Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

how to get the data from CSV to Splunk form and get the user input for a new field that needs to appended to CSV ?

aravindp
Explorer
‎02-04-2019 09:12 PM

@the_wolverine @bwooden and Splunkers
You guys were previously disussed about how to get the data from CSV to Splunk form and get the user input for a new field that needs to appended to CSV file. Have you succeded?

Would you please share how you achieved the solution, please share the XML code.

Thanks in advance

Tags (1)
0 Karma
Reply

vishaltaneja070
Motivator
‎02-04-2019 10:56 PM

Hello @aravindp

I have created a Splunk form to add entry as well delete entry from csv. Please check this:



Dashboard to Provide any Suppress Alert info



sourcetype
sourcetype

index=* | stats count by sourcetype
-24h@h
now







  </fieldset>
  <row>
    <panel>
      <title>Delete a Row</title>
      <input type="dropdown" token="row_number_tok" searchWhenChanged="false">
        <label>Row_Number</label>
        <fieldForLabel>Row_Number</fieldForLabel>
        <fieldForValue>Row_Number</fieldForValue>
        <search>
          <query>| inputlookup Alert_Suppress1.csv| streamstats count(sourcetype) as Row_Number</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <refresh>5s</refresh>
        </search>
      </input>
      <input type="checkbox" token="delete_tok" searchWhenChanged="true">
        <label>Delete</label>
        <fieldForLabel>value</fieldForLabel>
        <fieldForValue>value</fieldForValue>
        <search>
          <query>|makeresults |eval value= "Delete"</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <delimiter> </delimiter>
      </input>
               <html id="field10">
       <body>
       <a href="/app/search/alert_suppress" style="margin-left:0px">Reset</a>      
       <p /> 
       </body>
   </html>
      <table depends="$show_panel2$">
        <search>
          <done>
            <unset token="show_panel2"></unset>
          </done>
          <query>| inputlookup Alert_Suppress1.csv| streamstats count(sourcetype) as Row_Number  | eval Row_Number2= if($delete_tok|s$="Delete",$row_number_tok$,NULL) | where Row_Number != Row_Number2 | fields - Row_Number, Row_Number2 |  outputlookup Alert_Suppress1.csv</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">true</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
  <row>
    <panel depends="$show_panel$">
      <title>Suppress Information</title>
      <table>
        <search>
          <query>| inputlookup Alert_Suppress1.csv| append [| makeresults |eval User=admin | eval sourcetype=$sourcetype_tok|s$ | eval START= $start_tok|s$ | eval END= $end_tok|s$  | eval Time=now() | eval Time=strftime(Time, "%d/%m/%Y %T") | eval User = $env:user|s$ |  fields - _time] | outputlookup Alert_Suppress1.csv</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
          <done>
            <unset token="show_panel"></unset>
          </done>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">true</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
  <row>
    <panel>
      <title>Suppress Information</title>
      <table>
        <search>
          <query>| inputlookup Alert_Suppress1.csv</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
          <sampleRatio>1</sampleRatio>
          <refresh>5s</refresh>
          <refreshType>delay</refreshType>
        </search>
        <option name="count">20</option>
        <option name="dataOverlayMode">none</option>
        <option name="drilldown">none</option>
        <option name="percentagesRow">false</option>
        <option name="refresh.display">progressbar</option>
        <option name="rowNumbers">true</option>
        <option name="totalsRow">false</option>
        <option name="wrap">true</option>
      </table>
    </panel>
  </row>
</form>
0 Karma
Reply

aravindp
Explorer
‎02-04-2019 11:23 PM

@vishaltaneja07011993 Thanks for your response. I am looking at updating the existing entry either from index or from CSV. Is this possible?

I want user to add values for 2 new fields (example Sarcasm_Category and Product_Category) for the existing rows of the data. Is this Possible?

0 Karma
Reply

vishaltaneja070
Motivator
‎02-04-2019 11:44 PM

@arvinddp

yes updating the value is quite possible. you can create a panel for updating like select row_number which need to updated. And based on that you can update the values of different fields.
Like
| inputlookup Alert_Suppress1.csv | streamstats count(sourcetype) as Row_Number | eval sourcetype=if(Row_Number == 5, $tok_sourcetype|s$ , sourcetype) | outputlookup Alert_Suppress1.csv

Even if you have new fields that is also possible in the same way mentioned above.

0 Karma
Reply

aravindp
Explorer
‎02-05-2019 12:31 AM

@vishaltaneja07011993, would you please share some more light on this topic. I tried to replicate your code and amended it for update, but no luck.

0 Karma
Reply

aravindp
Explorer
‎02-04-2019 09:13 PM

I have also seen your old post https://answers.splunk.com/answers/23051/has-anyone-been-able-to-create-a-form-search-that-updates-a...
but need to know the working code

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...