Splunk Search

User defined inputs for a field in splunk

Chandras11
Communicator

Hi,

I have a situation, where user/admin need to verify if the event should be taken into consideration or not.
In excel, I have a field where user/admin can put YES or NO values. By default, all values are YES but if user disagrees, the field value can be changed to NO.

Is it possible in Splunk to eval or create a field with boolean YES/NO, which can be changed by user/admin? Or if there is any other way to do this.

Thanks a lot for your time and help.


niketn
Legend

@chandras11, ideally you should look into setting up Workflow Actions if your decision is based on Events.
An option for you to perform such kind of operation within Splunk would be to setup a KV Store where a form can be setup for Users/Admins to update the value while everyone can read the value through lookup commands similar to CSV.

PS: This can also be done via a CSV lookup file. However, details on that can be provided based on further information as to what kind of events you are looking at and under what circumstances the value should be changed. How is this Yes/No mapped to events and what does it indicate?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

Chandras11
Communicator

Thanks a lot for this info.
I have the whole incident tickets index (1000+ on a monthly basis), and I want to check which of the rejected tickets (100+ on a monthly basis) can be invoiced or not. The User/Admin needs to go through the various fields (already included in the event) and then decide if the tickets should be invoiced or not.
Therefore the question was how to add a user-defined input field for all selected events and then use this field for further calculations.


PowerPacked
Builder

Hi @Chandras11

Add the CSV file to Splunk through Settings > Lookups > Lookup table files.

Use the lookup command to add the field with YES/NO to every event,

ex: your search | lookup 123.csv host as hostname output fieldyesno

Finally, filter the events by adding fieldyesno=YES or fieldyesno=NO to the search, as per your wish.

Please go through this lookup documentation, it will be helpful:

http://docs.splunk.com/Documentation/Splunk/7.1.0/SearchReference/Lookup

Thanks
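The lookup-and-filter flow described in the answers above, written out as an added Python example (not code from the thread or from Splunk) so the join semantics can be checked offline. It stands in for the SPL pipeline `... | lookup tickets.csv ticket_id AS ticket OUTPUT invoice | fillnull value=YES invoice | search invoice=YES`; the file name and the field names ticket_id, ticket, invoice, cost are assumptions for the illustration. The case it deliberately covers is the one the original poster's "default is YES" requirement trips over: an event whose key has no row in the lookup file gets no output field at all, so a plain `invoice=YES` filter silently drops it unless the default is applied explicitly.

```python
import csv
import io

# Constructed sample lookup file, standing in for the CSV uploaded under
# Settings > Lookups > Lookup table files. ticket_id is the lookup key and the
# user/admin edits the invoice column by hand. Field names are assumptions.
LOOKUP_CSV = """ticket_id,invoice
INC-1001,YES
INC-1002,NO
INC-1003,YES
"""

# Constructed sample events, standing in for the rejected-ticket search results.
# INC-1004 has no row in the lookup, which is the case to watch for.
EVENTS = [
    {"ticket": "INC-1001", "status": "rejected", "cost": 120},
    {"ticket": "INC-1002", "status": "rejected", "cost": 300},
    {"ticket": "INC-1003", "status": "rejected", "cost": 80},
    {"ticket": "INC-1004", "status": "rejected", "cost": 55},
]


def load_lookup(csv_text, key_field):
    """Parse the lookup CSV into {key: row}, like a Splunk CSV lookup table."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row[key_field]: row for row in reader}


def apply_lookup(events, table, lookup_key, event_key, output_field):
    """Mirror `| lookup file lookup_key AS event_key OUTPUT output_field`.

    Events whose key is not in the table get no output field at all, which is
    how Splunk leaves unmatched events. Matching is exact, like the default
    case-sensitive CSV lookup.
    """
    enriched = []
    for ev in events:
        row = dict(ev)
        match = table.get(ev.get(event_key))
        if match is not None:
            row[output_field] = match[output_field]
        enriched.append(row)
    return enriched


def fill_default(events, field, default):
    """Mirror `| fillnull value=default field`: unmatched events get the default."""
    return [{**ev, field: ev.get(field, default)} for ev in events]


def invoiceable(events, field="invoice"):
    """Mirror the final filter `| search invoice=YES`."""
    return [ev for ev in events if ev.get(field) == "YES"]


def run(default="YES"):
    """Full pipeline: lookup, apply the default, filter."""
    table = load_lookup(LOOKUP_CSV, "ticket_id")
    enriched = apply_lookup(EVENTS, table, "ticket_id", "ticket", "invoice")
    # Without the fillnull step INC-1004 would vanish from the YES set even
    # though nobody ever marked it NO; the default has to be applied explicitly.
    return invoiceable(fill_default(enriched, "invoice", default))


if __name__ == "__main__":
    for ev in run():
        print(ev["ticket"], ev["invoice"], ev["cost"])
```

Because the lookup file becomes the record of a billing decision, it is worth treating it as such: keep write access to the lookup table file limited to the users who are supposed to change the YES/NO value (Splunk lookup table files carry their own sharing and permission settings), and keep the search that consumes it read-only. A KV Store lookup, as niketn suggests, gives the same join semantics with per-row edits instead of re-uploading the whole CSV.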
