Splunk Search

Is it possible to create a field in Splunk based off a user's input?

ashnet16
Path Finder

Example: I want the user to enter a domain name and I want the report to perform a search based on the user's input? Any info would help. Could this be done using the web framework?

1 Solution

alacercogitatus
SplunkTrust
SplunkTrust

Woe be to you! that heeds not the postulation and cogitation of the Ancients! For they devised the language of our Splunktonian Utopian society! They have thus updated our culture with such wondrous merriment that is said to be "Simple XML Forms"! Only in versions 6.1 and more, shall ye find the verbalized form of unicorn tears. And here! The Scribes have documented for all generations the proper incantations to be used: http://docs.splunk.com/Documentation/Splunk/6.1.3/Viz/Buildandeditforms#Basic_form_example. BEHOLD! THE USER IS POWERFUL ONCE AGAIN!

View solution in original post

wpreston
Motivator

Sure this can be done, and you can do it through the dashboard GUI if you're using Splunk 6.1.x:

  1. In the Dashboard GUI, select the Add Input button and select "Text".
  2. Click the pencil icon on the Text field you just created.
  3. Put a value in the "Label" field, for instance "Enter the desired domain name", and enter a value in the Token field, for instance UserSuppliedDomain, then click apply.
  4. Add a new panel with your search in it. In the part of your search in which you want to substitue the user's input, use $Token_Name$. So for what I used above, I would put $UserSuppliedDomain$. A partial example of the search might look like this:

    ... domain=$UserSuppliedDomain$ ...

That's it, the search should automagically substitute the value the user input for the value in the search that creates the panel. See
the docs here for more information.

ashnet16
Path Finder

Thanks!!! Very helpful!

alacercogitatus
SplunkTrust
SplunkTrust

Woe be to you! that heeds not the postulation and cogitation of the Ancients! For they devised the language of our Splunktonian Utopian society! They have thus updated our culture with such wondrous merriment that is said to be "Simple XML Forms"! Only in versions 6.1 and more, shall ye find the verbalized form of unicorn tears. And here! The Scribes have documented for all generations the proper incantations to be used: http://docs.splunk.com/Documentation/Splunk/6.1.3/Viz/Buildandeditforms#Basic_form_example. BEHOLD! THE USER IS POWERFUL ONCE AGAIN!

RicoSuave
Builder

this hath to be the most epic answereth ev'r. thou sir art a winn'r!

ashnet16
Path Finder

Greatest answer ever!

wpreston
Motivator

kudos, a much more entertaining answer 🙂

Get Updates on the Splunk Community!

New Dates, New City: Save the Date for .conf25!

Wake up, babe! New .conf25 dates AND location just dropped!! That's right, this year, .conf25 is taking place ...

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud

Introduction to Splunk Observability Cloud - Building a Resilient Hybrid Cloud  In today’s fast-paced digital ...

Observability protocols to know about

Observability protocols define the specifications or formats for collecting, encoding, transporting, and ...