Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is it possible to make an app that can save information to an index that is input by a user?

fd26645
Path Finder
‎04-26-2015 03:53 AM

I made a dashboard that reports on backup success/failure.

Users are requesting the ability to add comments to the results or add a checkbox or something that indicates if a failure has been resolved.

To the best of my knowledge Splunk doesn't have the ability to write to the index after the fact. The data always stays in its original format once it has been indexed. So I need some suggestions on how to go about doing this. I would have to link the results of a search to an external database of some kind. I was thinking if I could somehow cause the dashboard interface to generate events that I would collect in another index and then correlate that to the original search results, that might work.

Any suggestions?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

stephanefotso
Motivator
‎04-26-2015 04:46 AM

yes it is possible. With the collect command, you can ubdate your index.
Let suppose that you have an index called myindex which has certain events, with two fields ( field1, field2). And then you want your users to update myindex (add new events), with a custom field. Let say comments field. Here you go:

  1. You have a text box where a user can enter a comment.

  2. After a user entered his comment, you can update myindex by simply execute a query like this:

    index=myindex ....... |eval comments="$your_textbox_token$"|table field1 field2 comments|collect index=myindex marker="report=\"report1\"
    myindex will now has new events, with users comments, and you could be able to report on it.
    eg: index=myindex report="report1"|table field1 field2 comments

Thanks!
Stephane

SGF

View solution in original post

Reply
Solved! Jump to solution
Solution

stephanefotso
Motivator
‎04-26-2015 04:46 AM

yes it is possible. With the collect command, you can ubdate your index.
Let suppose that you have an index called myindex which has certain events, with two fields ( field1, field2). And then you want your users to update myindex (add new events), with a custom field. Let say comments field. Here you go:

  1. You have a text box where a user can enter a comment.

  2. After a user entered his comment, you can update myindex by simply execute a query like this:

    index=myindex ....... |eval comments="$your_textbox_token$"|table field1 field2 comments|collect index=myindex marker="report=\"report1\"
    myindex will now has new events, with users comments, and you could be able to report on it.
    eg: index=myindex report="report1"|table field1 field2 comments

Thanks!
Stephane

SGF
Reply
Solved! Jump to solution

fd26645
Path Finder
‎04-26-2015 04:54 AM

That is great! Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Search APIを使えば調査過程が残せます

   このゲストブログは、JCOM株式会社の情報セキュリティ本部・専任部長である渡辺慎太郎氏によって執筆されました。 Note: This article is published in both Japanese ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...