Dashboards & Visualizations

dashboard can add value to lookup through submit button.,,,Need a button to remove from lookup (so users can blacklist and whitelist servers)

spluzer
Communicator

Hey Splunksters,

Noob here. I have a dashboard that can add values (server names) to a lookup so users can easily blacklist servers. The xml below works. However, I need to add a button so the user can remove the server from the blacklist when they are finished. Any thoughts? Thanks!

<form>
  <label>Dashboard Blacklist Toggle</label>
  <fieldset submitButton="true" autoRun="false">
    <input type="text" token="hostname">
      <label>Host</label>
    </input>
  </fieldset>
  <row rejects="$field1$">
    <panel>
      <table>
        <search>
          <query>| inputlookup alert_blist.csv | table host</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
  <row depends="$field1$">
    <panel>
      <table>
        <search>
          <query>| inputlookup alert_blist.csv | append [ | makeresults | eval host="$hostname$"| fields - _time ] |  table host  | outputlookup alert_blist.csv</query>
          <earliest>-24h@h</earliest>
          <latest>now</latest>
        </search>
        <option name="drilldown">none</option>
        <option name="refresh.display">progressbar</option>
      </table>
    </panel>
  </row>
</form>
Tags (3)
0 Karma
1 Solution

woodcock
Esteemed Legend

You don't need a button, just create a drilldown with SPL like this:

| inputlookup alert_blist.csv
| search NOT $click.name$=$click.value$
| outputlookup alert_blist.csv

Check out the Dashboard Examples app for how to build the drilldown.

View solution in original post

woodcock
Esteemed Legend

You don't need a button, just create a drilldown with SPL like this:

| inputlookup alert_blist.csv
| search NOT $click.name$=$click.value$
| outputlookup alert_blist.csv

Check out the Dashboard Examples app for how to build the drilldown.

spluzer
Communicator

Thanks again. So, I implemented the click to remove drilldown. However, it seems to delete the entire lookup. Moreover, it redirects to a new page. Is there a way to just add another button? rather than drilldown click?

Dashboard Blacklist Toggle test

<input type="text" token="hostnamet" searchWhenChanged="true">
  <label>Host</label>
</input>


<panel>
  <table>
    <search>
      <query>| inputlookup alert_tblist.csv | table host</query>
      <earliest>-24h@h</earliest>
      <latest>now</latest>
    </search>
    <option name="drilldown">cell</option>
     <option name="refresh.display">progressbar</option>
    <drilldown>
      <link target="_self">search?q=%7C%20inputlookup%20alert_tblist.csv%20%0A%7C%20search%20NOT(host=%22$click.host$%22)%0A%7C%20outputlookup%20alert_tblist.csv&amp;earliest=-24h@h&amp;latest=now</link>
    </drilldown>
  </table>
</panel>


<panel>
  <table>
    <search>
      <query>| inputlookup alert_tblist.csv | append [ | makeresults | eval host="$hostnamet$"| fields - _time ] |  table host  | outputlookup alert_tblist.csv</query>
      <earliest>-24h@h</earliest>
      <latest>now</latest>
    </search>
    <option name="drilldown">none</option>
    <option name="refresh.display">progressbar</option>
  </table>
</panel>
0 Karma

woodcock
Esteemed Legend

I made a slight mistake. It should be NOT $click.name$=$click.value$; the answer has been edited and updated.

0 Karma

spluzer
Communicator

Thanks again for your help! Ok soooo, It technically works. However, clicking the hosts redirects to a new page, that runs the query, but only after you select "run" on a splunk outputlookup warning page as follows:

Warning

The search you are about to run contains commands that might present a security risk. The commands are: outputlookup

Do you want to investigate the search string?|

CANCEL RUN INVESTIGATE

. Its weird, because I use outputlookup frequently in other context (like a dropdown for instance) and it doesn't require me to select run from a warning pop-up...Anybody else seen this. Is there a way to stay on the same page (prevent redirect) after clicking the host the user wants to remove?

0 Karma

woodcock
Esteemed Legend

Yes, that is annoying; disable it like this:
https://docs.splunk.com/Documentation/Splunk/latest/Security/SPLsafeguards#Turning_off_the_warning

Be sure to come back and click Accept to close the question.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

Here's an untested option.

| inputlookup alert_blist.csv | search NOT [ | makeresults | eval host="$hostname$"| fields host ] |  table host  | outputlookup alert_blist.csv
---
If this reply helps you, Karma would be appreciated.
0 Karma

spluzer
Communicator

Thanks. I think I see your logic. However, I can't figure out how to "plug " it in to the xml. Forgive me, I'm stooopid.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...