Solved: Re: Dashboard that contains all of the input token...

LinghGroove · ‎04-29-2022

Hello,

I'm having troubles creating a dashboard panel that can list values inserted by other users. The panel has an input field where users will put specific ip addressess that mast be added to this "list". The only solution i came up with is a lookup file that will be updated with new rows every time a user adds a value as input. I have tried this query that i saw on https://blog.avotrix.com/how-to-add-new-fields-in-existing-lookup-file/ :

This search adds just one value to the lookup file and when a new input is added it changes the last value inserted. Do you guys have a better solution or maybe an idea to make this query work?

Thanks a lot.

VatsalJagani · ‎04-29-2022

@LinghGroove - Try this search query:

| makeresults | eval IP=$added_ip_token|s$
| inputlookup ip_sospetti.csv append=true
| table IP
| outputlookup ip_sospetti.csv

I hope this helps!! Karma/upvote would be appreciated!!!

View solution in original post

VatsalJagani · ‎04-29-2022

@LinghGroove - Try this search query:

| makeresults | eval IP=$added_ip_token|s$
| inputlookup ip_sospetti.csv append=true
| table IP
| outputlookup ip_sospetti.csv

I hope this helps!! Karma/upvote would be appreciated!!!

LinghGroove · ‎04-30-2022

Hello, thanks a lot for your answer, i really appreciate your help @VatsalJagani. Your solution does indeed work. It adds the input values to the lookup file perfectly. If someone else is interested i have created another query to resolve the problem:

| inputlookup append=true ip_sospetti.csv 
| append 
[| stats count 
| eval IP="$new_ip_token$" 
| table IP] 
| fields - _time 
| outputlookup ip_sospetti.csv

Though i think that VatsalJagani solution is way better. Unfortunatly, both with my solution and with the query of Vatsal Jagani another problem have accured. When I close the dashboard and come back to use to insert a new input all the old values inserted disappear. I really don't now why. This is the dashboard:

<form script="run_action.js">
<label>IP verification</label>
<description>new dashboard with table IP</description>
<fieldset submitButton="false" autoRun="false"></fieldset>
<row>
<panel>
<title>Use the botton to eliminate the contents of the table</title>
<html>
<button class="btn btn-primary button1">Run search!</button>
</html>
</panel>
</row>
<row>
<panel>
<title>IP table</title>
<input type="text" token="new_ip_token" searchWhenChanged="true">
<label>Insert IPs to monitor</label>
<default></default>
</input>
<input type="text" token="remove_ip" searchWhenChanged="true">
<label>Insert IPs to remove</label>
</input>
<table>
<title>IP Table</title>
<search>
<query>| makeresults
| eval IP="$new_ip_token$"
| inputlookup ip_sospetti.csv append=true
| table IP
| outputlookup ip_sospetti.csv</query>
<earliest>0</earliest>
<latest></latest>
</search>
<option name="drilldown">none</option>
<option name="refresh.display">progressbar</option>
<format type="number" field="IP"></format>
</table>
</panel>
</row>

</form>

I thought it is the botton that (even if not used) that erases all the content of the table but it isn't. At this point i don't know how to proced. (i haven't yet started with the IP remove from table functionality).

Again, if someone have a better idea on how to do this i would be so grateful.

Thanks a lot.

VatsalJagani · ‎04-30-2022

@LinghGroove - Is there any reason you cannot use the Lookup editor application (https://splunkbase.splunk.com/app/1724/)?

I don't understand what is not working for you now. I don't see any reason for the search to empty the lookup.

Dashboard that contains all of the input tokens values

other

panel

token

Observability | How to Think About Instrumentation Overhead (White Paper)

Cloud Platform | Get Resiliency in the Cloud Event (Register Now!)

The Great Resilience Quest: 10th Leaderboard Update