Splunk Search

How to create a Splunk Allowlist Dashboard?

Italy1358
Path Finder

I am trying to create a dashboard for an allowlist. Basically the user should be able to fill in the required fields and select whether to add, remove, or reauthorize the user and update the lookup table. This is what I have so far:

 

<form version="1.1" theme="dark">
  <label>USB BAU Allowlist</label>
  <description>This is a dashboard that will allow you to add and remove users to a usb allowlist with a BAU activity.</description>
  <fieldset submitButton="true" autoRun="false">
    <input type="text" token="user_tok" searchWhenChanged="false">
      <label>User</label>
      <default></default>
    </input>
    <input type="text" token="email_tok" searchWhenChanged="false">
      <label>Email</label>
      <default></default>
    </input>
    <input type="text" token="description_tok" searchWhenChanged="false">
      <label>Description</label>
      <default></default>
    </input>
    <input type="dropdown" token="revisit_tok" searchWhenChanged="false">
      <label>Revisit</label>
      <choice value="select">Select</choice>
      <choice value="1 month">1 Month</choice>
      <choice value="2 month">2 Month</choice>
      <choice value="3 month">3 Month</choice>
      <choice value="4 month">4 Month</choice>
      <choice value="5 month">5 Month</choice>
      <choice value="6 month">6 Month</choice>
    </input>
    <input type="dropdown" token="dropdown_tok" searchWhenChanged="false">
      <label>Action</label>
      <choice value="add">Add</choice>
      <choice value="remove">Remove</choice>
      <choice value="reauthorize">Reauthorize</choice>
      <search>
        <query>
        </query>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>blah Lookup Table</title>
      <table>
        <title>blah Lookup</title>
        <search>
          <query>| inputlookup blah.csv | append [ | makeresults | eval user="$user_tok$", email="$email_tok$", description="$description_tok$", revisit="$revisit_tok$", Action="$dropdown_tok$" | fields - _time ] | table user, email, description, revisit | outputlookup blah.csv</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>

 

0 Karma
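
For the add / remove / reauthorize behaviour the question describes, one way to write the panel search (an added example, not part of the original post or of any reply). It assumes that "reauthorize" means overwriting the user's existing row with the newly submitted values, and it uses the Simple XML `|s` token filter so that text typed into the form is quoted and escaped before it reaches the SPL; the lookup name and token names are the ones from the post.

```xml
<!-- Added example: replaces the <search> element of the table panel.
     1. Load the lookup and drop any existing row for the submitted user
        (the comparison is case-sensitive, and rows with no user value
        are dropped as well).
     2. Append the submitted row unless the action is "remove" or the
        user field was left empty.
     3. Write the result back to the same lookup.
     Assumption: "add" and "reauthorize" both overwrite the user's row.
     $tok|s$ wraps the token value in quotes and escapes embedded quotes,
     so the form input is treated as a string literal, not as SPL. -->
<search>
  <query>
    | inputlookup blah.csv
    | where user!=$user_tok|s$
    | append [
        | makeresults
        | eval user=$user_tok|s$,
               email=$email_tok|s$,
               description=$description_tok|s$,
               revisit=$revisit_tok|s$,
               action=$dropdown_tok|s$
        | where action!="remove" AND user!=""
        | fields - _time ]
    | table user, email, description, revisit
    | outputlookup blah.csv
  </query>
  <earliest>-24h@h</earliest>
  <latest>now</latest>
</search>
```

The search runs with the permissions of whoever submits the form, so write access to the lookup file determines who can change the allowlist.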

richgalloway
SplunkTrust

What is your question?

---
If this reply helps you, Karma would be appreciated.
0 Karma