Form search examples
Here are three examples showing how to build different types of form searches using the simplified XML. There are even more examples in the UI examples app, which you can download from Splunkbase.
Simple table
This example shows how to create a simple form that searches for one field, sourcetype. Results from the search are displayed as a table with 50 rows maximum. Here's what this example looks like:
First, create the form, give it a label and craft the searchTemplate -- the search that will be the basis for the form:
<form>
<label>Simple table</label>
<searchTemplate>index=_internal source=*metrics.log group=per_sourcetype_thruput series="$sourcetype$" | head 1000</searchTemplate>
<earliestTime>-30d</earliestTime>
<latestTime>-0d</latestTime>
...
Next, optionally add some useful information, instructing your users in how to craft their search:
...
<html>
Enter a sourcetype in the field below and this view will pull back the most recent 1000 events from the metrics log concerning that sourcetype.
</html>
...
Then, set up an input. This example creates an input box that will replace the $sourcetype$ string in the searchTemplate above.
<fieldset>
<input token="sourcetype" />
</fieldset>
Finally, display your results.
<row>
<table>
<title>Matching events</title>
<option name="count">50</option>
</table>
</row>
</form>
Multiple inputs
This example takes multiple inputs to build a form search, as well as a time range picker to allow users to pick a time range for their search.
First, set up a searchTemplate that creates two tokens: $series$ and $otherFilter$. The search leaves time out, so users can select their own time from the added time range picker:
<form>
<label>Multiple inputs</label>
<searchTemplate>index=_internal source=*metrics.log group="per_sourcetype_thruput" series=$series$ $otherFilter$ | fields eps, kb, kbps</searchTemplate>
Now create a text box; upon first load, the box will be populated with 'splunkd'. If the user leaves the box empty, then the search will use '*'. Also, this example will always prepend the token 'otherFilter' with 'eps>', so if no value is entered, then 'eps>-1' will be inserted. Finally, the time range picker is added:
<fieldset>
<input type="text" token="series">
<label>sourcetype</label>
<default></default>
<seed>splunkd</seed>
<suffix>*</suffix>
</input>
<input type="text" token="otherFilter">
<label>events per second greater than:</label>
<prefix>eps></prefix>
<default>-1</default>
<seed>0</seed>
</input>
<input type="time" />
</fieldset>
Now, display the results in a table with max results equal to 20:
<row>
<table>
<option name="showPager">true</option>
<option name="count">20</option>
</table>
</row>
</form>
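To make the seed, default, prefix and suffix rules of the "Multiple inputs" form concrete, here is an added example (written for this page, not Splunk's own code) that models how those inputs are resolved and substituted into the searchTemplate. The INPUTS dictionary and the first-load/cleared-box conventions are assumptions that mirror the text above.

```python
# Added example: a small model of the token rules described for the
# "Multiple inputs" form (seed on first load, default when the box is
# cleared, prefix/suffix always applied).  This is an illustration written
# for this page, not Splunk's implementation.
import re

# Input definitions, constructed to match the <fieldset> above (assumption).
INPUTS = {
    "series":      {"seed": "splunkd", "default": "", "suffix": "*"},
    "otherFilter": {"seed": "0", "default": "-1", "prefix": "eps>"},
}

# The searchTemplate from the form above, as a plain string.
SEARCH_TEMPLATE = (
    'index=_internal source=*metrics.log group="per_sourcetype_thruput" '
    "series=$series$ $otherFilter$ | fields eps, kb, kbps"
)


def resolve_token(spec, value):
    """Return the string substituted for one $token$.

    value is None on first load (the seed is used) and "" when the user
    cleared the box (the default is used); prefix and suffix are always
    wrapped around whatever value results.
    """
    if value is None:
        value = spec.get("seed", "")
    if value == "":
        value = spec.get("default", "")
    return spec.get("prefix", "") + value + spec.get("suffix", "")


def render_search(template, inputs, values):
    """Replace every $token$ in template using the inputs' rules.

    Token values are interpolated into the search string verbatim, exactly
    as the form does; a token with no matching <input> is an error.
    """
    def sub(match):
        name = match.group(1)
        if name not in inputs:
            raise KeyError(f"no input defined for token ${name}$")
        return resolve_token(inputs[name], values.get(name))
    return re.sub(r"\$(\w+)\$", sub, template)


if __name__ == "__main__":
    # First load: no values yet, so the seeds are used.
    print(render_search(SEARCH_TEMPLATE, INPUTS, {}))
    # Both boxes cleared: defaults are used, prefix/suffix still applied.
    print(render_search(SEARCH_TEMPLATE, INPUTS, {"series": "", "otherFilter": ""}))
```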
Inverted flow
This form search is built backwards -- the input comes first and then feeds two separate charts and one table. The charts and table are each built from a separate search, each with its own searchTemplate that uses the 'sourcetypeToken' text box input. This example is useful for rendering pages that collate disparate searches that share a common search keyword/token.
First, define a common form search input that will be used by all panels below:
<form>
<label>inverted flow, panel-defined search</label>
<fieldset>
<input type="text" token="sourcetypeToken">
<label>sourcetype</label>
<default>*</default>
<seed>splunkd</seed>
</input>
<input type="time" />
</fieldset>
Now, create two separate charts, each with a searchTemplate that uses the input from above with the $sourcetypeToken$:
<row>
<chart>
<title>KB Indexed over time</title>
<searchTemplate>index=_internal source=*metrics.log Component=metrics group="per_sourcetype_thruput" series="$sourcetypeToken$" | timechart sum(kb)</searchTemplate>
<option name="charting.chart">column</option>
<option name="charting.primaryAxisTitle.text">Sourcetype</option>
<option name="charting.secondaryAxisTitle.text">KB Indexed</option>
<option name="charting.legend.placement">none</option>
</chart>
<chart>
<title>Average events per second over time</title>
<searchTemplate>index=_internal source=*metrics.log Component=metrics group="per_sourcetype_thruput" series="$sourcetypeToken$" | timechart avg(eps)</searchTemplate>
<option name="charting.chart">area</option>
<option name="charting.chart.stackMode">stacked</option>
<option name="charting.primaryAxisTitle.text">Sourcetype</option>
<option name="charting.secondaryAxisTitle.text">Events per second</option>
<option name="charting.legend.placement">none</option>
</chart>
</row>
Finally, display further results in a table, also using the searchTemplate that takes input from above with the $sourcetypeToken$:
<row>
<table>
<title>average kbps over time</title>
<searchTemplate>index=_internal source=*metrics.log Component=metrics group="per_sourcetype_thruput" series="$sourcetypeToken$" | timechart avg(kbps)</searchTemplate>
<option name="count">20</option>
</table>
</row>
</form>
This documentation applies to the following versions of Splunk: 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.0.8, 4.0.9, 4.0.10, 4.0.11, 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8
Comments
The "Download the UI examples from Splunkbase" link links to a deprecated project.
Yes, as is mentioned on the page it links to, you need the more up-to-date app, which is linked from there.