Splunk Search

How to create a drop down with add and remove choices that will then remove or add the user?

Italy1358
Path Finder

Would like a way to create a drop down with add and remove choices that will then remove or add the user from the lookup table. So far I have:

<input type="dropdown" token="dropdown_tok" searchWhenChanged="false">
<label>Action</label>
<choice value="add">Add</choice>
<choice value="remove">Remove</choice>
<choice value="reauthorize">Add</choice>
<search>
<query>
</query>
</search>
</input>

Any help would be great!

0 Karma

ITWhisperer
SplunkTrust

You can use outputlookup to rewrite a lookup kv store. Obviously, you should be careful to ensure you don't lose all the entries accidentally. For example, you could list the contents of the store; when the user selects a row to be removed, use the drilldown to move it to a "validation" panel; when they then check that the action is what they want, remove the row from the list and rewrite the lookup store. Personally, I have done this with an additional check that also only enables this for certain users, e.g. me 😀. Also, the rewrite is done in a hidden panel so it is less easy for the users to bypass this check.

0 Karma

Italy1358
Path Finder

@ITWhisperer 

Could you provide me with a sample? I am new to Splunk and I think I understand your response, but would like a visual if possible.

0 Karma

ITWhisperer
SplunkTrust

Disclaimer: This is a cut-down version of what I use - there is no guarantee that it will work for you - use with extreme caution - I accept no responsibility for any loss to your data, etc.

<form>
  <label></label>
  <search>
    <query>
index=foo
| eval allowedit=if($env:user|s$="updater","true",null())
    </query>
    <earliest>-15m@m</earliest>
    <latest>@m</latest>
    <done>
      <condition match=" 'result.allowedit'=&quot;true&quot;">
        <set token="allowedit">$result.allowedit$</set>
      </condition>
    </done>
  </search>
  <init>
    <eval token="refresh">now()</eval>
  </init>
  <row>
    <panel>
      <table>
        <search>
          <query>
| inputlookup lookup.csv
| eval dummy=$refresh$
| table field1 field2 field3
          </query>
          <earliest>0</earliest>
          <latest></latest>
        </search>
        <option name="drilldown">row</option>
        <option name="refresh.display">progressbar</option>
        <drilldown>
          <eval token="csvfield1">$row.field1$</eval>
          <eval token="csvfield2">$row.field2$</eval>
          <eval token="csvfield3">$row.field3$</eval>
          <unset token="form.updatecsvconfirm"></unset>
        </drilldown>
      </table>
    </panel>
    <panel depends="$allowedit$">
      <title></title>
      <input type="text" token="csvfield1" searchWhenChanged="false">
        <label>Field1</label>
      </input>
      <input type="text" token="csvfield2" searchWhenChanged="false">
        <label>Field2</label>
      </input>
      <input type="text" token="csvfield3" searchWhenChanged="false">
        <label>Field3</label>
      </input>
      <input type="checkbox" token="updatecsvconfirm" searchWhenChanged="true">
        <label>Confirm to save</label>
        <change>
          <condition match="$updatecsvconfirm$=&quot;OK&quot;">
            <set token="updatefield1">$csvfield1$</set>
            <set token="updatefield2">$csvfield2$</set>
            <set token="updatefield3">$csvfield3$</set>
          </condition>
        </change>
        <choice value="OK">Confirmed</choice>
        <delimiter> </delimiter>
      </input>
    </panel>
    <panel depends="$alwaysHide$">
      <table>
        <search>
          <query>
| inputlookup lookup.csv
| eval dummy="$updatecsvconfirm$"
| fields - dummy
| append
  [| makeresults
  | fields - _time
  | eval field1="$updatefield1$"
  | eval field2="$updatefield2$"
  | eval field3="$updatefield3$"]
| outputlookup lookup.csv append=f
          </query>
          <done>
            <eval token="refresh">now()</eval>
            <unset token="form.updatecsvconfirm"></unset>
          </done>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
0 Karma

Italy1358
Path Finder

I still need help getting my dropdown choices to work. I have an add and a remove. When add is selected and you press submit, it should add the user to the lookup table, but if remove is selected and you press submit, it should remove the row with that user's name. @ITWhisperer 

0 Karma

ITWhisperer
SplunkTrust

You could do that with another panel / option which removes the matching line:

| inputlookup lookup.csv
| eval dummy="$deletecsvconfirm$"
| fields - dummy
| where NOT (field1="$updatefield1$" AND field2="$updatefield2$" AND field3="$updatefield3$")
| outputlookup lookup.csv append=f

0 Karma

Italy1358
Path Finder

<input type="dropdown" token="dropdown_tok" searchWhenChanged="false">
      <label>Action</label>
      <choice value="add">Add</choice>
      <choice value="remove">Remove</choice>
      <choice value="reauthorize">Reauthorize</choice>
      <search>
        <query>
        </query>
      </search>
    </input>
  </fieldset>
  <row>
    <panel>
      <title>USB BAU Lookup Table</title>

Am I able to add the query right under the dropdown query area?

      <table>
       </form>

@ITWhisperer 

0 Karma
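
Added example (not part of the thread and not ITWhisperer's dashboard): one way to drive both actions from the dropdown with a single hidden write-back search, using the `|s` token filter so typed values are quoted and escaped before they reach the SPL. The token names `action_tok` and `user_tok` are assumptions made for this sketch; `lookup.csv` and `field1` are the placeholders used earlier in the thread, and the other columns are left empty on an add.

```xml
<form>
  <label>Lookup editor (added example)</label>
  <fieldset submitButton="true">
    <!-- Static choices only: a <search> inside an <input> is for
         populating choices dynamically, not for acting on the selection. -->
    <input type="dropdown" token="action_tok" searchWhenChanged="false">
      <label>Action</label>
      <choice value="add">Add</choice>
      <choice value="remove">Remove</choice>
    </input>
    <input type="text" token="user_tok" searchWhenChanged="false">
      <label>User</label>
    </input>
  </fieldset>
  <row>
    <!-- Hidden panel, same trick as in the thread: $alwaysHide$ is never set. -->
    <panel depends="$alwaysHide$">
      <table>
        <!-- How the query works:
             1. Drop any existing row for this user (rows with an empty
                field1 are kept), so "add" never creates a duplicate.
             2. Append the new row only when the action is "add".
             3. override_if_empty=false leaves lookup.csv untouched if the
                result set is empty, so a bad run cannot wipe the file.
                Trade-off: the last remaining row cannot be removed here. -->
        <search>
          <query>
| inputlookup lookup.csv
| where isnull(field1) OR field1!=$user_tok|s$
| append
  [| makeresults
  | fields - _time
  | where $action_tok|s$="add"
  | eval field1=$user_tok|s$]
| outputlookup lookup.csv append=f override_if_empty=false
          </query>
        </search>
        <option name="drilldown">none</option>
      </table>
    </panel>
  </row>
</form>
```

The `depends` attribute only hides the panel; whether a given user can actually rewrite `lookup.csv` is decided by the write permissions on the lookup for that user's role.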