Be Nice To Your Users ... And Your Lookups!



In today's blog I will describe a method that we recently used at a customer site in order to solve a problem for a portion of their Splunk user base. This group does consist of frequent and avid users of Splunk, however they have a fairly low permission level and for the most part, are not the most tech-savvy. Their use of Splunk is limited to only one app and the pre-built dashboards within it. 

The requirement for this user group was as follows: They wanted a lookup table where they could enter some notes for specific product ids. They also wanted this lookup to capture the user who made the note and the time and date of the note. This lookup table would then be used in other dashboards. 

Our task boiled down to providing a way that these users could add to or update a lookup table via a dashboard in their custom app. We certainly did not want to elevate their access level within Splunk, and above all, our primarly goal was to make this as easy as possible for the users.

Our Method

We decided to make a form that would have 2 text boxes. Here the user would enter the product number and their comment. When they clicked submit on the form it would then run a search that would both update the lookup table based on the user's entry, and it would display out the contents of the table. 

The search itself does a few unique things to meet their requirements from above:

  1. The two form fields are captured as tokens and used as values to be added to the lookup table.
  2. It captures the current time and adds it to the lookup table.
  3. It contains a subsearch/join which utilizes a REST call to pull back the Splunk user who is logged in and making the lookup change. This is added to the lookup table.
  4. An inputlookup (append=true) is run, followed by a dedup on the product number. This is done in order to eliminate duplicate entries for product numbers. The latest entered values for a specific product number will be all that is saved into the lookup table.
  5. An outputlookup is run to update the lookup table.


  <label>Product Notes - Lookup Updater</label> 
  <fieldset autoRun="false" submitButton="true"> 
    <input type="text" token="prod_num" searchWhenChanged="false"> 
      <label>Enter Product Number:</label> 
        <input type="text" token="user_comment" searchWhenChanged="false"> 
      <label>Enter Comment:</label> 
| eval prod_number="$prod_num$" | eval user_comment="$user_comment$" 
| eval cur_time=now() | convert timeformat="%Y-%m-%d %H:%M:%S" ctime(cur_time) 
| table prod_number user_comment cur_time
| join [rest /services/authentication/current-context/context | search NOT username="splunk-system-user"
| head 1 | fields username] 
| rename username as employee_id 
| dedup employee_id
| table prod_number employee_id user_comment cur_time 
| inputlookup append=true product_notes.csv
| dedup prod_number
| outputlookup product_notes.csv
| table prod_number employee_id user_comment cur_time 
| sort -cur_time
      <option name="list.drilldown">full</option> 
      <option name="list.wrap">1</option> 
      <option name="maxLines">5</option> 
      <option name="raw.drilldown">full</option> 
      <option name="rowNumbers">true</option> 
      <option name="table.drilldown">1</option> 
      <option name="table.wrap">1</option> 
      <option name="type">list</option> 
      <option name="wrap">true</option> 
      <option name="dataOverlayMode">none</option> 
      <option name="drilldown">none</option> 
      <option name="count">100</option> 


Happy Splunking!

Subscribe to Our Newsletter

Stay In Touch