It’s pretty simple to create a table in Splunk. By default, though, filtering that table means re-running the search so Splunk can refetch the data. What if you already had a set of data on the page and wanted to filter the table in real time, without another round trip to the server?
Let’s say you have a predefined list of subnets in a lookup. If you’re searching for a specific match, you shouldn’t have to refetch the data every time, especially since a lookup doesn’t change often enough to justify it. Filtering the rows you already have, as you type, is much more effective here.
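To make the idea concrete, here is the client-side filtering described above in plain JavaScript. This is an added example, not code from the original post and not part of the Splunk Web Framework itself: it assumes the rows have already been fetched (in a real app they would come from a SplunkJS SearchManager running the inputlookup search) and it works on constructed sample rows, not the contents of db_exploits.csv. Beyond simple substring matching, it handles the subnet case from the paragraph above: if the query is an IPv4 address, a row whose field holds a CIDR block containing that address is also a match.

```javascript
// Added example: filter an already-fetched result set in the browser instead
// of re-running the search. Field names and sample rows are constructed for
// illustration; a real app would pass in the rows returned by the search.

// Constructed stand-in for lookup rows of database exploits.
const exploitRows = [
  { id: "101", description: "MySQL 5.x UDF privilege escalation", platform: "linux" },
  { id: "102", description: "PostgreSQL COPY TO PROGRAM command execution", platform: "multiple" },
  { id: "103", description: "Oracle TNS Listener remote", platform: "windows" },
];

// Constructed stand-in for a lookup of predefined subnets.
const subnetRows = [
  { name: "corp-lan", cidr: "10.1.0.0/16" },
  { name: "dmz", cidr: "192.168.50.0/24" },
  { name: "guest-wifi", cidr: "172.16.8.0/22" },
];

// Parse a dotted-quad IPv4 address into an unsigned 32-bit number.
// Returns null for anything that is not exactly four octets in 0..255.
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v;
  }
  return n;
}

// True if the CIDR block (e.g. "10.1.0.0/16") contains the given address.
function cidrContains(cidr, ipInt) {
  const [net, bitsStr] = cidr.split("/");
  const netInt = ipv4ToInt(net);
  const bits = Number(bitsStr);
  if (netInt === null || !Number.isInteger(bits) || bits < 0 || bits > 32) return false;
  if (bits === 0) return true;            // /0 matches everything; avoids a 32-bit shift
  const mask = (0xffffffff << (32 - bits)) >>> 0;
  return ((netInt & mask) >>> 0) === ((ipInt & mask) >>> 0);
}

// Return the rows that match the query, with no refetch. A row matches when any
// field contains the query (case-insensitive), or when the query is an IPv4
// address and a field holds a CIDR block that contains it.
function filterRows(rows, query) {
  const q = query.trim().toLowerCase();
  if (q === "") return rows.slice();      // empty input shows the whole table
  const queryIp = ipv4ToInt(q);
  return rows.filter((row) =>
    Object.values(row).some((value) => {
      const text = String(value);
      if (text.toLowerCase().includes(q)) return true;
      return queryIp !== null && text.includes("/") && cidrContains(text, queryIp);
    })
  );
}

// Stand-alone demo: an address inside corp-lan, and a text match on the exploits.
console.log(filterRows(subnetRows, "10.1.200.7"));
console.log(filterRows(exploitRows, "sql"));
```

In the app, the input field’s change handler would call filterRows on the cached rows and hand the result to the table view, so every keystroke re-renders from memory rather than from a new search.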
I am going to take you through, step by step, how to do just that. Due to the amount of content we will be covering, this tutorial will be split into two separate posts. The first covers the basics of setting up an app through the Splunk Web Framework, which will result in a custom input field and a table. The second covers how to add the filtering functionality to what we built in the first.
Oh, and if you enjoy a more visual route, there are related screencasts split across three videos.
Already familiar with the Splunk Web Framework? You will probably be alright skimming through this first part.
Part 1: The Necessities
Download the zipped db_exploits.csv file. This contains a list of database exploits (http://www.exploit-db.com/) and we will use this data to populate our lookup. Once you have it downloaded, go into Splunk (Settings > Lookups > Lookup table files) and create a new lookup table from this .csv file. We’ll be referencing it in our search as:
| inputlookup db_exploits.csv
Feel free to also download working examples of the app:
Part 2: Create Your App
Since we are using the built-in Splunk Web Framework, we are going to create our app from the command line. Change to $SPLUNK_HOME/etc/apps/framework and run:
./splunkdj createapp <appname>    # name it whatever you like
It will then ask for your username and password and then prompt you with: The <appname> app was created at ‘$SPLUNK_HOME/etc/apps/<appname>’. Please restart Splunk.
Once you restart, go to http://localhost:8000/dj/en-us/<appname>/home/ and you should see something like this: