Splunk Search

Manual Input Form

gabarrygowin
Path Finder

Hi all,

Well a long night and day of reading about every post on forms and manual input to no avail.

I'm looking for a way to have my ops team input their daily checks from a Splunk dashboard (vice uploading the form daily from SharePoint).

Here's my code, but the submit button just doesn't do anything to get selected data into the indexes.

"





<![CDATA[ | inputlookup splunkcheckadmins.csv | fields "AdministratorName" | dedup "AdministratorName" ]]>





<![CDATA[ | inputlookup checkperformed.csv | fields "CheckPerformed" | dedup "CheckPerformed" ]]>




Checktype="
"
Daily
Daily
Weekly
Monthly



Check="
"
Complete, No Issues noted
Complete, No Issues noted
Complete, Issue Identified
Not Completed




Chart of Daily Checks

index=* "Splunk" AND ("Completed" OR "Not Completed") | timechart count
-24h@h
now

column


Table of Events for user="$username$" and $source$

index=_internal user=$username$ $source$ | table _time, user, sourcetype, _raw
-24h@h
now

true
true
none
row
5


"

Thoughts?

Thanks for reading!

0 Karma

gabarrygowin
Path Finder

Update:

Got things mostly working, just need help setting current user into a text field (vice current dropbox).

"***

S&I System Checks

<input type="dropdown" token="Administrator">

  <label>Administrator Performing Check:</label>

  <search>

    <query>| inputlookup splunkcheckadmins.csv | fields "Administrator" | dedup "Administrator"</query>

  </search>

  <fieldForLabel>Administrator</fieldForLabel>

  <fieldForValue>Administrator</fieldForValue>

  <prefix>Administrator="</prefix>

  <suffix>"</suffix>

</input>

<input type="dropdown" token="CheckPerformed">

  <label>System or Item Checked:</label>

  <search>

    <query>| inputlookup checkperformed.csv | fields "CheckPerformed" | dedup "CheckPerformed"</query>

  </search>

  <fieldForLabel>CheckPerformed</fieldForLabel>

  <fieldForValue>CheckPerformed</fieldForValue>

  <prefix>CheckPerformed="</prefix>

  <suffix>"</suffix>

</input>

<input type="radio" token="CheckType">

  <label>Select Checktype:</label>

  <default>Daily</default>

  <choice value="Daily">Daily</choice>

  <choice value="Weekly">Weekly</choice>

  <choice value="Monthly">Monthly</choice>

  <prefix>CheckType="</prefix>

  <suffix>"</suffix>

</input>

<input type="radio" token="CheckStatus">

  <label>Check Status:</label>

  <default>Complete, No Issues noted</default>

  <choice value="Complete, No Issues noted">Complete, No Issues noted</choice>

  <choice value="Complete, Issue Identified and being worked">Complete, Issue Identified</choice>

  <choice value="Not Completed">Not Completed</choice>

  <prefix>CheckStatus="</prefix>

  <suffix>"</suffix>

</input>





<panel>

  <table>

    <search>

      <query>|makeresults |eval _time=now() | eval $Administrator$ |eval $CheckPerformed$  | eval $CheckType$ | eval $CheckStatus$ | table _time, Administrator, CheckPerformed, CheckType, CheckStatus | outputlookup append=true GenAtomicsCheck.csv</query>

      <earliest>$earliest$</earliest>

      <latest>$latest$</latest>

    </search>

    <option name="count">10</option>

    <option name="refresh.display">progressbar</option>

  </table>

</panel>





<panel>

  <table>

    <search>

      <query>| inputlookup GenAtomicsCheck.csv | stats count by _time, Administrator, CheckPerformed, CheckStatus, CheckType | sort - _time | fields - count</query>

      <earliest>@d</earliest>

      <latest>now</latest>

      <refresh>1m</refresh>

      <refreshType>delay</refreshType>

    </search>

    <option name="count">20</option>

    <option name="refresh.display">none</option>

  </table>

</panel>

<panel>

  <single>

    <search>

      <query>| inputlookup GenAtomicsCheck.csv | chart count as CheckPerformed</query>

      <earliest>@d</earliest>

      <latest>now</latest>

      <refresh>1m</refresh>

      <refreshType>delay</refreshType>

    </search>

    <option name="colorMode">block</option>

    <option name="rangeColors">["0xd93f3c","0xf7bc38","0x65a637"]</option>

    <option name="rangeValues">[2,19]</option>

    <option name="refresh.display">none</option>

    <option name="useColors">1</option>

    <option name="useThousandSeparators">1</option>

  </single>

</panel>

***"

0 Karma
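
Added example, not part of the original posts or Splunk's own code: one way to record the administrator from the logged-in session with Simple XML's `$env:user$` token instead of a selectable dropdown, passing every input through the `|s` token filter so each value is quoted and escaped before it reaches SPL. The `<form>`/`<fieldset>`/`<row>` wrappers and the `submitButton` setting are assumptions; the lookup and field names are the ones used in the thread.

```xml
<form>
  <label>S&amp;I System Checks</label>
  <!-- Assumed wrapper: tokens are only submitted when the Submit button is clicked -->
  <fieldset submitButton="true" autoRun="false">
    <input type="dropdown" token="CheckPerformed">
      <label>System or Item Checked:</label>
      <search>
        <query>| inputlookup checkperformed.csv | fields CheckPerformed | dedup CheckPerformed</query>
      </search>
      <fieldForLabel>CheckPerformed</fieldForLabel>
      <fieldForValue>CheckPerformed</fieldForValue>
    </input>
    <input type="radio" token="CheckType">
      <label>Select Checktype:</label>
      <default>Daily</default>
      <choice value="Daily">Daily</choice>
      <choice value="Weekly">Weekly</choice>
      <choice value="Monthly">Monthly</choice>
    </input>
    <input type="radio" token="CheckStatus">
      <label>Check Status:</label>
      <default>Complete, No Issues noted</default>
      <choice value="Complete, No Issues noted">Complete, No Issues noted</choice>
      <choice value="Complete, Issue Identified and being worked">Complete, Issue Identified</choice>
      <choice value="Not Completed">Not Completed</choice>
    </input>
  </fieldset>
  <row>
    <panel>
      <table>
        <search>
          <!-- $env:user$ is set by Splunk to the logged-in username, so it is not a form choice.
               The |s filter wraps a token value in quotes and escapes quotes inside it,
               replacing the prefix/suffix pairs that built raw eval fragments. -->
          <query>| makeresults
| eval _time=now(), Administrator=$env:user|s$, CheckPerformed=$CheckPerformed|s$
| eval CheckType=$CheckType|s$, CheckStatus=$CheckStatus|s$
| table _time, Administrator, CheckPerformed, CheckType, CheckStatus
| outputlookup append=true GenAtomicsCheck.csv</query>
        </search>
        <option name="count">10</option>
      </table>
    </panel>
  </row>
</form>
```

Anyone who can open the dashboard and has write permission on `GenAtomicsCheck.csv` can append rows, so the lookup's permissions decide who is able to record a check.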

tiagofbmm
Influencer

Please let me know if the answer was useful for you. If it was, accept it and upvote. If not, give us more input so we can help you with that.

0 Karma

gabarrygowin
Path Finder

Hi!

Thanks for the response, had to step away from this for a day.

How's this? Yes, trying to provide a simple form that people use to select a couple items and submit the selected data to Splunk. Not really concerned which index.

S&I System Checks

<input type="dropdown" token="AdministratorName">

  <label>Administrator Performing Check:</label>

  <search>

    <query>| inputlookup splunkcheckadmins.csv | fields "AdministratorName" | dedup "AdministratorName"</query>
  </search>

  <fieldForLabel>AdministratorName</fieldForLabel>

  <fieldForValue>AdministratorName</fieldForValue>

</input>

<input type="dropdown" token="CheckPerformed">

  <label>System or Item Checked:</label>

  <search>

    <query>| inputlookup checkperformed.csv | fields "CheckPerformed" | dedup "CheckPerformed"</query>

  </search>

  <fieldForLabel>CheckPerformed</fieldForLabel>

  <fieldForValue>CheckPerformed</fieldForValue>

</input>

<input type="radio">

  <label>Select Checktype:</label>

  <prefix>Checktype="</prefix>

  <suffix>"</suffix>

  <default>Daily</default>

  <choice value="Daily">Daily</choice>

  <choice value="Weekly">Weekly</choice>

  <choice value="Monthly">Monthly</choice>

</input>

<input type="radio">

  <label>Check Status:</label>

  <prefix>Check="</prefix>

  <suffix>"</suffix>

  <default>Complete, No Issues noted</default>

  <choice value="Complete, No Issues noted">Complete, No Issues noted</choice>

  <choice value="Complete, Issue Identified and being worked">Complete, Issue Identified</choice>

  <choice value="Not Completed">Not Completed</choice>

</input>
0 Karma

tiagofbmm
Influencer

Hi

Help me understand. Do you want to create a dashboard that has a table where people fill some things in it and then collect that data into a specific index?

Could you clean up the way you show your code so it is understandable what is going on where?

0 Karma