Can I add columns to past events with a dashboard ...

patterc · ‎03-05-2020

I have a use-case with my organization that would require writing additional columns to events. The users want a dashboard that receives data every day and each row of these records needs an additional column added which can have a drop down menu to choose from.

The problem is that they want to "save" the drop down selections "back to the dashboard" which I haven't seen done in Splunk before. I think it would require a |makeresults command whenever a Submit button is clicked at the bottom of the table in question. Has anyone ever seen or done something like this?

patterc · ‎03-06-2020

We have come up with a drilldown dashboard for the data that writes the 'comment' field to a lookup CSV. The users can pull up their data that they need to work and then click on a row to add a comment. The dashboard will then do a lookup for that data to see the users comment(s) to why the data showing it's results.

anmolpatel · ‎03-05-2020

Quite a long way, though with some HTML and JS it can be done. This is at a high level.

To get started, you would want to explore the KV store to save the updated data.

Also look at NiketNilay's reponse to creating textboxes.
https://answers.splunk.com/answers/682183/how-to-add-a-textbox-as-a-cell-in-a-splunk-table.html

You can effectively replace the textbox with a dropdown with some JS or if you would want to populate it from existing data from an index, you can look at using the search manager
https://dev.splunk.com/enterprise/docs/developapps/webframework/addsearches/howtocreatesearchmngr/

You will then replace the last column for each row with a "Save" button.
The onclick() action for save button would be to update a KV store row column.
https://answers.splunk.com/answers/617305/how-can-i-give-the-to-the-users-to-save-their-sele.html

Once you've all that in place, you will need to update the searches to retrieve data from both the index and the KV store

somesoni2 · ‎03-05-2020

Data in Splunk can't be modified. Could you explain your requirement in more details, probably with some real value examples? When you say "save the dashboard", do you mean save the result show in the dashboard with your dropdown selection so that you can see the saved value later when you reload the dashboard?

patterc · ‎03-05-2020

I'm thinking that writing it to a lookup file and appending it over time. But basically, the users have columns A-G of fields they're interested in. They need to do research for each row of data and then leave a comment (which can be chosen from a drop-down list) in column H on what the status is of the row. Each day the rows change to new data. When the users click submit, it could write results to a lookup file and the lookup file could be used for analytics on each comment.

The part I'm having trouble with is getting a drop-down list in column H

somesoni2 · ‎03-05-2020

The lookup option could work for this purpose though you need to check how big it can grow over time. Larger lookups cause issues as it causes higher size of knowledge bundle.

You're currently showing the data in a table and you want column H to be dropdown (like other .NET or similar application's data grid provides)? I'm not aware of such option, at least there doesn't seem to be an in-built option for it but other splunkers here may know some customization..

Can I add columns to past events with a dashboard and save?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life