how to get the data from CSV to Splunk form and ge...

aravindp · ‎02-04-2019

@the_wolverine @bwooden and Splunkers
You guys were previously disussed about how to get the data from CSV to Splunk form and get the user input for a new field that needs to appended to CSV file. Have you succeded?

Would you please share how you achieved the solution, please share the XML code.

Thanks in advance

vishaltaneja070 · ‎02-04-2019

Hello @aravindp

I have created a Splunk form to add entry as well delete entry from csv. Please check this:

Alert_Suppress
Dashboard to Provide any Suppress Alert info

Sourcetype
sourcetype
sourcetype

index=* | stats count by sourcetype
-24h@h
now

Start Time in "DD/MM/YYYY HH:MM:SS" format

End Time in "DD/MM/YYYY HH:MM:SS" format

  </fieldset>
  <row>
    <panel>
      <title>Delete a Row</title>
      <input type="dropdown" token="row_number_tok" searchWhenChanged="false">
        <label>Row_Number</label>
        <fieldForLabel>Row_Number</fieldForLabel>
        <fieldForValue>Row_Number</fieldForValue>
        <search>
          <query>| inputlookup Alert_Suppress1.csv| streamstats count(sourcetype) as Row_Number</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <refresh>5s</refresh>
        </search>
      </input>
      <input type="checkbox" token="delete_tok" searchWhenChanged="true">
        <label>Delete</label>
        <fieldForLabel>value</fieldForLabel>
        <fieldForValue>value</fieldForValue>
        <search>
          <query>|makeresults |eval value= "Delete"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <delimiter> </delimiter>
      </input>
               <html id="field10">
       <body>
       <a href="/app/search/alert_suppress" style="margin-left:0px">Reset</a>      
       <p /> 
       </body>
   </html>
      <table depends="$show_panel2$">
        <search>
          <done>
            <unset token="show_panel2"></unset>
          </done>
          <query>| inputlookup Alert_Suppress1.csv| streamstats count(sourcetype) as Row_Number  | eval Row_Number2= if($delete_tok|s$="Delete",$row_number_tok$,NULL) | where Row_Number != Row_Number2 | fields - Row_Number, Row_Number2 |  outputlookup Alert_Suppress1.csv</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">true</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$show_panel$">
      <title>Suppress Information</title>
      <table>
        <search>
          <query>| inputlookup Alert_Suppress1.csv| append [| makeresults |eval User=admin | eval sourcetype=$sourcetype_tok|s$ | eval START= $start_tok|s$ | eval END= $end_tok|s$  | eval Time=now() | eval Time=strftime(Time, "%d/%m/%Y %T") | eval User = $env:user|s$ |  fields - _time] | outputlookup Alert_Suppress1.csv</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
          <done>
            <unset token="show_panel"></unset>
          </done>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">true</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Suppress Information</title>
      <table>
        <search>
          <query>| inputlookup Alert_Suppress1.csv</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
          <refresh>5s</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">true</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>

aravindp · ‎02-04-2019

@vishaltaneja07011993 Thanks for your response. I am looking at updating the existing entry either from index or from CSV. Is this possible?

I want user to add values for 2 new fields (example Sarcasm_Category and Product_Category) for the existing rows of the data. Is this Possible?

vishaltaneja070 · ‎02-04-2019

@arvinddp

yes updating the value is quite possible. you can create a panel for updating like select row_number which need to updated. And based on that you can update the values of different fields.
Like
| inputlookup Alert_Suppress1.csv | streamstats count(sourcetype) as Row_Number | eval sourcetype=if(Row_Number == 5, $tok_sourcetype|s$ , sourcetype) | outputlookup Alert_Suppress1.csv

Even if you have new fields that is also possible in the same way mentioned above.

aravindp · ‎02-05-2019

@vishaltaneja07011993, would you please share some more light on this topic. I tried to replicate your code and amended it for update, but no luck.

aravindp · ‎02-04-2019

I have also seen your old post https://answers.splunk.com/answers/23051/has-anyone-been-able-to-create-a-form-search-that-updates-a...
but need to know the working code

how to get the data from CSV to Splunk form and get the user input for a new field that needs to appended to CSV ?

Splunk Custom Visualizations App End of Life

Introducing Splunk Enterprise 9.2

Adoption of RUM and APM at Splunk