Dashboards & Visualizations

Delete rows from dashboard

Saikat001
Explorer

Lets say, i have a dashboard that fetches data from a csv and displays it in table format. i want to delete a particular entry from the table using the dashboard and not by manually opening the csv and deleting the entry. how to achieve this ?

Labels (4)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Here is a dashboard (without python/javascript/etc.) that allow you to add and remove rows from a csv - it uses only one field which is assumed to be unique (at least as far as deletes are concerned) that is all events with the key equal to the delete value will be removed. This obviously would need modifying for your use case, but could be used as a starting point.

<form>
  <label>csv editor</label>
  <fieldset submitButton="false">
    <input type="text" token="addvalue" searchWhenChanged="true">
      <label>Key to add</label>
      <change>
        <eval token="add">$value$</eval>
      </change>
    </input>
    <input type="text" token="delvalue" searchWhenChanged="true">
      <label>Key to delete</label>
      <change>
        <eval token="delete">$value$</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| inputlookup store.csv
          | eval dummy=$time$
          | table key
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel depends="$alwayshide$">
      <table>
        <search>
          <query>| makeresults
          | eval key="$add$"
          | table key
          | outputlookup store.csv append=t
          </query>
          <done>
            <eval token="time">now()</eval>
          </done>
        </search>
      </table>
    </panel>
    <panel depends="$alwayshide$">
      <table>
        <search>
          <query>| inputlookup store.csv
          | where key!="$delete$"
          | table key
          | outputlookup store.csv append=f
          </query>
          <done>
            <eval token="time">now()</eval>
          </done>
        </search>
      </table>
    </panel>
  </row>
</form>

 

View solution in original post

rupkumar4sec
Path Finder

Looks like we have solution for this in another Splunk answer. Check below link once. 

https://community.splunk.com/t5/Splunk-Search/I-want-to-modify-Lookup-file-directly-through-the-dash... 

You may need to play with python little bit.

richgalloway
SplunkTrust
SplunkTrust

Use the Lookup Editor app.  Or add some JavaScript code to the dashboard that accepts user input and sets a field in the row(s) to be deleted.  The dashboard then needs to re-write the CSV, omitting the marked row(s).

---
If this reply helps you, Karma would be appreciated.

ITWhisperer
SplunkTrust
SplunkTrust

outputlookup can be used to rewrite the csv file, so create a search that has all but the deleted event in and save that

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Here is a dashboard (without python/javascript/etc.) that allow you to add and remove rows from a csv - it uses only one field which is assumed to be unique (at least as far as deletes are concerned) that is all events with the key equal to the delete value will be removed. This obviously would need modifying for your use case, but could be used as a starting point.

<form>
  <label>csv editor</label>
  <fieldset submitButton="false">
    <input type="text" token="addvalue" searchWhenChanged="true">
      <label>Key to add</label>
      <change>
        <eval token="add">$value$</eval>
      </change>
    </input>
    <input type="text" token="delvalue" searchWhenChanged="true">
      <label>Key to delete</label>
      <change>
        <eval token="delete">$value$</eval>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <query>| inputlookup store.csv
          | eval dummy=$time$
          | table key
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
    <panel depends="$alwayshide$">
      <table>
        <search>
          <query>| makeresults
          | eval key="$add$"
          | table key
          | outputlookup store.csv append=t
          </query>
          <done>
            <eval token="time">now()</eval>
          </done>
        </search>
      </table>
    </panel>
    <panel depends="$alwayshide$">
      <table>
        <search>
          <query>| inputlookup store.csv
          | where key!="$delete$"
          | table key
          | outputlookup store.csv append=f
          </query>
          <done>
            <eval token="time">now()</eval>
          </done>
        </search>
      </table>
    </panel>
  </row>
</form>

 

Saikat001
Explorer

This works definitely . Thank you very much .  😁😎

Though one thing to highlight, this would work good for small to medium size csv's. For larger csv's, to delete one Field, the whole csv gets re-written which might face some issues.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

I should have added that because the key to be deleted is based on a token being set, this could be done through a drill down on the table being viewed, although you still might want to have an "are you sure" step e.g. display the key in another panel or input and click / drilldown from there to send the key for deletion.

0 Karma
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...