Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

how to get the data from CSV to Splunk form and get the user input for a new field that needs to appended to CSV ?

aravindp
Explorer
‎02-04-2019 09:12 PM

@the_wolverine @bwooden and Splunkers
You guys were previously disussed about how to get the data from CSV to Splunk form and get the user input for a new field that needs to appended to CSV file. Have you succeded?

Would you please share how you achieved the solution, please share the XML code.

Thanks in advance

Tags (1)
0 Karma
Reply

vishaltaneja070
Motivator
‎02-04-2019 10:56 PM

Hello @aravindp

I have created a Splunk form to add entry as well delete entry from csv. Please check this:



Dashboard to Provide any Suppress Alert info



sourcetype
sourcetype

index=* | stats count by sourcetype
-24h@h
now







  </fieldset>
  <row>
    <panel>
      <title>Delete a Row</title>
      <input type="dropdown" token="row_number_tok" searchWhenChanged="false">
        <label>Row_Number</label>
        <fieldForLabel>Row_Number</fieldForLabel>
        <fieldForValue>Row_Number</fieldForValue>
        <search>
          <query>| inputlookup Alert_Suppress1.csv| streamstats count(sourcetype) as Row_Number</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <refresh>5s</refresh>
        </search>
      </input>
      <input type="checkbox" token="delete_tok" searchWhenChanged="true">
        <label>Delete</label>
        <fieldForLabel>value</fieldForLabel>
        <fieldForValue>value</fieldForValue>
        <search>
          <query>|makeresults |eval value= "Delete"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <delimiter> </delimiter>
      </input>
               <html id="field10">
       <body>
       <a href="/app/search/alert_suppress" style="margin-left:0px">Reset</a>      
       <p /> 
       </body>
   </html>
      <table depends="$show_panel2$">
        <search>
          <done>
            <unset token="show_panel2"></unset>
          </done>
          <query>| inputlookup Alert_Suppress1.csv| streamstats count(sourcetype) as Row_Number  | eval Row_Number2= if($delete_tok|s$="Delete",$row_number_tok$,NULL) | where Row_Number != Row_Number2 | fields - Row_Number, Row_Number2 |  outputlookup Alert_Suppress1.csv</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">true</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$show_panel$">
      <title>Suppress Information</title>
      <table>
        <search>
          <query>| inputlookup Alert_Suppress1.csv| append [| makeresults |eval User=admin | eval sourcetype=$sourcetype_tok|s$ | eval START= $start_tok|s$ | eval END= $end_tok|s$  | eval Time=now() | eval Time=strftime(Time, "%d/%m/%Y %T") | eval User = $env:user|s$ |  fields - _time] | outputlookup Alert_Suppress1.csv</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
          <done>
            <unset token="show_panel"></unset>
          </done>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">true</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Suppress Information</title>
      <table>
        <search>
          <query>| inputlookup Alert_Suppress1.csv</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
          <refresh>5s</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">true</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>
0 Karma
Reply

aravindp
Explorer
‎02-04-2019 11:23 PM

@vishaltaneja07011993 Thanks for your response. I am looking at updating the existing entry either from index or from CSV. Is this possible?

I want user to add values for 2 new fields (example Sarcasm_Category and Product_Category) for the existing rows of the data. Is this Possible?

0 Karma
Reply

vishaltaneja070
Motivator
‎02-04-2019 11:44 PM

@arvinddp

yes updating the value is quite possible. you can create a panel for updating like select row_number which need to updated. And based on that you can update the values of different fields.
Like
| inputlookup Alert_Suppress1.csv | streamstats count(sourcetype) as Row_Number | eval sourcetype=if(Row_Number == 5, $tok_sourcetype|s$ , sourcetype) | outputlookup Alert_Suppress1.csv

Even if you have new fields that is also possible in the same way mentioned above.

0 Karma
Reply

aravindp
Explorer
‎02-05-2019 12:31 AM

@vishaltaneja07011993, would you please share some more light on this topic. I tried to replicate your code and amended it for update, but no luck.

0 Karma
Reply

aravindp
Explorer
‎02-04-2019 09:13 PM

I have also seen your old post https://answers.splunk.com/answers/23051/has-anyone-been-able-to-create-a-form-search-that-updates-a...
but need to know the working code

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...