How to index data from a Form?

BansodeSantosh
Explorer

I have a requirement to collect data from a user and insert it into a Splunk index for further use.
This is like a web page where many questions are asked, with the answers in a dropdown list. The user has to select one of those answers from the list.
Once the user completes the form and clicks the SUBMIT button, the data goes to the Splunk index.

I am thinking of creating an application with a dashboard for my requirement, but I don't know how to insert data into an index.

Do you people have any idea how to do this? Your help is highly appreciated.
Thanks.

gcusello
SplunkTrust

Hi BansodeSantosh,
What happens at SUBMIT: do you save the data in a DB or in a file?
If you save the data in a DB, you can extract it from the DB using DB-Connect; if instead you save the form in a text file, you can index this file using File inputs.

If you don't want to save it, you could use "HTTP Event Collector" (see http://docs.splunk.com/Documentation/Splunk/6.6.0/Data/UsetheHTTPEventCollector ).

Bye.
Giuseppe

0 Karma

BansodeSantosh
Explorer

Thank you Cusello, I am thinking about storing the data in a CSV file and then indexing it through the File Input option.
But I don't know how to submit this data to the server where we configured this file input. Do you have any idea?

0 Karma

niketn
Legend

@BansodeSantosh, if you are already writing to CSV and storing it to an application server, then based on the type of Server (like Windows or *Nix) and also the version of your Splunk Enterprise, you would need a Splunk client software called Universal Forwarder to monitor and forward the CSV file from your Application Server to Splunk for indexing and searching. Refer to various Splunk Forwarder Deployment topologies: https://docs.splunk.com/Documentation/Splunk/latest/Forwarding/Forwarderdeploymenttopologies

Ideally, if you are doing this for an enterprise, your Splunk Administrator should carry out these tasks, as there are a lot of considerations based on performance, scaling, security etc. Remember "Splunk is only as fast as its weakest link". If you are creating a POC environment, then you can refer to Standalone Splunk Server (same server with Splunk Enterprise serving as Deployment Server, Indexer and Search Head), with Universal Forwarders installed on your Application Servers where you have files/directories to be monitored.

What @cusello is proposing is HTTP Event Collector, which allows you to send data directly from your Application Server to Splunk directly from your code. This will let you index Application data without having to deploy Universal Forwarders on your Application Servers.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
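
Added example, not part of the thread and not Splunk's own code: a server-side handler for the HTTP Event Collector route described in the answers above. It re-validates the dropdown answers against an allowlist before building the event, and keeps the HEC token on the application server. The question ids, index, sourcetype and the `SPLUNK_HEC_URL` / `SPLUNK_HEC_TOKEN` environment variable names are assumptions.

```python
import json
import os
import urllib.request

# Hypothetical form definition: question id -> allowed dropdown answers.
ALLOWED = {
    "os": {"Windows", "Linux", "macOS"},
    "mfa_enabled": {"Yes", "No"},
}


def build_hec_event(form, user, index="form_answers", sourcetype="webform:submit"):
    """Validate a submitted form server-side and return the HEC JSON body."""
    unknown = set(form) - set(ALLOWED)
    missing = set(ALLOWED) - set(form)
    if unknown or missing:
        raise ValueError(f"unexpected={sorted(unknown)} missing={sorted(missing)}")
    for question, answer in form.items():
        # The browser dropdown is not a control: re-check every value here.
        if answer not in ALLOWED[question]:
            raise ValueError(f"invalid answer for {question!r}")
    payload = {
        "index": index,            # assumed index name
        "sourcetype": sourcetype,  # assumed sourcetype
        "event": {"user": user, "answers": dict(form)},
    }
    return json.dumps(payload, sort_keys=True).encode("utf-8")


def send_to_hec(body, url=None, token=None, timeout=5):
    """POST one event to HEC and return the HTTP status code."""
    # Assumed variable names; URL looks like https://<host>:8088/services/collector/event
    url = url or os.environ["SPLUNK_HEC_URL"]
    token = token or os.environ["SPLUNK_HEC_TOKEN"]  # stays on the server, never in page JavaScript
    if not url.startswith("https://"):
        raise ValueError("HEC URL must use https so the token is not sent in clear text")
    headers = {"Authorization": f"Splunk {token}", "Content-Type": "application/json"}
    req = urllib.request.Request(url, data=body, method="POST", headers=headers)
    # urllib verifies the server certificate by default; leave that enabled.
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    sample = {"os": "Linux", "mfa_enabled": "Yes"}  # constructed sample submission
    print(build_hec_event(sample, user="alice").decode())
```

Give the token used here access only to the index that receives the form data, so a leaked token cannot write to other indexes.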

BansodeSantosh
Explorer

Thanks @niketnilay and @cusello. I think Universal forwarder on application server will be an easy option.

0 Karma

gcusello
SplunkTrust

Hi BansodeSantosh,
In one project we acquired events from a form by parsing it with a PHP script.
I'm not an expert in HTTP parsing because this job was done by a colleague.

Bye.
Giuseppe

0 Karma