Why can't I push my data to a lookup table from a button?

robertlynch2020
Influencer

Hi,

I am trying to push data to a lookup table from a button.

<html>
  <button class="btn" data-token-json="{&quot;|index=main | head 1 | table _time | outputlookup JMAP_BUTTON.csv&quot;}">JMAP_HISTO</button>
</html>

But nothing is happening... not sure

I have a more complex example, and it works there:

<html>
  <button class="btn" data-token-json="{&quot;execute_save_test&quot;:&quot;| eventstats max(ID) as max_ID | eval ID = if(isnull(ID),max_ID + 1,ID) | fields - max_ID | dedup ID | outputlookup Saved_Tests.csv&quot;, &quot;saved_test&quot;: true}">Save new test</button>
</html>
0 Karma
1 Solution

robertlynch2020
Influencer

Hi

I think I got to the bottom of this.

So I think it is not possible to run this query from a button; this is why it was not working.
It is possible to set a token (SET_TOKEN_TO_BE_USED) from the button and then use that token in a query that will re-run when the token is set, giving the effect that the button is working.

For example, I set my token SET_TOKEN_TO_BE_USED to the SPL that I want:

<html>
  <button class="btn" data-token-json="{&quot;SET_TOKEN_TO_BE_USED&quot;:&quot;| SPL_THAT_I_WANT_TO_RUN_WHEN_BOTTON_IS_PRESSED&quot;}">DEMO_BUTTON</button>
</html>

NEW QUERY (That will run when SET_TOKEN_TO_BE_USED is updated)

<table depends="$never_show$">
  <search>
    <query>$SET_TOKEN_TO_BE_USED$</query>
    <done>
    </done>
  </search>
</table>

I will 100% apply this solution and get back with an update

Rob


gmorris_splunk
Splunk Employee

Did this work? @robertlynch2020

0 Karma

woodcock
Esteemed Legend

I agree with @p_gurav; remove the pipe ( | ) before | index=main. That should do it.

0 Karma

robertlynch2020
Influencer

Woodcock - happy new year 🙂 Thanks for the info, but this did not work; I posted an answer.

0 Karma

p_gurav
Champion

Try removing | before index=main

0 Karma

robertlynch2020
Influencer

Thanks, but this did not work; I posted an answer.

0 Karma

Vijeta
Influencer

Does your lookup have a field with the name _time?

0 Karma

robertlynch2020
Influencer

Sorry for the delay.

I can run the command from SPL and it works fine for me:

|index=main | head 1 | table _time | outputlookup JMAP_BUTTON.csv

I can open the .csv file and I can see it is updated correctly.
The issue is getting it to run when I press the button. Am I missing something?

0 Karma

efavreau
Motivator

There is no command named index. So you aren't doing "| index=foo" in SPL, you're dropping the pipe. The details between the examples are not 1 for 1. Your complex example starts with {&quot;execute_save_test&quot;:&quot; and ends &quot;, &quot;saved_test&quot;: true}.
I would double check your syntax between your examples. I tried to reproduce both examples and neither worked for me.

###

If this reply helps you, an upvote would be appreciated.
0 Karma
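
Following the suggestion above to double-check the syntax of the two buttons, here is an added example (not code from any poster in this thread) that lints data-token-json values before a dashboard is deployed. It assumes the dashboard's custom click handler, which is not shown in the thread, JSON-parses the attribute into an object of token names and values; checkTokenJson, decodeEntities and the sample constant names are hypothetical.

```javascript
// Added example, not code from the thread. Assumption: the dashboard's custom
// click handler JSON-parses data-token-json into {tokenName: value, ...}.
function decodeEntities(s) {
  return s.replace(/&quot;/g, '"').replace(/&lt;/g, '<')
          .replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

function checkTokenJson(attr) {
  const result = { ok: false, tokens: {}, writesLookup: [], problems: [] };
  let parsed;
  try {
    parsed = JSON.parse(decodeEntities(attr));
  } catch (err) {
    result.problems.push('not valid JSON: ' + err.message);
    return result;
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    result.problems.push('expected a JSON object of token name -> value');
    return result;
  }
  for (const [name, value] of Object.entries(parsed)) {
    // Heuristic: a key containing a pipe or whitespace is SPL pasted as a name.
    if (/[|\s]/.test(name)) result.problems.push('key looks like SPL: ' + name);
    // Tokens whose SPL writes a lookup deserve a second look in review.
    if (typeof value === 'string' && /\|\s*outputlookup\b/i.test(value)) {
      result.writesLookup.push(name);
    }
  }
  result.tokens = parsed;
  result.ok = result.problems.length === 0;
  return result;
}

// Attribute values copied from the question's two buttons.
const FIRST_BUTTON = '{&quot;|index=main | head 1 | table _time | outputlookup JMAP_BUTTON.csv&quot;}';
const SECOND_BUTTON = '{&quot;execute_save_test&quot;:&quot;| eventstats max(ID) as max_ID | eval ID = if(isnull(ID),max_ID + 1,ID) | fields - max_ID | dedup ID | outputlookup Saved_Tests.csv&quot;, &quot;saved_test&quot;: true}';
// Constructed sample: SPL used as the key, with a value attached.
const SPL_AS_KEY = '{&quot;| inputlookup JMAP_BUTTON.csv&quot;: true}';

for (const [label, attr] of [['first', FIRST_BUTTON], ['second', SECOND_BUTTON], ['constructed', SPL_AS_KEY]]) {
  const r = checkTokenJson(attr);
  console.log(label, r.ok ? 'OK' : 'REJECTED', r.problems, 'writes lookup:', r.writesLookup);
}
```

The first button's value is rejected because it is an object with a key and no value, while the second parses into two tokens, one of which carries SPL ending in outputlookup.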