Splunk Dev
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

In Splunk, is it possible for users to write and edit a data form (similar to Google/Excel spreadsheet) for later analysis?

chanduira
Explorer
‎12-23-2016 05:37 AM

Hi Experts,

I want to allow users to feed data over Splunk portal like how people feed data on Google online spreadsheet.

Later I will use this data to do analysis.

Is there any option to enable this type of feature in Splunk?

Tags (2)
0 Karma
Reply

niketn
Legend
‎12-23-2016 08:37 AM

You can try exploring Lookup File Editor App on Splunkbase it is not Splunk Certified or Supported however, the app is supported on Splunk Enteprise version 6.1 through 6.5.

This app will allow you to edit and save CSV as lookup table to Splunk similar to the way Excel is used.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply

arkadyz1
Builder
‎12-23-2016 08:16 AM

First of all, understand that Splunk's data are immutable. Once the event is in, you cannot change it anymore. It's a WORM (Write Once, Read Many) data repository. So editing data like Google Docs allows you to do is against the Splunk's nature, and I would mark it "impossible" for most intents and purposes.

However, if you want to save user's input as an event, you can do that with a variety of ways. The form you use does not have to be in Splunk - in fact, it will be easier to have it separately somewhere. Then, once the input is complete and the user presses something like "Submit" button, you can form the event - with timestamp and fields, best done in timestamp, name=value format, comma or space separated - and send it over.

So where to "send it over"? On the Splunk side, you can create a TCP or UDP data input which would listen on a port of your choice where you would then send your data. The index, sourcetype and other metadata would be determined by your inputs.conf (the input can be created interactively via Splunk Web). If you want more control on your online form side, take a look into HttpEventCollector - it's a relatively new, but immensely useful feature.

0 Karma
Reply

somesoni2
Revered Legend
‎12-23-2016 07:03 AM

Splunk is essentially not a data entry tool. Could you provide more details on what (why) you're trying to do in Splunk?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...