Dashboards & Visualizations

dashboard can add value to lookup through submit button.,,,Need a button to remove from lookup (so users can blacklist and whitelist servers)

spluzer
Communicator

Hey Splunksters,

Noob here. I have a dashboard that can add values (server names) to a lookup so users can easily blacklist servers. The xml below works. However, I need to add a button so the user can remove the server from the blacklist when they are finished. Any thoughts? Thanks!

<form>
  <label>Dashboard Blacklist Toggle</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="text" token="hostname">
      <label>Host</label>
    </input>
  </fieldset>
  <row rejects="$field1$">
    <panel>
      <table>
        <search>
          <query>| inputlookup alert_blist.csv | table host</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row depends="$field1$">
    <panel>
      <table>
        <search>
          <query>| inputlookup alert_blist.csv | append [ | makeresults | eval host="$hostname$"| fields - _time ] |  table host  | outputlookup alert_blist.csv</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
Tags (3)
0 Karma
1 Solution

woodcock
Esteemed Legend

You don't need a button, just create a drilldown with SPL like this:

| inputlookup alert_blist.csv
| search NOT $click.name$=$click.value$
| outputlookup alert_blist.csv

Check out the Dashboard Examples app for how to build the drilldown.

View solution in original post

woodcock
Esteemed Legend

You don't need a button, just create a drilldown with SPL like this:

| inputlookup alert_blist.csv
| search NOT $click.name$=$click.value$
| outputlookup alert_blist.csv

Check out the Dashboard Examples app for how to build the drilldown.

View solution in original post

spluzer
Communicator

Thanks again. So, I implemented the click to remove drilldown. However, it seems to delete the entire lookup. Moreover, it redirects to a new page. Is there a way to just add another button? rather than drilldown click?

Dashboard Blacklist Toggle test

<input type="text" token="hostnamet" searchWhenChanged="true">
  <label>Host</label>
</input>


<panel>
  <table>
    <search>
      <query>| inputlookup alert_tblist.csv | table host</query>
      <earliest>-24h@h</earliest>
      <latest>now</latest>
    </search>
    <option name="drilldown">cell</option>
     <option name="refresh.display">progressbar</option>
    <drilldown>
      <link target="_self">search?q=%7C%20inputlookup%20alert_tblist.csv%20%0A%7C%20search%20NOT(host=%22$click.host$%22)%0A%7C%20outputlookup%20alert_tblist.csv&amp;earliest=-24h@h&amp;latest=now</link>
    </drilldown>
  </table>
</panel>


<panel>
  <table>
    <search>
      <query>| inputlookup alert_tblist.csv | append [ | makeresults | eval host="$hostnamet$"| fields - _time ] |  table host  | outputlookup alert_tblist.csv</query>
      <earliest>-24h@h</earliest>
      <latest>now</latest>
    </search>
    <option name="drilldown">none</option>
    <option name="refresh.display">progressbar</option>
  </table>
</panel>
0 Karma

woodcock
Esteemed Legend

I made a slight mistake. It should be NOT $click.name$=$click.value$; the answer has been edited and updated.

0 Karma

spluzer
Communicator

Thanks again for your help! Ok soooo, It technically works. However, clicking the hosts redirects to a new page, that runs the query, but only after you select "run" on a splunk outputlookup warning page as follows:

Warning

The search you are about to run contains commands that might present a security risk. The commands are: outputlookup

Do you want to investigate the search string?|

CANCEL RUN INVESTIGATE

. Its weird, because I use outputlookup frequently in other context (like a dropdown for instance) and it doesn't require me to select run from a warning pop-up...Anybody else seen this. Is there a way to stay on the same page (prevent redirect) after clicking the host the user wants to remove?

0 Karma

woodcock
Esteemed Legend

Yes, that is annoying; disable it like this:
https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Turning_off_the_warning

Be sure to come back and click Accept to close the question.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Here's an untested option.

| inputlookup alert_blist.csv | search NOT [ | makeresults | eval host="$hostname$"| fields host ] |  table host  | outputlookup alert_blist.csv
---
If this reply helps you, an upvote would be appreciated.
0 Karma

spluzer
Communicator

Thanks. I think I see your logic. However, I can't figure out how to "plug " it in to the xml. Forgive me, I'm stooopid.

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!