Form searches

Form searches

Form searches allow you to create reusable searches for casual or non-technical Splunk users. Form searches are saved searches that appear as forms with parameters to be specified by the user running the search. The user doing the searching must fill in these parameters, or form fields before running the search. You can create a very complicated saved search and save it as a form with as many form fields as you like.

For example, you can define a search that returns all Web server errors for a username that the user doing the searching specifies:

This search appears as a form labeled user.

The search 503 OR 500 OR 404 sourcetype::access_common is still contained in the form search, but does not appear to the user.

Note: Form search works via text substitution so the changeable part of a search can be anything, not just a search or an extracted field.

Create a form search

Create a form search the same way you create a saved search, with these additional steps:

• Decide which parts of the search will be variable.
• Turn these into form fields by surrounding them with dollar signs ($).

For example, the search

will appear as the following:

Form searches with fields

You can also create form searches for search and extracted fields.

With search fields

Preface your form field with the search field name.

The search:

can be made into a general (form) search for any sourcetype by adding sourcetype after the search field name and surrounding it with dollar signs:

Save this search as Daily indexing volume, and a user running the search sees:

Note that the timerange default value is the one set by the user in preferences. Time-based search modifiers cannot be used as part of a form in a form search.

With extracted fields

Note:Form searches with extracted fields require that you add the where command to your search when identifying the extracted field to be used in the form.

The search:

can be made into a general (form) search for any trade id by adding a where command to your search containing the TradeID after the extracted field name and surrounding it with dollar signs:

Save this search as trade_entry, and a user running the search sees:

A user may change the TradeID to any value they want to search on.

Note that the timerange default value is the one set by the user in preferences. Time-based search modifiers cannot be used as part of a form in a form search.

Form searches with predefined values

You can also specify form searches that have a list of valid values. The form generated will show a drop-down list. For example, the search

sourcetype=_trade_entry AND TradeID:$Trade ID$ AND TradeType $TradeType=Accepted,Rejected,Hold$

This search limits TradeType to three values and presents them in a drop-down:

Valid values can also come from an external source. For example:

$user={/v3/custom/imap.users}$ 

Note: The external source must be accessible as a URL from the local domain. The file should live in $SPLUNK_HOME/share/splunk/search_oxiclean/static/html

Share your form search

Once you have refined your search, you can distribute it to your users.

Save it

• Save your search via the drop-down arrow next to the search box.
  • To select "Save search..." from the menu, you will need to click show as text to return to the search box.
  • You can share your saved search with all users.

Permalink it

• Once you have saved the search, you can permalink to the form search box.
  • View the saved search in the form view mode, and click the permalink option above the form search box. This will create a Permalink URL that you can send to other Splunk users.

Note: Splunk doesn't Uuencode its Permalink URLs. Some browsers may experience problems resolving Permalinks if they aren't Uuencoded.

• Was this topic useful?
• Post a comment