Developing Dashboards, Views, and Apps for Splunk Web

 


How to build an advanced form search

You can add a form search to any view using the advanced XML syntax. Advanced form searches use the ExtendedFieldSearch module in the search view template. To read more about search views, see Introduction to advanced views.

Add chrome

Start out your form search view by adding the chrome:

<view onunloadCancelJobs="False" autoCancelInterval="100">
  <!--  autoCancelInterval is set here to 100  -->
  <label>Sample search</label>
  <module name="AccountBar" layoutPanel="appHeader"/>
  <module name="AppBar" layoutPanel="navigationHeader"/>
  <module name="Message" layoutPanel="messaging">
    <param name="filter">*</param>
    <param name="clearOnJobDispatch">False</param>
    <param name="maxSize">1</param>
  </module>

Next, decide what kind of form search you'd like to build and pick one or more of the following configurations.

Add a form search pattern

All form searches include a form search pattern, which is built with the modules shown below.

This is the simplest configuration of the ExtendedFieldSearch module, fed by a HiddenSearch. Note that you also need to configure the intention and replacementMap params to set up the form input:

  <module name="HiddenSearch" layoutPanel="mainSearchControls">
    <param name="search">sourcetype=$st$</param>
    <module name="ExtendedFieldSearch">
      <param name="intention">
        <param name="name">stringreplace</param>
        <param name="arg">
            <param name="st">
                <param name="default">apache_error</param>
            </param>
        </param>
      </param>
      <param name="replacementMap">
        <param name="arg">
          <param name="st">
              <param name="value"></param>
          </param>
        </param>
      </param>
      <param name="field">Sourcetype</param>
      <module name="EventsViewer" layoutPanel="resultsAreaLeft">
        <param name="segmentation">full</param>
      </module>
    </module>
  </module>

Advanced examples

There are many options for configuring an advanced form search. Here are a few examples to get you started.

Use wildcards

Here's an example that lets you wildcard your token.

...
  <module name="HiddenSearch" layoutPanel="mainSearchControls">
    <param name="search">sourcetype=apache_error *$target$*</param>
    <module name="ExtendedFieldSearch">
      <param name="intention">
        <param name="name">stringreplace</param>
        <param name="arg">
            <param name="target">
                <param name="default">500</param>
            </param>
        </param>
      </param>
      <param name="replacementMap">
        <param name="arg">
          <param name="target">
              <param name="value"></param>
          </param>
        </param>
      </param>
      <param name="field">Wildcard search</param>
      <module name="EventsViewer" layoutPanel="resultsAreaLeft">
        <param name="segmentation">full</param>
      </module>
    </module>
  </module>

Use two variables

Here's an example that takes two separate tokens as input.

  <module name="HiddenSearch" layoutPanel="mainSearchControls">
    <param name="search">sourcetype=apache_error $error$ $hours_ago$</param>
    <module name="ExtendedFieldSearch">
      <param name="intention">
        <param name="name">stringreplace</param>
        <param name="arg">
            <param name="error">
                <param name="fillOnEmpty">True</param>
            </param>
        </param>
      </param>
      <param name="replacementMap">
        <param name="arg">
          <param name="error">
              <param name="value"></param>
          </param>
        </param>
      </param>
      <param name="field">Multiple replace (apache search)</param>
      <module name="ExtendedFieldSearch">
        <param name="intention">
          <param name="name">stringreplace</param>
          <param name="arg">
              <param name="hours_ago">
                  <param name="fillOnEmpty">True</param>
                  <param name="prefix">starthoursago=</param>
              </param>
          </param>
        </param>
        <param name="replacementMap">
          <param name="arg">
            <param name="hours_ago">
                <param name="value"></param>
            </param>
          </param>
        </param>
        <param name="field">Multiple replace (starthoursago)</param>
        <module name="EventsViewer" layoutPanel="resultsAreaLeft">
          <param name="segmentation">full</param>
        </module>
      </module>
    </module>
  </module>

Use ORs

Here's an example that lets you build a search with ORs. The desired search string is:

  eventtypetag=authentication tag=cardholder-dest src_ip="$SourceIP$" OR user="$User$"

Approximate this using the stringreplace intention's "prefix" and "suffix" params: $User$ is prefixed with 'OR user="' and suffixed with '"', so the search param itself reduces to:

  eventtypetag=authentication tag=cardholder-dest src_ip="$SourceIP$" $User$

  <module name="HiddenSearch" layoutPanel="mainSearchControls">
    <param name="search">eventtypetag=authentication tag=cardholder-dest src_ip="$SourceIP$" $User$</param>
    <module name="ExtendedFieldSearch">
      <param name="field">SourceIP</param>
      <param name="intention">
        <param name="name">stringreplace</param>
        <param name="arg">
            <param name="SourceIP">
                <param name="fillOnEmpty">True</param>
                <param name="value"></param>
            </param>
        </param>
      </param>
      <param name="replacementMap">
        <param name="arg">
          <param name="SourceIP">
              <param name="value"></param>
          </param>
        </param>
      </param>
      <module name="ExtendedFieldSearch">
        <param name="field">User</param>
        <param name="intention">
          <param name="name">stringreplace</param>
          <param name="arg">
              <param name="User">
                  <param name="fillOnEmpty">True</param>
                  <param name="prefix">OR user="</param>
                  <param name="suffix">"</param>
              </param>
          </param>
        </param>
        <param name="replacementMap">
          <param name="arg">
            <param name="User">
                <param name="value"></param>
            </param>
          </param>
        </param>
        <module name="EventsViewer" layoutPanel="resultsAreaLeft">
          <param name="segmentation">full</param>
        </module>
      </module>
    </module>
  </module>

Reuse the same token

This example reuses the same token for two different parts of the search:

...
  <module name="HiddenSearch" layoutPanel="mainSearchControls">
    <param name="search">eventtypetag=config_file source=$File$ OR $File$</param>
    <module name="ExtendedFieldSearch">
      <param name="field">File</param>
      <param name="intention">
        <param name="name">stringreplace</param>
        <param name="arg">
            <param name="File">
                <param name="value"></param>
            </param>
        </param>
      </param>
      <param name="replacementMap">
        <param name="arg">
          <param name="File">
              <param name="value"></param>
          </param>
        </param>
      </param>
      <module name="EventsViewer" layoutPanel="resultsAreaLeft">
        <param name="segmentation">full</param>
      </module>
    </module>
  </module>
...
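As an added illustration (not from the Splunk documentation or the ExtendedFieldSearch module itself), a small Python model of how the stringreplace intention in the examples above turns form input into the search string that HiddenSearch dispatches, covering the OR, wildcard and reused-token examples. The prefix/suffix handling follows the OR example; the handling of "default" and "fillOnEmpty" for an empty field is an assumption about the module's behaviour, not something the page states.

```python
import re

# Assumed semantics (not stated on the page): a non-empty input is wrapped in
# prefix/suffix and substituted for $name$; an empty input uses "default" if
# present, otherwise with fillOnEmpty $name$ becomes the empty string, and
# without either the $name$ placeholder is left in the search untouched.
TOKEN = re.compile(r"\$(\w+)\$")

def string_replace(search, args, inputs):
    """Return the search string HiddenSearch would dispatch.

    search: the 'search' param with $token$ placeholders
    args:   {token: {"default", "fillOnEmpty", "prefix", "suffix"}} per intention arg
    inputs: {token: str} text typed into each ExtendedFieldSearch field
    """
    def replace_one(match):
        name = match.group(1)
        if name not in args:
            return match.group(0)  # no intention for this token: leave it
        spec = args[name]
        value = (inputs.get(name) or "").strip()
        if value:
            return spec.get("prefix", "") + value + spec.get("suffix", "")
        if "default" in spec:
            return spec["default"]
        if spec.get("fillOnEmpty"):
            return ""
        return match.group(0)  # left in place: the search will fail to parse
    # a removed token can leave a double space behind; collapse it
    return re.sub(r"\s+", " ", TOKEN.sub(replace_one, search)).strip()

def unresolved_tokens(search):
    """Placeholders that survived substitution; check this before dispatching."""
    return TOKEN.findall(search)

# Search params and intention args copied from the examples on this page
OR_SEARCH = 'eventtypetag=authentication tag=cardholder-dest src_ip="$SourceIP$" $User$'
OR_ARGS = {"SourceIP": {"fillOnEmpty": True},
           "User": {"fillOnEmpty": True, "prefix": 'OR user="', "suffix": '"'}}
WILDCARD_SEARCH = "sourcetype=apache_error *$target$*"
WILDCARD_ARGS = {"target": {"default": "500"}}
REUSE_SEARCH = "eventtypetag=config_file source=$File$ OR $File$"
REUSE_ARGS = {"File": {}}  # neither default nor fillOnEmpty is configured

if __name__ == "__main__":
    # constructed sample inputs, not real data
    print(string_replace(OR_SEARCH, OR_ARGS, {"SourceIP": "10.0.0.5", "User": "alice"}))
    print(string_replace(OR_SEARCH, OR_ARGS, {"SourceIP": "10.0.0.5", "User": ""}))
    print(string_replace(WILDCARD_SEARCH, WILDCARD_ARGS, {}))
    left = string_replace(REUSE_SEARCH, REUSE_ARGS, {"File": ""})
    print(left, unresolved_tokens(left))
```

The last case shows why the page's examples set fillOnEmpty or a default: with neither, an empty field leaves $File$ in the search and the dispatch fails.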

This documentation applies to the following versions of Splunk: 4.1, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8


Comments

Be careful if you use "?showsource=true" on an existing form search view, as the XML that will be displayed will switch the placements of the "replacementMap" and "intention" parameters. This mix-up doesn't cause Splunk's XML checker to complain about the syntax, but you'll get a parser error when you try to run the search.

Stephenclough
August 23, 2010
