Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to get the data from CSV to Splunk form and get the user input for a new field that needs to appended to CSV ?

aravindp
Explorer
‎02-04-2019 09:12 PM

@the_wolverine @bwooden and Splunkers
You guys were previously disussed about how to get the data from CSV to Splunk form and get the user input for a new field that needs to appended to CSV file. Have you succeded?

Would you please share how you achieved the solution, please share the XML code.

Thanks in advance

Tags (1)
0 Karma
Reply

vishaltaneja070
Motivator
‎02-04-2019 10:56 PM

Hello @aravindp

I have created a Splunk form to add entry as well delete entry from csv. Please check this:



Dashboard to Provide any Suppress Alert info



sourcetype
sourcetype

index=* | stats count by sourcetype
-24h@h
now







  </fieldset>
  <row>
    <panel>
      <title>Delete a Row</title>
      <input type="dropdown" token="row_number_tok" searchWhenChanged="false">
        <label>Row_Number</label>
        <fieldForLabel>Row_Number</fieldForLabel>
        <fieldForValue>Row_Number</fieldForValue>
        <search>
          <query>| inputlookup Alert_Suppress1.csv| streamstats count(sourcetype) as Row_Number</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <refresh>5s</refresh>
        </search>
      </input>
      <input type="checkbox" token="delete_tok" searchWhenChanged="true">
        <label>Delete</label>
        <fieldForLabel>value</fieldForLabel>
        <fieldForValue>value</fieldForValue>
        <search>
          <query>|makeresults |eval value= "Delete"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <delimiter> </delimiter>
      </input>
               <html id="field10">
       <body>
       <a href="/app/search/alert_suppress" style="margin-left:0px">Reset</a>      
       <p /> 
       </body>
   </html>
      <table depends="$show_panel2$">
        <search>
          <done>
            <unset token="show_panel2"></unset>
          </done>
          <query>| inputlookup Alert_Suppress1.csv| streamstats count(sourcetype) as Row_Number  | eval Row_Number2= if($delete_tok|s$="Delete",$row_number_tok$,NULL) | where Row_Number != Row_Number2 | fields - Row_Number, Row_Number2 |  outputlookup Alert_Suppress1.csv</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">true</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$show_panel$">
      <title>Suppress Information</title>
      <table>
        <search>
          <query>| inputlookup Alert_Suppress1.csv| append [| makeresults |eval User=admin | eval sourcetype=$sourcetype_tok|s$ | eval START= $start_tok|s$ | eval END= $end_tok|s$  | eval Time=now() | eval Time=strftime(Time, "%d/%m/%Y %T") | eval User = $env:user|s$ |  fields - _time] | outputlookup Alert_Suppress1.csv</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
          <done>
            <unset token="show_panel"></unset>
          </done>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">true</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Suppress Information</title>
      <table>
        <search>
          <query>| inputlookup Alert_Suppress1.csv</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
          <refresh>5s</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">true</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>
0 Karma
Reply

aravindp
Explorer
‎02-04-2019 11:23 PM

@vishaltaneja07011993 Thanks for your response. I am looking at updating the existing entry either from index or from CSV. Is this possible?

I want user to add values for 2 new fields (example Sarcasm_Category and Product_Category) for the existing rows of the data. Is this Possible?

0 Karma
Reply

vishaltaneja070
Motivator
‎02-04-2019 11:44 PM

@arvinddp

yes updating the value is quite possible. you can create a panel for updating like select row_number which need to updated. And based on that you can update the values of different fields.
Like
| inputlookup Alert_Suppress1.csv | streamstats count(sourcetype) as Row_Number | eval sourcetype=if(Row_Number == 5, $tok_sourcetype|s$ , sourcetype) | outputlookup Alert_Suppress1.csv

Even if you have new fields that is also possible in the same way mentioned above.

0 Karma
Reply

aravindp
Explorer
‎02-05-2019 12:31 AM

@vishaltaneja07011993, would you please share some more light on this topic. I tried to replicate your code and amended it for update, but no luck.

0 Karma
Reply

aravindp
Explorer
‎02-04-2019 09:13 PM

I have also seen your old post https://answers.splunk.com/answers/23051/has-anyone-been-able-to-create-a-form-search-that-updates-a...
but need to know the working code

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...