Hey Splunksters,
Noob here. I have a dashboard that can add values (server names) to a lookup so users can easily blacklist servers. The xml below works. However, I need to add a button so the user can remove the server from the blacklist when they are finished. Any thoughts? Thanks!
<form>
  <label>Dashboard Blacklist Toggle</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="text" token="hostname">
      <label>Host</label>
    </input>
  </fieldset>
  <row rejects="$field1$">
    <panel>
      <table>
        <search>
          <query>| inputlookup alert_blist.csv | table host</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row depends="$field1$">
    <panel>
      <table>
        <search>
          <query>| inputlookup alert_blist.csv | append [ | makeresults | eval host="$hostname$"| fields - _time ] | table host | outputlookup alert_blist.csv</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
You don't need a button, just create a drilldown with SPL like this:
| inputlookup alert_blist.csv
| search NOT $click.name$=$click.value$
| outputlookup alert_blist.csv
Check out the Dashboard Examples app for how to build the drilldown.
Thanks again. So, I implemented the click-to-remove drilldown. However, it seems to delete the entire lookup. Moreover, it redirects to a new page. Is there a way to just add another button, rather than a drilldown click?
Dashboard Blacklist Toggle test
<input type="text" token="hostnamet" searchWhenChanged="true">
  <label>Host</label>
</input>
<panel>
  <table>
    <search>
      <query>| inputlookup alert_tblist.csv | table host</query>
      <earliest>-24h@h</earliest>
      <latest>now</latest>
    </search>
    <option name="drilldown">cell</option>
    <option name="refresh.display">progressbar</option>
    <drilldown>
      <link target="_self">search?q=%7C%20inputlookup%20alert_tblist.csv%20%0A%7C%20search%20NOT(host=%22$click.host$%22)%0A%7C%20outputlookup%20alert_tblist.csv&amp;earliest=-24h@h&amp;latest=now</link>
    </drilldown>
  </table>
</panel>
<panel>
  <table>
    <search>
      <query>| inputlookup alert_tblist.csv | append [ | makeresults | eval host="$hostnamet$"| fields - _time ] | table host | outputlookup alert_tblist.csv</query>
      <earliest>-24h@h</earliest>
      <latest>now</latest>
    </search>
    <option name="drilldown">none</option>
    <option name="refresh.display">progressbar</option>
  </table>
</panel>
I made a slight mistake. It should be NOT $click.name$=$click.value$; the answer has been edited and updated.
Thanks again for your help! Ok soooo, it technically works. However, clicking the hosts redirects to a new page that runs the query, but only after you select "run" on a Splunk outputlookup warning page, as follows:
Warning
The search you are about to run contains commands that might present a security risk. The commands are: outputlookup
Do you want to investigate the search string?
CANCEL RUN INVESTIGATE
It's weird, because I use outputlookup frequently in other contexts (like a dropdown, for instance) and it doesn't require me to select run from a warning pop-up... Anybody else seen this? Is there a way to stay on the same page (prevent redirect) after clicking the host the user wants to remove?
Yes, that is annoying; disable it like this:
https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Turning_off_the_warning
Be sure to come back and click Accept to close the question.
Here's an untested option.
| inputlookup alert_blist.csv | search NOT [ | makeresults | eval host="$hostname$"| fields host ] | table host | outputlookup alert_blist.csv
Thanks. I think I see your logic. However, I can't figure out how to "plug" it into the XML. Forgive me, I'm stooopid.
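One way to plug the removal into the dashboard without a drilldown, as an added example (not code from any poster in this thread): a radio input, whose token name "action" is an assumption, selects add or remove, and a single in-panel search rewrites alert_blist.csv. It replaces the suggested search NOT [ ... ] subsearch with a where filter and uses the |s token filter so the typed host is always quoted as a string.

```xml
<form>
  <label>Dashboard Blacklist Toggle</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="text" token="hostname">
      <label>Host</label>
    </input>
    <!-- "action" is a token name assumed for this example -->
    <input type="radio" token="action">
      <label>Action</label>
      <choice value="add">Add to blacklist</choice>
      <choice value="remove">Remove from blacklist</choice>
      <default>add</default>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <!-- Runs inside the panel on Submit: no drilldown link, so no
             redirect to the search page. The |s token filter wraps the
             value in double quotes and escapes embedded quotes, so the
             typed host stays a string literal and is never parsed as SPL. -->
        <search>
          <query>| inputlookup alert_blist.csv
| append [ | makeresults | eval host=$hostname|s$ | fields - _time ]
| dedup host
| where NOT ($action|s$="remove" AND host=$hostname|s$)
| table host
| outputlookup alert_blist.csv</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
```

The where comparison is case-sensitive, unlike the search command, so the host must be typed exactly as it is stored in the lookup.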