Insert data through a form/view?

cycheng · ‎08-27-2013

Is it possible that splunk read data through a view and after I click submit button, it will pull the data into a index? How can I do that?

jpass · ‎11-01-2013

I do something like this to allow users to submit comments / ratings / observations about events. The basic idea is that you create a 'custom command' which is a script that process the input of a search. The input is generated within a view (text box or other form selections). The values are submitted to a search module which makes the call to the custom command.

so a basic diagrammy thing:

view
form fields
submit button
search -
| eval value1=$formfield1$ | eval value2=$formfield2$ |

The custom command refers to a script, perl in my case, that resides in $splunk_home$/etc/apps/my_app/bin. This script simply reads the input from the search and writes the data. I write data to a database which I then create a scripted input in order to have splunk monitor and index those user submitted events. You might prefer to use a 'lookup' if the data is more supplemental to your existing events rather then separate events.

I write to a database but you could easily just write to a csv that is being monitored or is being used as a lookup table.

rturk · ‎08-27-2013

As far as I know, this functionality is not supported out of the box. Data onboarding best-practice typically involves examining the data away from Splunk before loading it in.

Uploading a file via the Manager console (Manager » Add data » A file or directory of files) is probably the closest you'll get to what your after when you use it conjunction with the "Preview data before indexing" used. There's a few button clicks involved, but it does what you're after.

Insert data through a form/view?

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?