Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

I want to modify Lookup file directly through the dashboard

qkwltk
Path Finder
‎11-05-2012 12:33 AM

Hi, Nice to Meet you.
I am junior Splunk Developer.

Please Help me for my Hard Work..
The contents are as follow below

I want to Make Function that

  1. when users enter the dashboard panel,
  2. then insert something they want through textfield.
  3. and click the save button
  4. modify /etc/apps/[myapp]/lookup/myfile.csv file directly.

Look-up file to modify and add, delete.

I look forward your perfect answer.
Sincerely yours

Tags (3)
Reply
1 Solution
Solved! Jump to solution
Solution

MHibbin
Influencer
‎11-05-2012 01:08 AM

I had a "weird" (well I thought so until I saw this) use-case, that involved modifying lookups from Splunkweb...

Basically you will need to follow these steps (well this is how I got a solution):

  1. Write a python script to interact with the file
  2. Create/Edit a commands.conf file in your Splunk App
  3. Write a search query to take user input from text box

To give some more detail on this...

You will need to write a python script that will take standard system arguments (i.e. "sys.argv[n]") and apply them to the file of choice. If you a not familiar with writing Python scripts, it is quite an easy language to grasp the basics that you will need for this task. You should look at the following sources for support, if you need them:

http://stackoverflow.com/
http://www.python.org/doc/
http://docs.python.org/tutorial

You will need to make sure that you are writing your script for Python version 2.7, as this is the version that Splunk is using.

Once you have the script written and tested. You will need to create a command.conf file in your app's directory (e.g. "$SPLUNK_HOME/etc/apps/<yourApp>/local/commands.conf"). This will be the method for informing Splunk that you have written a new script for it to use. The following is a simple example of how this may be setup, but you may wish to look at the spec file for more potential:

[yourCommand]
filename = /path/to/you/command.py

The following resources, can help here:

http://docs.splunk.com/Documentation/Splunk/5.0/admin/Commandsconf
http://docs.splunk.com/Documentation/Splunk/4.3.3/Developer/SearchScripts

You will then need to restart Splunk to apply these changes.

Now you will need to create a form that will handle the user's input. This view will include a the use of your script/command, "yourCommand", where you would use the user input (e.g. in the form xml, this would be something like "$foo$"). The following links would be able to help here:

http://docs.splunk.com/Documentation/Splunk/4.3.1/Developer/Step1CreateAForm
http://docs.splunk.com/Documentation/Splunk/4.3.1/Developer/AdvancedFormSearch

You should then be good to go.

View solution in original post

Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎11-07-2012 05:23 PM

I just thought I'd post a note here. I'm working on a new interface in Sideview Utils called Lookup Updater, and the next version of it should have create/update/delete for rows in existing lookups. As well as a way to just reupload a full fresh copy of the entire lookup from a local CSV. I'll try and repost when it's up but I'm shooting for next week.

Cheers.

Reply
Solved! Jump to solution

alexiri
Communicator
‎12-03-2012 06:20 AM

You, sir, are a god.

0 Karma
Reply
Solved! Jump to solution

sideview
SplunkTrust
SplunkTrust
‎11-25-2012 09:16 PM

It actually released, in prototype form at least, as a part of Sideview Utils 2.2.6... Try it out and let me know if you hit any problems. I fully expect to rev it again this week so please find things wrong with it. The view name is update_lookup and there's a link to it from the "tools" page.

Reply
Solved! Jump to solution

lukeh
Contributor
‎11-25-2012 06:22 PM

any luck with Lookup Updater? super keen 🙂

0 Karma
Reply
Solved! Jump to solution

qkwltk
Path Finder
‎11-07-2012 09:19 PM

Thanks to your comment! 😄

I wonder Some Detail points that

  1. when I using updated sideview util?
  2. Is it have a cost?
  3. We have no time to develop.. So could you give me some advice to develop?

Thanks to your kindness again, and I look forward to your answer ^^ Bye~

0 Karma
Reply
Solved! Jump to solution
Solution

MHibbin
Influencer
‎11-05-2012 01:08 AM

I had a "weird" (well I thought so until I saw this) use-case, that involved modifying lookups from Splunkweb...

Basically you will need to follow these steps (well this is how I got a solution):

  1. Write a python script to interact with the file
  2. Create/Edit a commands.conf file in your Splunk App
  3. Write a search query to take user input from text box

To give some more detail on this...

You will need to write a python script that will take standard system arguments (i.e. "sys.argv[n]") and apply them to the file of choice. If you a not familiar with writing Python scripts, it is quite an easy language to grasp the basics that you will need for this task. You should look at the following sources for support, if you need them:

http://stackoverflow.com/
http://www.python.org/doc/
http://docs.python.org/tutorial

You will need to make sure that you are writing your script for Python version 2.7, as this is the version that Splunk is using.

Once you have the script written and tested. You will need to create a command.conf file in your app's directory (e.g. "$SPLUNK_HOME/etc/apps/<yourApp>/local/commands.conf"). This will be the method for informing Splunk that you have written a new script for it to use. The following is a simple example of how this may be setup, but you may wish to look at the spec file for more potential:

[yourCommand]
filename = /path/to/you/command.py

The following resources, can help here:

http://docs.splunk.com/Documentation/Splunk/5.0/admin/Commandsconf
http://docs.splunk.com/Documentation/Splunk/4.3.3/Developer/SearchScripts

You will then need to restart Splunk to apply these changes.

Now you will need to create a form that will handle the user's input. This view will include a the use of your script/command, "yourCommand", where you would use the user input (e.g. in the form xml, this would be something like "$foo$"). The following links would be able to help here:

http://docs.splunk.com/Documentation/Splunk/4.3.1/Developer/Step1CreateAForm
http://docs.splunk.com/Documentation/Splunk/4.3.1/Developer/AdvancedFormSearch

You should then be good to go.

Reply
Solved! Jump to solution

qkwltk
Path Finder
‎11-07-2012 04:30 PM

Sorry, I can't express the situation well..

*The Point is , User's input data( such as like word, apple, juice, any other word,) is stored in /etc/apps/[myapp]/lookup/mylookupfile.csv

*User's input data is writable in the splunk dashboard

Thanks to your help! 🙂

0 Karma
Reply
Solved! Jump to solution

MHibbin
Influencer
‎11-07-2012 01:39 AM

Hi, I'll have to apologise, however I don't understand your question.

0 Karma
Reply
Solved! Jump to solution

qkwltk
Path Finder
‎11-06-2012 09:30 PM

Hi! How is your Day? 😄
Reading your appreciate Data, I have a question

"myscript.py" script is doing work when sourcetype or index data is kept
ex) index=* | myscript | stats func(field)..

Just I want that..

  1. when user put the data in splunk web Dashboard Panel,
  2. data saved and modified /etc/apps/[myapp]/lookups/mylookup.csv -> some data is changing my new data
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Splunk Enterprise Security 8.0 revolutionizes the SOC workflow experience from the ground up. Now security ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...