Splunk Dev

In Splunk, is it possible for users to write and edit a data form (similar to Google/Excel spreadsheet) for later analysis?

chanduira
Explorer

Hi Experts,

I want to allow users to feed data over the Splunk portal, like how people feed data on a Google online spreadsheet.

Later I will use this data to do analysis.

Is there any option to enable this type of feature in Splunk?

0 Karma

niketn
Legend

You can try exploring the Lookup File Editor App on Splunkbase. It is not Splunk Certified or Supported; however, the app is supported on Splunk Enterprise versions 6.1 through 6.5.

This app will allow you to edit and save CSV as lookup table to Splunk similar to the way Excel is used.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

arkadyz1
Builder

First of all, understand that Splunk's data are immutable. Once the event is in, you cannot change it anymore. It's a WORM (Write Once, Read Many) data repository. So editing data, like Google Docs allows you to do, is against Splunk's nature, and I would mark it "impossible" for most intents and purposes.

However, if you want to save a user's input as an event, you can do that in a variety of ways. The form you use does not have to be in Splunk - in fact, it will be easier to have it separately somewhere. Then, once the input is complete and the user presses something like a "Submit" button, you can form the event - with timestamp and fields, best done in timestamp, name=value format, comma or space separated - and send it over.

So where to "send it over"? On the Splunk side, you can create a TCP or UDP data input which would listen on a port of your choice where you would then send your data. The index, sourcetype and other metadata would be determined by your inputs.conf (the input can be created interactively via Splunk Web). If you want more control on your online form side, take a look at HttpEventCollector - it's a relatively new but immensely useful feature.

0 Karma
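An added example, not part of the original post and not Splunk's own code: one way to turn a submitted form into the single-line name=value event described above and wrap it in an HTTP Event Collector request. The URL, token, sourcetype `web_form`, index `main` and the function names are placeholders or assumptions; the request is built but not sent. Because the values come from end users, newlines and double quotes are neutralised so a submission cannot split into a second event or forge extra fields.

```python
import json
import re
import urllib.request

# Placeholders (assumptions): substitute your own HEC endpoint and token.
HEC_URL = "https://splunk.example.com:8088/services/collector/event"
HEC_TOKEN = "00000000-0000-0000-0000-000000000000"

_KEY_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def kv_event(fields):
    """Render form fields as one line of name="value" pairs."""
    parts = []
    for name, value in fields.items():
        if not _KEY_RE.match(name):
            raise ValueError(f"bad field name: {name!r}")
        # Collapse CR/LF so user input cannot start a second event.
        text = re.sub(r"[\r\n]+", " ", str(value))
        # Replace double quotes so a value cannot close its quoting
        # and forge another name=value pair.
        text = text.replace('"', "'")
        parts.append(f'{name}="{text}"')
    return ", ".join(parts)


def hec_request(fields, epoch, sourcetype="web_form", index="main"):
    """Build (not send) the HEC POST for one form submission."""
    body = {"time": epoch, "sourcetype": sourcetype, "index": index,
            "event": kv_event(fields)}
    return urllib.request.Request(
        HEC_URL, data=json.dumps(body).encode("utf-8"), method="POST",
        headers={"Authorization": f"Splunk {HEC_TOKEN}",
                 "Content-Type": "application/json"})


if __name__ == "__main__":
    # Constructed sample submission with an injection attempt in one value.
    form = {"user": "alice", "comment": 'ok"\nadmin="true'}
    req = hec_request(form, 1700000000)
    print(req.data.decode())
    # urllib.request.urlopen(req, timeout=5) would deliver it to Splunk.
```

The string returned by `kv_event` can also be written, prefixed with a timestamp and followed by a newline, to a TCP data input instead of HEC.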

somesoni2
Revered Legend

Splunk is essentially not a data entry tool. Could you provide more details on what (why) you're trying to do in Splunk?

0 Karma