Developing Dashboards, Views, and Apps for Splunk Web

 



This documentation does not apply to the most recent version of Splunk. Click here for the latest version.

Build an advanced form search

You can add a form search to any search view using the advanced form search XML syntax. Advanced form searches use the ExtendedFieldSearch module in a search view. To read more about search views, see here.

Configuration

Start out your search view:

<view onunloadCancelJobs="False" autoCancelInterval="100">
  <!--  autoCancelInterval is set here to 100  -->
  <label>Sample search</label>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">1</param>
  </module>

Next, decide what kind of form search you'd like to do and pick one or more of the following configurations.

Basic search replacement example

  <!-- Basic replacement: whatever is entered in the "st" form field is
       substituted for $st$ in the HiddenSearch search string. -->
  <module name="HiddenSearch" layoutPanel="mainSearchControls">
    <param name="search">sourcetype=$st$</param>
    <module name="ExtendedFieldSearch">
      <param name="intention">
        <param name="name">stringreplace</param>
        <param name="arg">
            <param name="st">
                <!-- "default" presumably supplies apache_error when the field is left
                     blank; confirm against the ExtendedFieldSearch module reference -->
                <param name="default">apache_error</param>
            </param>
        </param>
      </param>
      <!-- replacementMap keys mirror the intention arg names; "value" is left empty here -->
      <param name="replacementMap">
        <param name="arg">
          <param name="st">
              <param name="value"></param>
          </param>
        </param>
      </param>
      <!-- "field" appears to be the label shown for the form input; confirm -->
      <param name="field">Sourcetype</param>
      <module name="EventsViewer" layoutPanel="resultsAreaLeft">
        <param name="segmentation">full</param>
      </module>
    </module>
  </module>


Use wildcards

...
  <!-- Wildcard replacement: the entered text is embedded between two * characters
       in the search string, so (presumably, with the default 500) the assembled
       search reads  sourcetype=apache_error *500*  -->
  <module name="HiddenSearch" layoutPanel="mainSearchControls">
    <param name="search">sourcetype=apache_error *$target$*</param>
    <module name="ExtendedFieldSearch">
      <param name="intention">
        <param name="name">stringreplace</param>
        <param name="arg">
            <param name="target">
                <!-- presumably used when the field is left blank; confirm -->
                <param name="default">500</param>
            </param>
        </param>
      </param>
      <param name="replacementMap">
        <param name="arg">
          <param name="target">
              <param name="value"></param>
          </param>
        </param>
      </param>
      <param name="field">Wildcard search</param>
      <!-- Nothing on this page constrains the entered text; it is spliced verbatim
           into the search, so search syntax typed into the field becomes part of
           the query rather than a literal wildcard term. -->
      <module name="EventsViewer" layoutPanel="resultsAreaLeft">
        <param name="segmentation">full</param>
      </module>
    </module>
  </module>

Use two variables

  <!-- Two variables: one ExtendedFieldSearch module per $variable$, nested so the
       second one sits inside the first; the EventsViewer is a child of the
       innermost module. -->
  <module name="HiddenSearch" layoutPanel="mainSearchControls">
    <param name="search">sourcetype=apache_error $error$ $hours_ago$</param>
    <module name="ExtendedFieldSearch">
      <param name="intention">
        <param name="name">stringreplace</param>
        <param name="arg">
            <param name="error">
                <!-- fillOnEmpty: presumably controls what happens to $error$ when the
                     field is blank; confirm against the module reference -->
                <param name="fillOnEmpty">True</param>
            </param>
        </param>
      </param>
      <param name="replacementMap">
        <param name="arg">
          <param name="error">
              <param name="value"></param>
          </param>
        </param>
      </param>
      <param name="field">Multiple replace (apache search)</param>
      <!-- Second variable: handled by a nested ExtendedFieldSearch -->
      <module name="ExtendedFieldSearch">
        <param name="intention">
          <param name="name">stringreplace</param>
          <param name="arg">
              <param name="hours_ago">
                  <param name="fillOnEmpty">True</param>
                  <!-- "prefix" is literal text placed in front of the entered value, so
                       $hours_ago$ expands to  starthoursago=<entered value>  -->
                  <param name="prefix">starthoursago=</param>
              </param>
          </param>
        </param>
        <param name="replacementMap">
          <param name="arg">
            <param name="hours_ago">
                <param name="value"></param>
            </param>
          </param>
        </param>
        <param name="field">Multiple replace (starthoursago)</param>
        <module name="EventsViewer" layoutPanel="resultsAreaLeft">
          <param name="segmentation">full</param>
        </module>
      </module>
    </module>
  </module>

Use ORs

The desired search string is: eventtypetag=authentication tag=cardholder-dest src_ip="$SourceIP$" OR user="$User$"

Approximate this using the stringreplace intention's "prefix" and "suffix" params: eventtypetag=authentication tag=cardholder-dest src_ip="$SourceIP$" $User$

where the value substituted for $User$ is prefixed with 'OR user="' and suffixed with '"'.

  <!-- OR between two fields: $SourceIP$ is replaced directly inside its own quotes;
       $User$ is wrapped by the prefix/suffix params of its stringreplace intention
       so that an entered value becomes  OR user="..."  in the assembled search. -->
  <module name="HiddenSearch" layoutPanel="mainSearchControls">
    <param name="search">eventtypetag=authentication tag=cardholder-dest src_ip="$SourceIP$" $User$</param>
    <module name="ExtendedFieldSearch">
      <param name="field">SourceIP</param>
      <param name="intention">
        <param name="name">stringreplace</param>
        <param name="arg">
            <param name="SourceIP">
                <param name="fillOnEmpty">True</param>
                <!-- NOTE(review): "value" under the intention arg does not appear in the
                     other examples on this page (there it lives only under replacementMap);
                     confirm it is intentional -->
                <param name="value"></param>
            </param>
        </param>
      </param>
      <param name="replacementMap">
        <param name="arg">
          <param name="SourceIP">
              <param name="value"></param>
          </param>
        </param>
      </param>
      <module name="ExtendedFieldSearch">
        <param name="field">User</param>
        <param name="intention">
          <param name="name">stringreplace</param>
          <param name="arg">
              <param name="User">
                  <param name="fillOnEmpty">True</param>
                  <!-- prefix/suffix are literal text concatenated around the entered value.
                       Nothing on this page escapes that value: a double quote or search
                       keywords typed into the field change the structure of the assembled
                       search instead of being matched literally. Constrain what this field
                       accepts if the form is reachable by untrusted users. -->
                  <param name="prefix">OR user="</param>
                  <param name="suffix">"</param>
              </param>
          </param>
        </param>
        <param name="replacementMap">
          <param name="arg">
            <param name="User">
                <param name="value"></param>
            </param>
          </param>
        </param>
        <module name="EventsViewer" layoutPanel="resultsAreaLeft">
          <param name="segmentation">full</param>
        </module>
      </module>
    </module>
  </module>

Reuse the same variable

...
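  <!-- Reuse one variable: $File$ appears twice in the search string and both
       occurrences are filled from the single "File" form field. -->
  <module name="HiddenSearch" layoutPanel="mainSearchControls">
    <param name="search">eventtypetag=config_file source=$File$ OR $File$</param>
    <module name="ExtendedFieldSearch">
      <param name="field">File</param>
      <param name="intention">
        <param name="name">stringreplace</param>
        <param name="arg">
            <param name="File">
                <param name="value"></param>
            </param>
        </param>
      </param>
      <param name="replacementMap">
        <param name="arg">
          <param name="File">
              <param name="value"></param>
          </param>
        </param>
      </param>
      <!-- Indented to match the actual nesting: EventsViewer is a child of
           ExtendedFieldSearch, as in the examples above. -->
      <module name="EventsViewer" layoutPanel="resultsAreaLeft">
        <param name="segmentation">full</param>
      </module>
    </module>
  </module>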
...
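  <!-- Count by field: the entered text becomes the field name after
       "stats count by", i.e. it is spliced into the search pipeline itself.
       Nothing on this page restricts the input to a field name. -->
  <module name="HiddenSearch" layoutPanel="mainSearchControls">
    <param name="search">* | stats count by $st$</param>
    <module name="ExtendedFieldSearch">
      <param name="field">Count by field</param>
      <param name="intention">
        <param name="name">stringreplace</param>
        <param name="arg">
            <param name="st">
                <param name="value"></param>
            </param>
        </param>
      </param>
      <param name="replacementMap">
        <param name="arg">
          <param name="st">
              <param name="value"></param>
          </param>
        </param>
      </param>
      <!-- Indented to match the actual nesting: EventsViewer is a child of
           ExtendedFieldSearch, as in the examples above. -->
      <module name="EventsViewer" layoutPanel="resultsAreaLeft">
        <param name="segmentation">full</param>
      </module>
    </module>
  </module>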



</view>

This documentation applies to the following versions of Splunk: 4.0 , 4.0.1 , 4.0.2 , 4.0.3 , 4.0.4 , 4.0.5 , 4.0.6 , 4.0.7 , 4.0.8 , 4.0.9 , 4.0.10 , 4.0.11 View the Article History for its revisions.

