Dashboards & Visualizations

How can I add text from a box to a lookup by clicking a button?

MartyJ
Loves-to-Learn

Hi all

I am trying to add a text box and a button to a visualisation as a way a adding a 'commentary' on the chart. For example, if the chart shows something unusual, I'd like to be able to enter a reason in the text box e.g. 'Some figures for this month are missing', then click the button and the current date and that comment from the box would be added to the lookup.

I do currently have a solution of sorts but it's very clunky as it involves setting a token in a text box and then a html button which opens a URL but the URL is actually the search (search?q=%7Cmakresults%0A%7Ceval%20Date%3D...). This results in a new tab being opened and the

Labels (1)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @MartyJ ,

it isn't so immediate, I developed a solution with JS and a solution without, this is the solution without:

Obviously you can only modify a field in a lookup and not in an index, and use a KV-Store:

<form version="1.1">
  <label>Manage All Cases</label>
  <fieldset submitButton="false" autoRun="false">
    <input type="radio" token="resetTokens" searchWhenChanged="true">
      <label/>
      <choice value="reset">Reset Inputs</choice>
      <choice value="retain">Retain</choice>
      <default>reset</default>
      <change>
        <condition value="reset">
          <unset token="_key"/>
          <unset token="timestamp"/>
          <unset token="User_Name"/>
          <unset token="Status"/>
          <set token="resetTokens">retain</set>
        </condition>
      </change>
    </input>
  </fieldset>
  <row>
    <panel>
      <input type="dropdown" token="User_Name">
        <label>User Name</label>
        <choice value="*&quot; OR NOT User_Name=&quot;*">All</choice>
        <prefix>User_Name="</prefix>
        <suffix>"</suffix>
        <fieldForLabel>User_Name</fieldForLabel>
        <fieldForValue>User_Name</fieldForValue>
        <search>
          <query>
          | inputlookup open_cases
          | dedup User_Name
          | sort User_Name
          | table User_Name
        </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <default>*" OR NOT User_Name="*</default>
      </input>
      <input type="dropdown" token="Status">
        <label>Status</label>
        <choice value="*">All</choice>
        <prefix>Status="</prefix>
        <suffix>"</suffix>
        <fieldForLabel>Status</fieldForLabel>
        <fieldForValue>Status</fieldForValue>
        <search>
          <query>
          | inputlookup open_cases WHERE Status!="Escalation"
          | dedup Status
          | sort Status
          | table Status
        </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <default>*</default>
      </input>
      <table id="master">
        <title>Total All Cases = $server_count$</title>
        <search>
          <query>
            | inputlookup my_lookup WHERE $User_Name$ $Status$
            | eval Time=strftime(TimeStamp,"%d/%m/%Y %H:%M:%S"), key=_key 
            | table key Time Status User_Name TimeStamp
          </query>
          <sampleRatio>1</sampleRatio>
          <progress>
            <set token="server_count">$job.resultCount$</set>
          </progress>
          <cancelled>
            <unset token="server_count"/>
          </cancelled>
        </search>
        <option name="count">10</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">row</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <fields>["_key","Time","Status","Notes","User_Name"]</fields>
        <drilldown>
          <set token="key">$row.key$</set>
          <set token="timestamp">$row.TimeStamp$</set>
          <set token="alertname">$row.Alert_Name$</set>
          <set token="description">$row.Description$</set>
          <set token="status">$row.Status$</set>
          <set token="notes">$row.Notes$</set>
          <set token="username">$row.User_Name$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Modify Row</title>
      <input type="dropdown" token="status_to_update">
        <label>Status</label>
        <default>$status$</default>
        <search>
          <query/>
        </search>
        <choice value="Closed">Closed</choice>
        <choice value="Work-in-progress">Work-in-progress</choice>
        <choice value="Escalation">Escalation</choice>
        <choice value="Stand-By">Stand-By</choice>
      </input>
      <input type="text" token="notes_to_update">
        <label>Add Notes</label>
        <default>$notes$</default>
      </input>
      <table id="detail" depends="$key$">
        <title>Row to modify</title>
        <search>
          <query>
            | makeresults 1
            | eval key="$key$", TimeStamp="$timestamp$",  Status="$status_to_update$", Notes="$notes_to_update$", Time=strftime($timestamp$,"%d/%m/%Y %H:%M:%S")
| rename username AS User_Name | fields User_Name]
            | table key Time TimeStamp Status Notes User_Name
          </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
<fields>_key,Time,Status,Notes,User_Name</fields>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">row</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
        <drilldown>
          <set token="status_updated">$row.Status$</set>
          <set token="notes_updated">$row.Notes$</set>
          <set token="username_updated">$row.User_Name$</set>
        </drilldown>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <table id="detail2" depends="$status_to_update$">
        <title>Modified Lookup row</title>
        <search>
          <query>
            | inputlookup my_lookup
            | eval 
              Status=if(_key="$key$","$status_updated$",Status),
              Notes=if(_key="$key$","$notes_updated$",Notes),
              User_Name=if(_key="$key$","$username_updated$",User_Name)
            | search _key="$key$"
            | outputlookup open_cases append=true
            | eval key=_key
            | collect addtime=true index=summary_alerts
            | eval Time=strftime(TimeStamp,"%d/%m/%Y %H:%M:%S"), key=_key
            | table key Time TimeStamp Alert_Name Description Status Notes User_Name
            </query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
<fields>_key,Time,Status,Notes,User_Name</fields>
        <option name="count">100</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="rowNumbers">false</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

Don't copy my dashboard but see the approach and adapt it to your real case.

Ciao.

Giuseppe

ITWhisperer
SplunkTrust
SplunkTrust

Try something along these lines:

  1. Have the "button" set a token, e.g. "add_comment"
  2. Have a (hidden) search which is dependent on the token e.g. "| eval _active="$add_comment$"
  3. Update the lookup in the (hidden) search (using the text box token)
  4. In the <done> handler of the search, unset the "add_comment" token

The idea is that the (hidden) search is executed whenever the add_comment token is not null, and it resets the token to null when the search is complete (ready for the next time).

0 Karma

MartyJ
Loves-to-Learn

Hi, sorry for the lack of reply

I'm afraid it didn't work for me, I ended up having to use the button to open a search in a new tab.

Is there actually a way to run a search from a button without displaying the results?

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

What sort of button are you using? Do you mean the Submit button? Please provide more details of what you tried and how it failed?

0 Karma

MartyJ
Loves-to-Learn

Hi, basically I had a html button in a panel, next to a text box. When clicked, the button was supposed to run a search which added the text entered in the panel into a lookup. The problem is, the only way to get the button to do this was to use the full URL of the search, opening in a new tab.

When I tried the javascript approach, I was getting messages about running potentially-unsafe scripts but the original method worked so I stuck with that. I just want to know if it's possible to use a html button to run a search, without opening in a new tab. I have tried various ways but haven't had any success.

Thanks

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @MartyJ ,

as I described, you can use a text input instead an html, it's easier.

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...