>

  <prefix>CheckType="</prefix>

  <suffix>"</suffix>

</input>

<input type="radio" token="CheckStatus">

  <label>Check Status:</label>

  <default>Complete, No Issues noted</default>

  <choice value="Complete, No Issues noted">Complete, No Issues noted</choice>

  <choice value="Complete, Issue Identified and being worked">Complete, Issue Identified</choice>

  <choice value="Not Completed">Not Completed</choice>

  <prefix>CheckStatus="</prefix>

  <suffix>"</suffix>

</input>





<panel>

  <table>

    <search>

      <query>|makeresults |eval _time=now() | eval $Administrator$ |eval $CheckPerformed$  | eval $CheckType$ | eval $CheckStatus$ | table _time, Administrator, CheckPerformed, CheckType, CheckStatus | outputlookup append=true GenAtomicsCheck.csv</query>

      <earliest>$earliest$</earliest>

      <latest>$latest$</latest>

    </search>

    <option name="count">10</option>

    <option name="refresh.display">progressbar</option>

  </table>

</panel>





<panel>

  <table>

    <search>

      <query>| inputlookup GenAtomicsCheck.csv | stats count by _time, Administrator, CheckPerformed, CheckStatus, CheckType | sort - _time | fields - count</query>

      <earliest>@d</earliest>

      <latest>now</latest>

      <refresh>1m</refresh>

      <refreshType>delay</refreshType>

    </search>

    <option name="count">20</option>

    <option name="refresh.display">none</option>

  </table>

</panel>

<panel>

  <single>

    <search>

      <query>| inputlookup GenAtomicsCheck.csv | chart count as CheckPerformed</query>

      <earliest>@d</earliest>

      <latest>now</latest>

      <refresh>1m</refresh>

      <refreshType>delay</refreshType>

    </search>

    <option name="colorMode">block</option>

    <option name="rangeColors">["0xd93f3c","0xf7bc38","0x65a637"]</option>

    <option name="rangeValues">[2,19]</option>

    <option name="refresh.display">none</option>

    <option name="useColors">1</option>

    <option name="useThousandSeparators">1</option>

  </single>

</panel>

***"

0 Karma

tiagofbmm
Influencer

Please let me know if the answer was useful for you. If it was, accept it and upvote. If not, give us more input so we can help you with that.

0 Karma

gabarrygowin
Path Finder

Hi!

Thanks for the response, had to step away from this for a day.

How's this? Yes, trying to provide a simple form that people use to select a couple items and submit the selected data to Splunk. Not really concerned which index.

S&I System Checks

<input type="dropdown" token="AdministratorName">

  <label>Administrator Performing Check:</label>

  <search>

    <query>| inputlookup splunkcheckadmins.csv | fields "AdministratorName" | dedup "AdministratorName"</query>
  </search>

  <fieldForLabel>AdministratorName</fieldForLabel>

  <fieldForValue>AdministratorName</fieldForValue>

</input>

<input type="dropdown" token="CheckPerformed">

  <label>System or Item Checked:</label>

  <search>

    <query>| inputlookup checkperformed.csv | fields "CheckPerformed" | dedup "CheckPerformed"</query>

  </search>

  <fieldForLabel>CheckPerformed</fieldForLabel>

  <fieldForValue>CheckPerformed</fieldForValue>

</input>

<input type="radio">

  <label>Select Checktype:</label>

  <prefix>Checktype="</prefix>

  <suffix>"</suffix>

  <default>Daily</default>

  <choice value="Daily">Daily</choice>

  <choice value="Weekly">Weekly</choice>

  <choice value="Monthly">Monthly</choice>

</input>

<input type="radio">

  <label>Check Status:</label>

  <prefix>Check="</prefix>

  <suffix>"</suffix>

  <default>Complete, No Issues noted</default>

  <choice value="Complete, No Issues noted">Complete, No Issues noted</choice>

  <choice value="Complete, Issue Identified and being worked">Complete, Issue Identified</choice>

  <choice value="Not Completed">Not Completed</choice>

</input>
0 Karma

tiagofbmm
Influencer

Hi

Help me understand. Do you want to create a dashboard that has a table where people fill some things in it and then collect that data into a specific index?

Could you clean up the way you show your code so it is understandable what is going on where?

0 Karma